xenorat | 15f36a2a51a3195920753b15485517b8a6bad427d9a0bd11020d46055ac22c7b

General

Target

Echoes of the Overgrown BETA version 1.1.exe
Size

46KB
MD5

fb960f0a414e6dd221301c94e345451b
SHA1

7dd4fd9949b0dfcc84812fc9cde3d88e0490c9c2
SHA256

15f36a2a51a3195920753b15485517b8a6bad427d9a0bd11020d46055ac22c7b
SHA512

f29f36b2682d1c6616f406d3b10ee171144427ee99d93842cdc1f4f8ec13901aab3a09efbf34f68d0413a3780b3b6b30747f06f8b8941e3e402f39bf49e76451
SSDEEP

768:NdhO/poiiUcjlJInaVH9Xqk5nWEZ5SbTDa2uI7CPW5/:Dw+jjgn6H9XqcnW85SbTDuIX

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
temp
port
2000
startup_name
localhost

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4212-1-0x0000000000610000-0x0000000000622000-memory.dmp	family_xenorat
behavioral1/files/0x000a000000023bb3-6.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Echoes of the Overgrown BETA version 1.1.exe

Executes dropped EXE 1 IoCs

pid	Process
5056	Echoes of the Overgrown BETA version 1.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echoes of the Overgrown BETA version 1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echoes of the Overgrown BETA version 1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4716	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 5056	4212	Echoes of the Overgrown BETA version 1.1.exe	85
PID 4212 wrote to memory of 5056	4212	Echoes of the Overgrown BETA version 1.1.exe	85
PID 4212 wrote to memory of 5056	4212	Echoes of the Overgrown BETA version 1.1.exe	85
PID 5056 wrote to memory of 4716	5056	Echoes of the Overgrown BETA version 1.1.exe	94
PID 5056 wrote to memory of 4716	5056	Echoes of the Overgrown BETA version 1.1.exe	94
PID 5056 wrote to memory of 4716	5056	Echoes of the Overgrown BETA version 1.1.exe	94

C:\Users\Admin\AppData\Local\Temp\Echoes of the Overgrown BETA version 1.1.exe
"C:\Users\Admin\AppData\Local\Temp\Echoes of the Overgrown BETA version 1.1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Users\Admin\AppData\Local\Temp\XenoManager\Echoes of the Overgrown BETA version 1.1.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\Echoes of the Overgrown BETA version 1.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "localhost" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F8E.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Echoes of the Overgrown BETA version 1.1.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoManager\Echoes of the Overgrown BETA version 1.1.exe

Filesize
46KB

MD5
fb960f0a414e6dd221301c94e345451b

SHA1
7dd4fd9949b0dfcc84812fc9cde3d88e0490c9c2

SHA256
15f36a2a51a3195920753b15485517b8a6bad427d9a0bd11020d46055ac22c7b

SHA512
f29f36b2682d1c6616f406d3b10ee171144427ee99d93842cdc1f4f8ec13901aab3a09efbf34f68d0413a3780b3b6b30747f06f8b8941e3e402f39bf49e76451

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F8E.tmp

Filesize
1KB

MD5
a1ab36ce70b5dfa1deb2f99e2c7b33e7

SHA1
9dba69bf8826825bbb7400f36bc2a57bdb8e89af

SHA256
a31d87dd73a6b5f9c00ea815e9f14eb60ff383cf0ce52f20053352800daf4e00

SHA512
3967919303da9cf3068925e836110a3e84cf7d9f11585b9ea0585ea3423d95261fbd9ba599ff6bc12bd5defd20aede7457132148bce40dad58a3f1714decc213

Download Submit
memory/4212-0-0x000000007526E000-0x000000007526F000-memory.dmp

Filesize
4KB

Download
memory/4212-1-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/5056-15-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/5056-16-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/5056-19-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/5056-20-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads