Overview

overview

10

Static

static

10

image logg...der.py

windows11-21h2-x64

3

image logg...V2.exe

windows11-21h2-x64

10

image logg...der.py

windows11-21h2-x64

3

image logg...11.pyc

windows11-21h2-x64

3

image logg...11.pyc

windows11-21h2-x64

3

image logg...ion.py

windows11-21h2-x64

3

image logg...ief.py

windows11-21h2-x64

3

image logg...ate.py

windows11-21h2-x64

3

image logg...ter.py

windows11-21h2-x64

3

image logg...upx.py

windows11-21h2-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-09-2024 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    image logger V2/imageloggerV2.exe

  • Size

    45KB

  • MD5

    7b4b9400a241fff39ed69caf21a2bfff

  • SHA1

    418c0cce490a23fb0845bd1126cd40d573592ce0

  • SHA256

    a64fb3bf19974ad4369f1cbf8ab7cd5cf598462fb623788f9fd51b86b8361839

  • SHA512

    dda3bdb11484b0f9ce83f39c7d9356fce18225775678a78d1454a1c943255b5f86a3f6deab19f575cf9596444031d97d13b62ecaa46c5c52f5c45df45b6020d0

  • SSDEEP

    768:pdhO/poiiUcjlJInWC2H9Xqk5nWEZ5SbTDanuI7CPW5R:nw+jjgnX2H9XqcnW85SbTKuIJ

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

192.168.1.164

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    nothingset

  • port

    4444

  • startup_name

    java updater

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\image logger V2\imageloggerV2.exe
    "C:\Users\Admin\AppData\Local\Temp\image logger V2\imageloggerV2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5300
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "java updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF85.tmp" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpCF85.tmp
    Filesize

    1KB

    MD5

    c9ba9ed76aafb96274549155689311f9

    SHA1

    de253a051b63d7ac539be1126b8577a40eed178f

    SHA256

    561517b4b5a3d6d6d0d94261145dc8c4f40e4984636a67b12904e82e61503d6b

    SHA512

    4b103f6ca74adf9807a238966e4a78d6341bf937d4e648014d1ca9ff2b927d24aa5b721c08d94ef8e3c700ddb70f47981213d47e62efe9b10e32411aa0094be0

    Download Submit

  • memory/5300-0-0x00000000751AE000-0x00000000751AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5300-1-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5300-2-0x00000000751A0000-0x0000000075951000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5300-5-0x00000000751AE000-0x00000000751AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5300-6-0x00000000751A0000-0x0000000075951000-memory.dmp

    Filesize

    7.7MB

    Download