General

  • Target

    91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff

  • Size

    9.1MB

  • Sample

    240926-2pwklssanq

  • MD5

    1bafb4856a31ae27271fbd2ee1574a4f

  • SHA1

    b8b3649d959524df2c4e8a94434fc0de90f95005

  • SHA256

    91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff

  • SHA512

    e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25

  • SSDEEP

    3072:YaHDgOV/hchoS9bFr/l2Z40o6MLKkZPDOxAWP0:YmM8/DS9bF7knxMFb7D

Malware Config

Extracted

Family

xenorat

C2

193.149.187.135

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    mswindow

Targets

    • Target

      91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff

    • Size

      9.1MB

    • MD5

      1bafb4856a31ae27271fbd2ee1574a4f

    • SHA1

      b8b3649d959524df2c4e8a94434fc0de90f95005

    • SHA256

      91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff

    • SHA512

      e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25

    • SSDEEP

      3072:YaHDgOV/hchoS9bFr/l2Z40o6MLKkZPDOxAWP0:YmM8/DS9bF7knxMFb7D

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads ssh keys stored on the system

      Tries to access SSH used by SSH programs.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks