xenorat | dd1d0772b969998d05d329411a3dec9ec52b344df956749dc9998f48107487d0

General

Target

Dropper_protected.exe
Size

5.7MB
MD5

95f9265e284dbccd509025fdc368cadd
SHA1

a63c64dfe79d97aba4056539e1ae9905d1cf518f
SHA256

dd1d0772b969998d05d329411a3dec9ec52b344df956749dc9998f48107487d0
SHA512

18e0d2e959285dcc8b96bcb3dcbedaf7a8e868fb705f9d941ad5914820f17fd4a4d1889a713d032ffa65fbc3365635f7407b616f86b206406d31bba2e0f03040
SSDEEP

98304:d4Ngr8BHpJCLdpkaPDE+7sP3Nh7GsOSa5NJcHjJmZLXuDQn9ebtmg2bhWpxBZMxN:dV8h4pkaPDE+Uj7G7pNJqEKKitF2VWLE

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001f00000002aa82-9.dat	family_xenorat
behavioral1/memory/2720-26-0x0000000000B00000-0x0000000000B12000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 2 IoCs

pid	Process
2720	hahaha.exe
3948	SimpleCrackMe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3020	Dropper_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dropper_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hahaha.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2212	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3020	Dropper_protected.exe
3020	Dropper_protected.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2212	vlc.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3020	Dropper_protected.exe
3020	Dropper_protected.exe
2212	vlc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2720	3020	Dropper_protected.exe	82
PID 3020 wrote to memory of 2720	3020	Dropper_protected.exe	82
PID 3020 wrote to memory of 2720	3020	Dropper_protected.exe	82
PID 3020 wrote to memory of 3948	3020	Dropper_protected.exe	83
PID 3020 wrote to memory of 3948	3020	Dropper_protected.exe	83
PID 3948 wrote to memory of 1160	3948	SimpleCrackMe.exe	86
PID 3948 wrote to memory of 1160	3948	SimpleCrackMe.exe	86

C:\Users\Admin\AppData\Local\Temp\Dropper_protected.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper_protected.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\hahaha.exe
  "C:\Users\Admin\AppData\Local\Temp\hahaha.exe" 0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\SimpleCrackMe.exe
  "C:\Users\Admin\AppData\Local\Temp\SimpleCrackMe.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c exit
    3⤵
    PID:1160

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RegisterInstall.TS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RegisterInstall.TS"
1⤵
PID:2852

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RegisterInstall.TS"
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SimpleCrackMe.exe

Filesize
19KB

MD5
a2e2bddf8addd8d7852b1fd57fdc30ae

SHA1
df84efd4116b4af71721330c5a7abc0b2f36548b

SHA256
55e05a99b673b02723a8861acb4a0c1ad7488ff498570b76e67e69d20fc284a0

SHA512
87b5e0bbc5f7d4ae5f69fe43fa23349016a73dbd7eac3675a7f338d7fa5ff2c20a42bdc88fe5172f50a383b23d18278b40f79ad1af269689b56b23cbf78ef96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hahaha.exe

Filesize
45KB

MD5
42faf67435979c1245010683d8e916b5

SHA1
b93b780736398c6e4001c150276ccb24982ed67f

SHA256
eef18c81faeee1877aa9cd8d8aef18b643a434fd3da221cc724070ec863e5fcd

SHA512
ff0fd19b423da9c89a6729790f5f39bac4e2dd03d62ad8c8fcf9628afb7e57a58b0a4700ee8811ba6c6191390c7cf3816342852fb90fc583ba261fd4637fcd86

Download Submit
memory/1960-38-0x00007FFFFEFA0000-0x00007FFFFEFD4000-memory.dmp

Filesize
208KB

Download
memory/1960-39-0x00007FFFEFB30000-0x00007FFFEFDE6000-memory.dmp

Filesize
2.7MB

Download
memory/1960-42-0x00007FF801DD0000-0x00007FF801DE1000-memory.dmp

Filesize
68KB

Download
memory/1960-41-0x00007FF8020C0000-0x00007FF8020D7000-memory.dmp

Filesize
92KB

Download
memory/1960-40-0x00007FF804D90000-0x00007FF804DA8000-memory.dmp

Filesize
96KB

Download
memory/1960-37-0x00007FF7D2900000-0x00007FF7D29F8000-memory.dmp

Filesize
992KB

Download
memory/2720-30-0x0000000073840000-0x0000000073FF1000-memory.dmp

Filesize
7.7MB

Download
memory/2720-29-0x0000000073840000-0x0000000073FF1000-memory.dmp

Filesize
7.7MB

Download
memory/2720-26-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2720-24-0x000000007384E000-0x000000007384F000-memory.dmp

Filesize
4KB

Download
memory/2852-32-0x00007FFFFEFA0000-0x00007FFFFEFD4000-memory.dmp

Filesize
208KB

Download
memory/2852-36-0x00007FF801DD0000-0x00007FF801DE1000-memory.dmp

Filesize
68KB

Download
memory/2852-35-0x00007FF8020C0000-0x00007FF8020D7000-memory.dmp

Filesize
92KB

Download
memory/2852-34-0x00007FF804D90000-0x00007FF804DA8000-memory.dmp

Filesize
96KB

Download
memory/2852-33-0x00007FFFEFB30000-0x00007FFFEFDE6000-memory.dmp

Filesize
2.7MB

Download
memory/2852-31-0x00007FF7D2900000-0x00007FF7D29F8000-memory.dmp

Filesize
992KB

Download
memory/3020-28-0x000000007FAA0000-0x000000007FE71000-memory.dmp

Filesize
3.8MB

Download
memory/3020-27-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3020-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3020-3-0x0000000077AD4000-0x0000000077AD5000-memory.dmp

Filesize
4KB

Download
memory/3020-1-0x000000007FAA0000-0x000000007FE71000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing