xenorat | c69792d8a8ef30f50d118949aee702a01be0cafb4e9f6c9b544a8bb193ea5994

Analysis

max time kernel
135s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Svchost.exe
Size

45KB
MD5

d7b665428dd5924505511bd5c0f79e28
SHA1

ef1480132b1bae773ef2ddede22e0f1ae7786625
SHA256

c69792d8a8ef30f50d118949aee702a01be0cafb4e9f6c9b544a8bb193ea5994
SHA512

9c0918269b6c8ed93cff186ae13fc0bb288be64381f6465597c619a5a894e76cf5af45c46b7a1aea3c0acd184fc4f74cc2e2dc2b4dc9cedae6643b8ad74f9521
SSDEEP

768:ldhO/poiiUcjlJInShYH9Xqk5nWEZ5SbTDaCuI7CPW5u:7w+jjgnSSH9XqcnW85SbTXuIm

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

zenofs.zapto.org

Mutex

Svcchost

Attributes

install_path
appdata
port
4444
startup_name
Windows Support

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1628-1-0x0000000000E30000-0x0000000000E42000-memory.dmp	family_xenorat
behavioral1/files/0x000a00000001739b-4.dat	family_xenorat
behavioral1/memory/2468-9-0x0000000000D50000-0x0000000000D62000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 1 IoCs

pid	Process
2468	Svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1628	Svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2036	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2468	1628	Svchost.exe	31
PID 1628 wrote to memory of 2468	1628	Svchost.exe	31
PID 1628 wrote to memory of 2468	1628	Svchost.exe	31
PID 1628 wrote to memory of 2468	1628	Svchost.exe	31
PID 2468 wrote to memory of 2036	2468	Svchost.exe	32
PID 2468 wrote to memory of 2036	2468	Svchost.exe	32
PID 2468 wrote to memory of 2036	2468	Svchost.exe	32
PID 2468 wrote to memory of 2036	2468	Svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\Svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Svchost.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Roaming\XenoManager\Svchost.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Windows Support" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE263.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE263.tmp

Filesize
1KB

MD5
dc9da360c13e549113fa679558d32557

SHA1
c3edf7411c9ca91cf84ff5caee8617daab489d9c

SHA256
0b86988e5abcb35b0a4b2c12b4a0a6875aecfb910d87ec8dbcaf0a7d6a039725

SHA512
44645a3693177ab17be7d831b660be5f378e2930ccc23a4a8d3587ed8dd748fe2e65d47d90f0026f73be746a500a34b14bf3e93cc8edd62f71671cc4c58bee7a

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\Svchost.exe

Filesize
45KB

MD5
d7b665428dd5924505511bd5c0f79e28

SHA1
ef1480132b1bae773ef2ddede22e0f1ae7786625

SHA256
c69792d8a8ef30f50d118949aee702a01be0cafb4e9f6c9b544a8bb193ea5994

SHA512
9c0918269b6c8ed93cff186ae13fc0bb288be64381f6465597c619a5a894e76cf5af45c46b7a1aea3c0acd184fc4f74cc2e2dc2b4dc9cedae6643b8ad74f9521

Download Submit
memory/1628-0-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/1628-1-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/2468-9-0x0000000000D50000-0x0000000000D62000-memory.dmp

Filesize
72KB

Download
memory/2468-12-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-13-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-14-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads