xenorat | 15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe
Size

657KB
MD5

7ba37f3ac2258f9a33ebd1330617ef41
SHA1

b995513d63a7bd394099b44e7cc3269f5d02acc4
SHA256

15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1
SHA512

0e31d37d86885e2ed8e70756adbab74540273299cad2ed71ea90fd9718d0f019c88f450bb92a1a0ea6419eb02c3c3ade96e3448170c2857ba2ba1dc31a891995
SSDEEP

12288:NcrNS33L10QdrXjivfDnCr9BzOZ/fb67UjVXUSUp9Cq3wYNsMU3yRs:wNA3R5drXWvfDCr9ByNfb6ojZpOxwoRm

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

154.216.17.155

Mutex

Xeno_rat_nd8912d

Attributes

delay
50000
install_path
appdata
port
1357
startup_name
crsr

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1348-48-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat
behavioral1/memory/1348-49-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat
behavioral1/memory/1348-44-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 7 IoCs

pid	Process
2784	fjydfj.sfx.exe
1936	fjydfj.exe
1348	fjydfj.exe
848	fjydfj.exe
2556	fjydfj.exe
1924	fjydfj.exe
2496	fjydfj.exe

Loads dropped DLL 6 IoCs

pid	Process
2672	cmd.exe
2784	fjydfj.sfx.exe
2784	fjydfj.sfx.exe
2784	fjydfj.sfx.exe
2784	fjydfj.sfx.exe
1348	fjydfj.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 1348	1936	fjydfj.exe	36
PID 1936 set thread context of 848	1936	fjydfj.exe	37
PID 2556 set thread context of 1924	2556	fjydfj.exe	39
PID 2556 set thread context of 2496	2556	fjydfj.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjydfj.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjydfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjydfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjydfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjydfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjydfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2020	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2644	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	fjydfj.exe
Token: SeDebugPrivilege	2556	fjydfj.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2672	1720	15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe	31
PID 1720 wrote to memory of 2672	1720	15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe	31
PID 1720 wrote to memory of 2672	1720	15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe	31
PID 1720 wrote to memory of 2672	1720	15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe	31
PID 1720 wrote to memory of 2644	1720	15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe	33
PID 1720 wrote to memory of 2644	1720	15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe	33
PID 1720 wrote to memory of 2644	1720	15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe	33
PID 1720 wrote to memory of 2644	1720	15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe	33
PID 2672 wrote to memory of 2784	2672	cmd.exe	34
PID 2672 wrote to memory of 2784	2672	cmd.exe	34
PID 2672 wrote to memory of 2784	2672	cmd.exe	34
PID 2672 wrote to memory of 2784	2672	cmd.exe	34
PID 2784 wrote to memory of 1936	2784	fjydfj.sfx.exe	35
PID 2784 wrote to memory of 1936	2784	fjydfj.sfx.exe	35
PID 2784 wrote to memory of 1936	2784	fjydfj.sfx.exe	35
PID 2784 wrote to memory of 1936	2784	fjydfj.sfx.exe	35
PID 1936 wrote to memory of 1348	1936	fjydfj.exe	36
PID 1936 wrote to memory of 1348	1936	fjydfj.exe	36
PID 1936 wrote to memory of 1348	1936	fjydfj.exe	36
PID 1936 wrote to memory of 1348	1936	fjydfj.exe	36
PID 1936 wrote to memory of 1348	1936	fjydfj.exe	36
PID 1936 wrote to memory of 1348	1936	fjydfj.exe	36
PID 1936 wrote to memory of 1348	1936	fjydfj.exe	36
PID 1936 wrote to memory of 1348	1936	fjydfj.exe	36
PID 1936 wrote to memory of 1348	1936	fjydfj.exe	36
PID 1936 wrote to memory of 848	1936	fjydfj.exe	37
PID 1936 wrote to memory of 848	1936	fjydfj.exe	37
PID 1936 wrote to memory of 848	1936	fjydfj.exe	37
PID 1936 wrote to memory of 848	1936	fjydfj.exe	37
PID 1936 wrote to memory of 848	1936	fjydfj.exe	37
PID 1936 wrote to memory of 848	1936	fjydfj.exe	37
PID 1936 wrote to memory of 848	1936	fjydfj.exe	37
PID 1936 wrote to memory of 848	1936	fjydfj.exe	37
PID 1936 wrote to memory of 848	1936	fjydfj.exe	37
PID 1348 wrote to memory of 2556	1348	fjydfj.exe	38
PID 1348 wrote to memory of 2556	1348	fjydfj.exe	38
PID 1348 wrote to memory of 2556	1348	fjydfj.exe	38
PID 1348 wrote to memory of 2556	1348	fjydfj.exe	38
PID 2556 wrote to memory of 1924	2556	fjydfj.exe	39
PID 2556 wrote to memory of 1924	2556	fjydfj.exe	39
PID 2556 wrote to memory of 1924	2556	fjydfj.exe	39
PID 2556 wrote to memory of 1924	2556	fjydfj.exe	39
PID 2556 wrote to memory of 1924	2556	fjydfj.exe	39
PID 2556 wrote to memory of 1924	2556	fjydfj.exe	39
PID 2556 wrote to memory of 1924	2556	fjydfj.exe	39
PID 2556 wrote to memory of 1924	2556	fjydfj.exe	39
PID 2556 wrote to memory of 1924	2556	fjydfj.exe	39
PID 2556 wrote to memory of 2496	2556	fjydfj.exe	40
PID 2556 wrote to memory of 2496	2556	fjydfj.exe	40
PID 2556 wrote to memory of 2496	2556	fjydfj.exe	40
PID 2556 wrote to memory of 2496	2556	fjydfj.exe	40
PID 2556 wrote to memory of 2496	2556	fjydfj.exe	40
PID 2556 wrote to memory of 2496	2556	fjydfj.exe	40
PID 2556 wrote to memory of 2496	2556	fjydfj.exe	40
PID 2556 wrote to memory of 2496	2556	fjydfj.exe	40
PID 2556 wrote to memory of 2496	2556	fjydfj.exe	40
PID 2496 wrote to memory of 2020	2496	fjydfj.exe	41
PID 2496 wrote to memory of 2020	2496	fjydfj.exe	41
PID 2496 wrote to memory of 2020	2496	fjydfj.exe	41
PID 2496 wrote to memory of 2020	2496	fjydfj.exe	41

C:\Users\Admin\AppData\Local\Temp\15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe
"C:\Users\Admin\AppData\Local\Temp\15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\fynsdf.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Roaming\fjydfj.sfx.exe
    fjydfj.sfx.exe -pjuhytfdesczopthnymkdespbodtyuhngfszafugyRhvqxsdfHbgnmeL -dC:\Users\Admin\AppData\Roaming
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Roaming\fjydfj.exe
      "C:\Users\Admin\AppData\Roaming\fjydfj.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Users\Admin\AppData\Roaming\fjydfj.exe
        
        C:\Users\Admin\AppData\Roaming\fjydfj.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Users\Admin\AppData\Roaming\XenoManager\fjydfj.exe
        
        "C:\Users\Admin\AppData\Roaming\XenoManager\fjydfj.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\XenoManager\fjydfj.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\fjydfj.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\XenoManager\fjydfj.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\fjydfj.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "crsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB319.tmp" /F
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2020
    - - C:\Users\Admin\AppData\Roaming\fjydfj.exe
        
        C:\Users\Admin\AppData\Roaming\fjydfj.exe
        5⤵
        Executes dropped EXE
        
        PID:848
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\payment015.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB319.tmp

Filesize
1KB

MD5
d3692e4735e55a77a32d7031a2ee29f4

SHA1
f7d396bd9b7cb1adc7e9801ba99a6bb9f212fd54

SHA256
45e30d379ff41d3d4189a15cda14ee112f78f7c64626c5e7249f98b196951bbb

SHA512
14adac8223300b6648f6dd78acfa936c626c4f12ddfcd46d64d3f6f49a5b37b12b6efdf3e035f4ae38b03515b40a9988989771d29ca096f1864c6acad0c6df35

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
998b4b0ede6501bf76f3b14f2a25bd93

SHA1
f71af3a1d8925124e88bcc051506e4062551c8bf

SHA256
29d5a80063a92d556e45ea1c3095de68c932918479ac6ea6b05b46f340dc5656

SHA512
cad8127c35d256d4586ef18c8436af048479ba6eece0af795d7453f3fab131014e4896c7722036b54d2176aba1520206c641241eb2da3bb1afd73881746fa521

Download Submit
C:\Users\Admin\AppData\Roaming\fjydfj.exe

Filesize
240KB

MD5
5494b95d3ee517acd944dc95f2f0bac3

SHA1
cd56b2d1b7fde74673b4232d21dca6a9700747ed

SHA256
b1375481323657b5d309b7da9c79da454fe74253566bc8fde347b92f9ec49d22

SHA512
1f424b9f2ef285ebfc926f445820b205d215aafc0b6eb9dd31808603ab798d0ab51d9ded3e06c70453c90cd278e2579d92d1209b02e067d14785875e57363c0a

Download Submit
C:\Users\Admin\AppData\Roaming\fjydfj.sfx.exe

Filesize
481KB

MD5
8e8b909eb19b55588982e43b797842fb

SHA1
6ddcdb22ae2e72e25012fb9fe72ac0e65b4a15db

SHA256
d0531eb746554041916d17cb2f076623c829720d1e7697fa3bb26b776d400ffc

SHA512
34262e78fc9fa8837a7df62049776eeac6f69814731124b2ba3873a2377782953f7d720a7e490480429f6a1285b15a2cde6d7445eb0fa9c5c87acd2ed5836ca2

Download Submit
C:\Users\Admin\AppData\Roaming\fynsdf.bat

Filesize
18KB

MD5
34cfd986266a49b1f3fa00d499d0ad54

SHA1
de006ff5ffe85227fc6c5aa1517d05de4b245b84

SHA256
082f92478a289354b64d5899c3a354035dff4ce9709214749201c9e537fd09b9

SHA512
580a2a7e6bb58ed2fb815d61e38662c10abd3eae13078372c6f55deeadbf214ea0705887ccd4a8d4685f655a7e78fa1b880a50867d1a0e4ccecb1518698db4ff

Download Submit
C:\Users\Admin\AppData\Roaming\payment015.pdf

Filesize
30KB

MD5
fa0a0bc195062f035e0b7971ead10491

SHA1
ca2d4bd456ccba9fceb3f2b9ffefeb59615e12c9

SHA256
7a0e40d4c39eae8f7415cb44504e04c1baf41f57e797308f026409c7353ed03d

SHA512
c5a47170ad1ec061b37fd8c0726998400b144decccee65b9225184425da047e7abe007e17197c8423a5d9331c751d7f7d0512fa48de3fecbca0a5989e5c42ae4

Download Submit
memory/1348-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-48-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-44-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1936-43-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/1936-42-0x0000000000590000-0x00000000005CC000-memory.dmp

Filesize
240KB

Download
memory/1936-41-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/1936-40-0x0000000000E80000-0x0000000000EC6000-memory.dmp

Filesize
280KB

Download
memory/2556-57-0x0000000000C70000-0x0000000000CB6000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads