General
-
Target
91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff
-
Size
9.1MB
-
Sample
240927-mfjr5azhla
-
MD5
1bafb4856a31ae27271fbd2ee1574a4f
-
SHA1
b8b3649d959524df2c4e8a94434fc0de90f95005
-
SHA256
91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff
-
SHA512
e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25
-
SSDEEP
3072:YaHDgOV/hchoS9bFr/l2Z40o6MLKkZPDOxAWP0:YmM8/DS9bF7knxMFb7D
Static task
static1
Behavioral task
behavioral1
Sample
91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
xenorat
193.149.187.135
Xeno_rat_nd8912d
-
delay
5000
-
install_path
appdata
-
port
4444
-
startup_name
mswindow
Extracted
gurcu
https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389
Targets
-
-
Target
91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff
-
Size
9.1MB
-
MD5
1bafb4856a31ae27271fbd2ee1574a4f
-
SHA1
b8b3649d959524df2c4e8a94434fc0de90f95005
-
SHA256
91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff
-
SHA512
e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25
-
SSDEEP
3072:YaHDgOV/hchoS9bFr/l2Z40o6MLKkZPDOxAWP0:YmM8/DS9bF7knxMFb7D
-
Detect XenoRat Payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1