General

  • Target

    Svchost.exe

  • Size

    45KB

  • Sample

    240924-emf1taxalf

  • MD5

    d7b665428dd5924505511bd5c0f79e28

  • SHA1

    ef1480132b1bae773ef2ddede22e0f1ae7786625

  • SHA256

    c69792d8a8ef30f50d118949aee702a01be0cafb4e9f6c9b544a8bb193ea5994

  • SHA512

    9c0918269b6c8ed93cff186ae13fc0bb288be64381f6465597c619a5a894e76cf5af45c46b7a1aea3c0acd184fc4f74cc2e2dc2b4dc9cedae6643b8ad74f9521

  • SSDEEP

    768:ldhO/poiiUcjlJInShYH9Xqk5nWEZ5SbTDaCuI7CPW5u:7w+jjgnSSH9XqcnW85SbTXuIm

Malware Config

Extracted

Family

xenorat

C2

zenofs.zapto.org

Mutex

Svcchost

Attributes

  • install_path

    appdata

  • port

    4444

  • startup_name

    Windows Support

Targets

    • Target

      Svchost.exe

    • Size

      45KB

    • MD5

      d7b665428dd5924505511bd5c0f79e28

    • SHA1

      ef1480132b1bae773ef2ddede22e0f1ae7786625

    • SHA256

      c69792d8a8ef30f50d118949aee702a01be0cafb4e9f6c9b544a8bb193ea5994

    • SHA512

      9c0918269b6c8ed93cff186ae13fc0bb288be64381f6465597c619a5a894e76cf5af45c46b7a1aea3c0acd184fc4f74cc2e2dc2b4dc9cedae6643b8ad74f9521

    • SSDEEP

      768:ldhO/poiiUcjlJInShYH9Xqk5nWEZ5SbTDaCuI7CPW5u:7w+jjgnSSH9XqcnW85SbTXuIm

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks