General
- Target: POandSpecs.exe
- Size: 460KB
- Sample: 240923-kzpflsxaka
- MD5: aa52cb347a4fe7db5729034b98401cc6
- SHA1: 7f29bef53000b95f4a4e6841a3acaee663f8a76e
- SHA256: 75b996b46e3fab0bec17d7ecce7cef67d87d8febd445b96cfe449b2deab4fa24
- SHA512: 4ae2d77c3ccfa6d4b3a24d6045aee14591d96b89d9e6094246a6eb1fbd0be831c04210dd41b147348cdcfa73d2f260034e4f5fefb1094ecd2e868fd03e5c16f4
- SSDEEP: 12288:IdmmXoRZbtfe6avjEVNRB27/BSxC6XCcgEw:7xfe6aQVDBzCQTgV
Static task: static1
Behavioral task: behavioral1
- Sample: POandSpecs.exe
- Resource: win7-20240903-en
Malware Config
Extracted
- xenorat
- 84.38.132.74
- Msword_Zac_nd8912d
- delay: 5
- install_path: temp
- port: 4444
- startup_name: nothingset
Targets
- Target: POandSpecs.exe
- Detect XenoRat Payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of the web browser credential store.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)