xenorat | Terminal[.]exe | Triage

Sharing

General

Target

Terminal.exe
Size

265KB
MD5

4ef7fab8f31fea78f9339ff1b61ff955
SHA1

feab88e721e59e6685d80fbbb62880679f16973c
SHA256

bd96ab832522b95bc01637c0aa4d2a03cb9a36c1ace05ce6c0962586d3fd645f
SHA512

1165dc71eab587b19c9a6b3d10c5ac513a9befd45d10719c482364f02dcd990aaf583080900fd1bd961de98b8088a4d0a4aa733f9a26af121bd8caeae262b693
SSDEEP

3072:1qN4fDJNpygmDiAk5vTol3pJVwEUQ7HlPIXAJ/scSTVJJZMoondbrlp52:TfDJrygmGN6nNzlPIGUcSBJvM3dbxp

Score

10^/10

xenorat

Malware Config

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
sample	family_xenorat

Xenorat family
xenorat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Terminal.exe

Files

Terminal.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

kC*l+6U
Size: 100KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

kC*l+6U
Size: 100KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

CCFB0F12
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ