General

  • Target

    2a8d5a1ffaab412d105732aa88021fa9.bin

  • Size

    223KB

  • Sample

    240907-bgmdvsxajr

  • MD5

    26b9cc193e45cd2d6b416d3428dfa897

  • SHA1

    64c94e09726e900b21da24d7709ed57983984fbb

  • SHA256

    a31418649e34c3dc565170c37075fcdd93a158dd2e16ac80688ec2cbe58134c2

  • SHA512

    5f9d93884dfec12b27448aaddc41584cbf74befff4b2503c386dd957c795b165cabd4f82d95e1b5043e98cc00e258888e6e8155dcb042d143f61485e5de537bb

  • SSDEEP

    6144:9nXJH9KAVRZo1+vGRruUFbUDzpFBPxXuXtOMmAr:NZHlfS/RpeF5Vudlm0

Malware Config

Extracted

Family

xenorat

C2

154.216.17.155

Mutex

Xeno_rat_nd8912d

Attributes

  • delay

    50000

  • install_path

    appdata

  • port

    1356

  • startup_name

    csvr

Targets

    • Target

      2b700f4c8c95319e90414db0e22d42467ebf5843d397b907f817672b9501ade1.exe

    • Size

      348KB

    • MD5

      2a8d5a1ffaab412d105732aa88021fa9

    • SHA1

      ff1a188dc9121e1cd8feda55937a01efe47ecdcd

    • SHA256

      2b700f4c8c95319e90414db0e22d42467ebf5843d397b907f817672b9501ade1

    • SHA512

      840dd6d020ee45f14c60dafb662da94aee39e36e2e6eaf2aa3c16f5e1a5255db9d93a5bc4fe0693c8b6bbeecfba799d7f260b60e5365d9ba62fd54ad000c2dcc

    • SSDEEP

      6144:aVLrSJPZdikuk3beCsq2+1yEijN2HWEvIEwpFJ+zXbqUKXYI:ULrSJzikukasjOwHzQHpFJ+zXbqUKXF

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15