xenorat | 2ad5653826ca219c21abade6c432e450a8a853191ddc0728a3c748bae031467c | Triage

Submit
Reports

Overview

overview

Static

static

3

Pago.09.26.2024.exe

windows7-x64

Pago.09.26.2024.exe

windows10-2004-x64

Sharing

General

Target

28092024_0315_26092024_Pago.09.26.2024.gz
Size

210KB
Sample

240928-drywratgpp
MD5

e460d5b3216f36126761d0241257de60
SHA1

92b2bef82f71b78a4f713facaa2359081cdee237
SHA256

2ad5653826ca219c21abade6c432e450a8a853191ddc0728a3c748bae031467c
SHA512

6a7cba3ac208752faf23865842076c9442a99edcec40cd4a67a61492e15fb36203e35c7419dd5c9923951be0b5f02456499138bde1a2a9f8dd74531b4d6e3232
SSDEEP

6144:MC0Ogtrl76b3uR8j+rS2jRJWkIaXt43f9105:REd6DmS+rpRJWkVXc105

Score

10^/10

xenorat discovery rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Pago.09.26.2024.exe

Resource

win7-20240903-en

xenorat discovery rat trojan

windows7-x64

10 signatures

300 seconds

Behavioral task

behavioral2

Sample

Pago.09.26.2024.exe

Resource

win10v2004-20240802-en

xenorat discovery rat trojan

windows10-2004-x64

10 signatures

300 seconds

Malware Config

Extracted

Family

xenorat

C2

154.216.17.207

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4448
startup_name
rscv.exe

Targets

- Target
  
  Pago.09.26.2024.exe
- Size
  
  240KB
- MD5
  
  9db85d8ad7a6a8604245cfe2cf28ed98
- SHA1
  
  15fd23324049f3d76bdd5c25f75ef79a0e83dcea
- SHA256
  
  80d58f595084e1daff4180c2984e40eed2792a4afbbfbd3cfa67374291b78742
- SHA512
  
  92b9210aa58f14a660f0b2d0d26d71d35b5acc659ba3f1789315ee3f3a8a453aa976d5547271d266f309a0ffb49125d18c93cfcb26b8f4696d1d1ff1f7682b72
- SSDEEP
  
  6144:vgkcoKal76b3uR8j+rSwjRXWkIaXt43Z910ic39O8+JaYII:zpd6DmS+rhRXWkVX410ic39O8+JaY1
Score

10^/10

xenorat discovery rat trojan
- Detect XenoRat Payload
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratdiscoveryrattrojan

behavioral2

xenoratdiscoveryrattrojan

© 2018-2024

Terms | Privacy