General
Target: de2926943fb1ffb6cba2166eaeec84cf9b3a1dbdfdb808dd7d364cf73c4c6462.exe
Size: 451KB
Sample: 241010-ctvrfavenb
MD5: b08ec13cff4a4b999fbc04f79c08b4ed
SHA1: 81340aff932cde68070c03c634fb1292f62e8eaf
SHA256: de2926943fb1ffb6cba2166eaeec84cf9b3a1dbdfdb808dd7d364cf73c4c6462
SHA512: 6c2921d1e41fd695d20ed40e235e561e772283ad7503d808e44e1eb75856297ce2835038d7c8efcc295c950527073041ec888f91062d03b4e37665be2e714d9c
SSDEEP: 6144:ySnzhr6w+x08AE1Owf4pIB89065C9EDMuY1zhmP1iaOfzdXQq+Bwe8bQbi:xVr6wu1AEl470R9Ew31zwP1ifdE8bQb
Static task: static1
Behavioral task: behavioral1
Sample: de2926943fb1ffb6cba2166eaeec84cf9b3a1dbdfdb808dd7d364cf73c4c6462.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: xenorat
C2 address: 109.248.150.212
Mutex: eno_rx_nd8912d (field label inferred from the XenoRAT config layout; the report leaves this value unlabelled)
delay: 5
install_path: appdata
port: 4444
startup_name: nothingset
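The extracted configuration gives the C2 address and port plus a delay value, which is what a hunter turns into a network indicator. The script below is an added example, not part of the report or of XenoRAT itself: it matches constructed Zeek-style connection records against the configured C2 endpoint, then checks whether repeated attempts from one host are spaced at the configured delay. Treating delay 5 as a reconnect interval in seconds is an assumption; the report does not state the unit. The sample records, the column subset and the helper names are all constructed for this example.

```python
"""Hunt for the XenoRAT C2 endpoint from the extracted config in connection logs.

Added example: the config values are the ones listed in the report above; the
connection records are constructed sample data, not traffic from the sandbox run.
"""
import ipaddress
from dataclasses import dataclass

# Extracted config as listed in the report. Treating "delay" as a reconnect
# interval in seconds is an assumption; the report does not state the unit.
XENORAT_CONFIG = {
    "c2": "109.248.150.212",
    "port": 4444,
    "delay": 5,
    "install_path": "appdata",
    "startup_name": "nothingset",
}


@dataclass
class ConnEvent:
    ts: float      # epoch seconds
    src: str       # originating host
    dst: str       # responding host
    dport: int     # responding port


def parse_conn_line(line: str) -> ConnEvent:
    """Parse a whitespace-separated record: ts, id.orig_h, id.resp_h, id.resp_p
    (a constructed subset of Zeek conn.log columns)."""
    ts, src, dst, dport = line.split()[:4]
    return ConnEvent(float(ts), src, dst, int(dport))


def find_c2_hits(lines, config=XENORAT_CONFIG):
    """Return every record whose destination is the configured C2 address and port."""
    c2 = ipaddress.ip_address(config["c2"])
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):   # skip blanks and Zeek header lines
            continue
        ev = parse_conn_line(line)
        if ipaddress.ip_address(ev.dst) == c2 and ev.dport == config["port"]:
            hits.append(ev)
    return hits


def reconnect_intervals(hits):
    """Seconds between successive C2 connection attempts, keyed by source host."""
    by_src = {}
    for ev in sorted(hits, key=lambda e: e.ts):
        by_src.setdefault(ev.src, []).append(ev.ts)
    return {src: [round(b - a, 1) for a, b in zip(ts, ts[1:])]
            for src, ts in by_src.items()}


def matches_delay(intervals, delay=XENORAT_CONFIG["delay"], tolerance=1.0):
    """True for each host whose attempts are spaced at the configured delay (within tolerance)."""
    return {src: bool(gaps) and all(abs(g - delay) <= tolerance for g in gaps)
            for src, gaps in intervals.items()}


# Constructed sample records: one host reconnects to the C2 every ~5 s; a second
# host talks to the same address on port 80 and is not matched.
SAMPLE_CONN_LOG = """\
#fields ts id.orig_h id.resp_h id.resp_p
1728543600.000 10.0.0.15 109.248.150.212 4444
1728543601.200 10.0.0.15 203.0.113.10 443
1728543605.100 10.0.0.15 109.248.150.212 4444
1728543610.100 10.0.0.15 109.248.150.212 4444
1728543611.000 10.0.0.22 109.248.150.212 80
"""

if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_CONN_LOG.splitlines())
    for ev in hits:
        print(f"C2 hit: {ev.src} -> {ev.dst}:{ev.dport} at {ev.ts}")
    gaps = reconnect_intervals(hits)
    print("intervals:", gaps)
    print("consistent with configured delay:", matches_delay(gaps))
```

The port match matters: the same address on port 80 is deliberately left unmatched, since a bare IP indicator would also fire on unrelated traffic to a shared host. Run the script on real conn.log exports by feeding the lines to find_c2_hits instead of the constructed sample.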
Targets
Target: de2926943fb1ffb6cba2166eaeec84cf9b3a1dbdfdb808dd7d364cf73c4c6462.exe
Detect XenoRat Payload
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Executes dropped EXE
Suspicious use of SetThreadContext
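The PowerShell behaviour above is the sample weakening Defender by adding exclusions, which in PowerShell means Add-MpPreference or Set-MpPreference with -ExclusionPath, -ExclusionExtension or -ExclusionProcess. The detection logic below is an added example, not code from the report or from the sample: it scans constructed records in the shape of PowerShell script-block (4104) and process-creation (4688) events for those calls, and also decodes -EncodedCommand arguments so an exclusion hidden in a base64 blob is still caught. The field names, record ids and all sample records are constructed for this example.

```python
"""Flag PowerShell that adds Windows Defender exclusions.

Added example for the PowerShell behaviour listed above. Event shapes and all
records are constructed sample data, not logs from the sandbox run.
"""
import base64
import re

# An Add-/Set-MpPreference invocation and everything up to the end of that
# pipeline element (newline, semicolon or pipe).
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b([^\n;|]*)", re.IGNORECASE)
# The three exclusion parameters the report's signature refers to.
PARAM_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)
# powershell.exe -EncodedCommand and the prefixes it accepts, followed by base64.
ENCODED_RE = re.compile(
    r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_commands(text: str):
    """Return the decoded payload of every -EncodedCommand argument found in text."""
    decoded = []
    for m in ENCODED_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue   # not a valid encoded command; ignore it
    return decoded


def defender_exclusions(text: str):
    """Return (cmdlet, exclusion kind) for each exclusion added in text,
    looking inside -EncodedCommand payloads as well as the plain text."""
    found = []
    for candidate in [text, *decode_encoded_commands(text)]:
        for cmd in CMDLET_RE.finditer(candidate):
            for param in PARAM_RE.finditer(cmd.group(2)):
                found.append((f"{cmd.group(1).title()}-MpPreference", param.group(1).title()))
    return found


def scan_events(events):
    """Return (RecordId, findings) for each event whose script block or command
    line adds a Defender exclusion."""
    alerts = []
    for ev in events:
        text = ev.get("ScriptBlockText") or ev.get("CommandLine") or ""
        findings = defender_exclusions(text)
        if findings:
            alerts.append((ev["RecordId"], findings))
    return alerts


# Constructed sample records in the shape of PowerShell 4104 (script block) and
# Security 4688 (process creation) events.
_ENCODED = encode_command("Set-MpPreference -ExclusionProcess 'svchost.exe'")
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": 'Add-MpPreference -ExclusionPath "$env:APPDATA" -ExclusionExtension ".exe"'},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},   # benign read
    {"RecordId": 3, "EventID": 4688,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
]

if __name__ == "__main__":
    for record_id, findings in scan_events(SAMPLE_EVENTS):
        print(f"RecordId {record_id}: {findings}")
```

Record 2 is the control case: reading the current exclusions with Get-MpPreference is normal administration and produces no finding, so the check keys on the Add-/Set- cmdlets rather than on the word "Exclusion" alone. With the report's install_path of appdata, an -ExclusionPath pointing at %APPDATA% is the pairing to look for.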