Extracted

• • Target

    Zwerve-External-main.zip

  • Size

    2KB

  • MD5

    511c1e1041b300aeff37b8272a61b717

  • SHA1

    fe5d6f283806f8539fa8d6344509efdb5d69072e

  • SHA256

    2738d6b280eab5dca82d1dabc4d585e98bc3b8a6f27f8afcb0439a20ff54f87a

  • SHA512

    1ac35b241062c3477f42107bcf5c67f272fd3295df06ffe5fed25555a6a35242de8f00385c9c2004175eea98ccd5beb3ea074f8f142cef73451cf784eaefc4d6

  Score

  10^/10

  xenoratcredential_accessdiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojan

  • Detect XenoRat Payload

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Command and Scripting Interpreter: PowerShell

    Start PowerShell.

    execution
  behavioral1