General

  • Target

    Sleezy Perm Spoofer.exe

  • Size

    45KB

  • Sample

    240929-rgfjbaxdjm

  • MD5

    3857559693c3664d1d4a23e347b22a97

  • SHA1

    901a46aa21849b31a78376103d132fd228b6c319

  • SHA256

    cb77bce6f9be0ea60169d0eaf76b5ef231c47f3996cccc75abc60f7d54dff7e8

  • SHA512

    5136d51473f2214ad83fa43c603839224ea736ba436e5ce67d8c1d57390e5969e075c6c8d3fb914f835ca42bf49b369e8962e64326f807b4a6badb5340ebec81

  • SSDEEP

    768:bdhO/poiiUcjlJInfTwH9Xqk5nWEZ5SbTDaJWI7CPW5M:Jw+jjgncH9XqcnW85SbTgWI0

Malware Config

Extracted

Family

xenorat

C2

4.tcp.eu.ngrok.io

Mutex

Sleezy Perm

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    19096

  • startup_name

    svchost.exe
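The extracted configuration above is directly actionable: the C2 is an ngrok TCP tunnel, the implant installs to a Temp directory under a file name that impersonates svchost.exe, and it creates a fixed mutex. The following triage helper is an added example, not code from the sandbox or from the XenoRat project: it turns those values into host and network checks and runs them over a constructed batch of telemetry. Assumptions not on this page: the event schema (plain dicts with `type`, `image`, `sha256`, `dst_host`, `dst_port`, `name`), the list of directories that legitimately host svchost.exe, and the generalisation that any `<n>.tcp[.<region>].ngrok.io` endpoint is worth flagging in a fleet that does not use ngrok.

```python
"""Triage helper built from the XenoRat config extracted above (added example).
Turns the C2 host/port, mutex, install path and startup name into checks and
runs them over constructed sample telemetry."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators copied from the extracted config and hash section on this page.
C2_HOST = "4.tcp.eu.ngrok.io"
C2_PORT = 19096
MUTEX = "Sleezy Perm"
STARTUP_NAME = "svchost.exe"
SHA256 = "cb77bce6f9be0ea60169d0eaf76b5ef231c47f3996cccc75abc60f7d54dff7e8"

# Generalisation (assumption): every <n>.tcp[.<region>].ngrok.io host is an ngrok
# TCP tunnel; the C2 above is one instance of that pattern.
NGROK_TCP = re.compile(r"^\d+\.tcp(\.[a-z]{2})?\.ngrok\.io$", re.IGNORECASE)

# Assumption: only these directories legitimately host svchost.exe.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def check_process(ev):
    """Flag the known sample hash and svchost.exe running outside System32/SysWOW64."""
    out = []
    path = PureWindowsPath(ev["image"])
    if ev.get("sha256", "").lower() == SHA256:
        out.append(Finding("known_xenorat_sample", ev["image"]))
    if path.name.lower() == STARTUP_NAME and str(path.parent).lower() not in LEGIT_SVCHOST_DIRS:
        # install_path=temp in the config: a Temp directory is the expected drop location.
        rule = "svchost_in_temp" if path.parent.name.lower() == "temp" else "svchost_masquerade"
        out.append(Finding(rule, ev["image"]))
    return out


def check_network(ev):
    """Exact C2 match takes precedence over the generic ngrok-tunnel match."""
    host, port = ev["dst_host"].lower(), ev["dst_port"]
    if host == C2_HOST and port == C2_PORT:
        return [Finding("xenorat_c2_exact", f"{host}:{port}")]
    if NGROK_TCP.match(host):
        return [Finding("ngrok_tcp_tunnel", f"{host}:{port}")]
    return []


def check_mutex(ev):
    """The config's mutex is created by the implant to avoid running twice."""
    return [Finding("xenorat_mutex", ev["name"])] if ev["name"] == MUTEX else []


CHECKS = {"process": check_process, "network": check_network, "mutex": check_mutex}


def triage(events):
    """Run every check over a list of telemetry dicts and return all findings."""
    findings = []
    for ev in events:
        findings.extend(CHECKS[ev["type"]](ev))
    return findings


# Constructed sample telemetry (not from the sandbox run): one infected host
# plus benign events that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "sha256": "00" * 32},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\svchost.exe", "sha256": SHA256},
    {"type": "mutex", "name": "Sleezy Perm"},
    {"type": "mutex", "name": "Global\\UpdateSvc"},
    {"type": "network", "dst_host": "4.tcp.eu.ngrok.io", "dst_port": 19096},
    {"type": "network", "dst_host": "0.tcp.ngrok.io", "dst_port": 12345},
    {"type": "network", "dst_host": "www.microsoft.com", "dst_port": 443},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.evidence}")
```

The `delay` of 5000 ms in the config means the first beacon to the ngrok endpoint lags process start by about five seconds, so correlate the process and network findings over a short window rather than expecting them at the same timestamp.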

Targets

    • Target

      Sleezy Perm Spoofer.exe

    • Size

      45KB

    • MD5

      3857559693c3664d1d4a23e347b22a97

    • SHA1

      901a46aa21849b31a78376103d132fd228b6c319

    • SHA256

      cb77bce6f9be0ea60169d0eaf76b5ef231c47f3996cccc75abc60f7d54dff7e8

    • SHA512

      5136d51473f2214ad83fa43c603839224ea736ba436e5ce67d8c1d57390e5969e075c6c8d3fb914f835ca42bf49b369e8962e64326f807b4a6badb5340ebec81

    • SSDEEP

      768:bdhO/poiiUcjlJInfTwH9Xqk5nWEZ5SbTDaJWI7CPW5M:Jw+jjgncH9XqcnW85SbTgWI0

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

      The C2 endpoint 4.tcp.eu.ngrok.io:19096 is an ngrok TCP tunnel, so the operator's real address is hidden behind a legitimate service.
