xenorat | Beda-Executor-BETA[.]exe | Triage

Sharing

General

Target

Beda-Executor-BETA.exe
Size

46KB
MD5

09dbfc1d03bf12e1c49086e5686ed71d
SHA1

6faf2c9afe5baf71f983adc76ec0c772e1f54fa9
SHA256

55b673feb6d0421068371f155aad3eb46e3e409dcb8e8b1f868ed055246a8d9c
SHA512

632114c35378aaffd8835327aca9693a27331819527aca6e42c68a2c3b0bfdee53d93e3924439c1f9c21eca6b9f76c3aeb28417b3ac5291b360fa69420b70308
SSDEEP

768:1dhO/poiiUcjlJInGzH9Xqk5nWEZ5SbTDaaWI7CPW55:Lw+jjgnEH9XqcnW85SbT7WIx

Score

10^/10

xenorat

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

beda_sa_nd8912d

Attributes

delay
5000
install_path
appdata
port
4449
startup_name
WinSec

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
sample	family_xenorat

Xenorat family
xenorat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Beda-Executor-BETA.exe

Files

Beda-Executor-BETA.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ