General

  • Target

    de2926943fb1ffb6cba2166eaeec84cf9b3a1dbdfdb808dd7d364cf73c4c6462.exe

  • Size

    451KB

  • Sample

    241010-ctvrfavenb

  • MD5

    b08ec13cff4a4b999fbc04f79c08b4ed

  • SHA1

    81340aff932cde68070c03c634fb1292f62e8eaf

  • SHA256

    de2926943fb1ffb6cba2166eaeec84cf9b3a1dbdfdb808dd7d364cf73c4c6462

  • SHA512

    6c2921d1e41fd695d20ed40e235e561e772283ad7503d808e44e1eb75856297ce2835038d7c8efcc295c950527073041ec888f91062d03b4e37665be2e714d9c

  • SSDEEP

    6144:ySnzhr6w+x08AE1Owf4pIB89065C9EDMuY1zhmP1iaOfzdXQq+Bwe8bQbi:xVr6wu1AEl470R9Ew31zwP1ifdE8bQb

Malware Config

Extracted

  • Family

    xenorat

  • C2

    109.248.150.212

  • Mutex

    eno_rx_nd8912d

Attributes

  • delay

    5

  • install_path

    appdata

  • port

    4444

  • startup_name

    nothingset

Targets

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15