General

  • Target

    res_out.exe

  • Size

    4.4MB

  • Sample

    240906-mstsvs1hnj

  • MD5

    bf9ec01c25506a02c399ac19f154b9fd

  • SHA1

    c2563bd4dde7108c68d2f0eab24ddad600132e0f

  • SHA256

    2be849154e91a1aa43a1914c7253f08f0029854d309ab4e3d0e264a7424ee8cc

  • SHA512

    038d347a9264a708600d0488e533b26149aa3f162d096a7f09ac57f0f86f5d65210794c3a5fe583abde36cda2b2191acfe1715b2fab7f30ee19b7e83ec1d9d91

  • SSDEEP

    49152:ONLzXOKH6AqIHxAAAf7CpjZMZGIFjItJgtG3wBzP+F61w5USYNT1Q7sq4hrj8wNN:oLzXOKHD5xABKIxksBaQu8s4aIuftbO

Malware Config

Extracted

  • Family

    xenorat

  • C2

    raven123.ddnsgeek.com

  • Attributes


    5000

  • install_path

    appdata

  • port

    4111

  • startup_name

    nothingset

Targets

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15