General
-
Target
Sleezy Perm Spoofer.exe
-
Size
45KB
-
Sample
240929-rgfjbaxdjm
-
MD5
3857559693c3664d1d4a23e347b22a97
-
SHA1
901a46aa21849b31a78376103d132fd228b6c319
-
SHA256
cb77bce6f9be0ea60169d0eaf76b5ef231c47f3996cccc75abc60f7d54dff7e8
-
SHA512
5136d51473f2214ad83fa43c603839224ea736ba436e5ce67d8c1d57390e5969e075c6c8d3fb914f835ca42bf49b369e8962e64326f807b4a6badb5340ebec81
-
SSDEEP
768:bdhO/poiiUcjlJInfTwH9Xqk5nWEZ5SbTDaJWI7CPW5M:Jw+jjgncH9XqcnW85SbTgWI0
Behavioral task
behavioral1
Sample
Sleezy Perm Spoofer.exe
Resource
win7-20240708-en
Malware Config
Extracted
xenorat
4.tcp.eu.ngrok.io
Sleezy Perm
-
delay
5000
-
install_path
temp
-
port
19096
-
startup_name
svchost.exe
Targets
-
-
Target
Sleezy Perm Spoofer.exe
-
Size
45KB
-
MD5
3857559693c3664d1d4a23e347b22a97
-
SHA1
901a46aa21849b31a78376103d132fd228b6c319
-
SHA256
cb77bce6f9be0ea60169d0eaf76b5ef231c47f3996cccc75abc60f7d54dff7e8
-
SHA512
5136d51473f2214ad83fa43c603839224ea736ba436e5ce67d8c1d57390e5969e075c6c8d3fb914f835ca42bf49b369e8962e64326f807b4a6badb5340ebec81
-
SSDEEP
768:bdhO/poiiUcjlJInfTwH9Xqk5nWEZ5SbTDaJWI7CPW5M:Jw+jjgncH9XqcnW85SbTgWI0
-
Detect XenoRat Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-