Resubmissions

  • 14/11/2024, 10:22 UTC: 241114-mep8hsxhnm (score 10)
  • 14/11/2024, 10:21 UTC: 241114-md3gfs1ndp (score 10)

Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/11/2024, 10:21 UTC

General

  • Target

    Flycode_VPN_installer.exe

  • Size

    725KB

  • MD5

    6214931316aef5b8f870d375a7649218

  • SHA1

    cfbded8b49b5c4c4ad1ab594010d14cb236463b0

  • SHA256

    32aaddf41bbed77709a5db74ed8a62e179f65486945cfb20ccaa6023686a6871

  • SHA512

    8eaa85a23fc4c5b38b08afbaad9ad7101f7c43e85fdc3e2841dac42e484b8af07ccea04b74d304dff39573d4e49747b49ca66f80444222268d1b8ab318e6e78f

  • SSDEEP

    12288:LxeQCJwvvFkyjj6ZqxdDXCXxFCQE1Vdr+iGkvii1KRlWPBboSWo69c32a6st7Ylm:NeQMwvNkn2DXCXxFCQE1Vdr+iGkvii1J

Score
10/10

Malware Config

Signatures

  • Detect XenoRat Payload (1 IoC)
  • XenoRat

    XenoRat is a remote access trojan written in C#.

  • XenoRat family

Processes

  • C:\Users\Admin\AppData\Local\Temp\Flycode_VPN_installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Flycode_VPN_installer.exe"
    PID: 716

    Network

    • DNS (US) 196.249.167.52.in-addr.arpa, remote address 8.8.8.8:53
      Request: 196.249.167.52.in-addr.arpa IN PTR
      Response: none
    • DNS (US) 8.8.8.8.in-addr.arpa, remote address 8.8.8.8:53
      Request: 8.8.8.8.in-addr.arpa IN PTR
      Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
    • DNS (US) 172.214.232.199.in-addr.arpa, remote address 8.8.8.8:53
      Request: 172.214.232.199.in-addr.arpa IN PTR
      Response: none
    • DNS (US) 134.32.126.40.in-addr.arpa, remote address 8.8.8.8:53
      Request: 134.32.126.40.in-addr.arpa IN PTR
      Response: none
    • DNS (US) 95.221.229.192.in-addr.arpa, remote address 8.8.8.8:53
      Request: 95.221.229.192.in-addr.arpa IN PTR
      Response: none
    • DNS (US) 241.150.49.20.in-addr.arpa, remote address 8.8.8.8:53
      Request: 241.150.49.20.in-addr.arpa IN PTR
      Response: none
    • DNS (US) 212.20.149.52.in-addr.arpa, remote address 8.8.8.8:53
      Request: 212.20.149.52.in-addr.arpa IN PTR
      Response: none
    • DNS (US) 18.31.95.13.in-addr.arpa, remote address 8.8.8.8:53
      Request: 18.31.95.13.in-addr.arpa IN PTR
      Response: none
    • DNS (US) 172.210.232.199.in-addr.arpa, remote address 8.8.8.8:53
      Request: 172.210.232.199.in-addr.arpa IN PTR
      Response: none
    • 172.25.136.161:10004 | Flycode_VPN_installer.exe | 260 B | 5
    • 172.25.136.161:10004 | Flycode_VPN_installer.exe | 260 B | 5
    • 172.25.136.161:10004 | Flycode_VPN_installer.exe | 260 B | 5
    • 172.25.136.161:10004 | Flycode_VPN_installer.exe | 260 B | 5
    • 172.25.136.161:10004 | Flycode_VPN_installer.exe | 260 B | 5
    • 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | dns | 73 B | 147 B | 1 | 1
      DNS request: 196.249.167.52.in-addr.arpa
    • 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | dns | 66 B | 90 B | 1 | 1
      DNS request: 8.8.8.8.in-addr.arpa
    • 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | dns | 74 B | 128 B | 1 | 1
      DNS request: 172.214.232.199.in-addr.arpa
    • 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
      DNS request: 134.32.126.40.in-addr.arpa
    • 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
      DNS request: 241.150.49.20.in-addr.arpa
    • 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | dns | 73 B | 144 B | 1 | 1
      DNS request: 95.221.229.192.in-addr.arpa
    • 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | dns | 72 B | 146 B | 1 | 1
      DNS request: 212.20.149.52.in-addr.arpa
    • 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | dns | 70 B | 144 B | 1 | 1
      DNS request: 18.31.95.13.in-addr.arpa
    • 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | dns | 74 B | 128 B | 1 | 1
      DNS request: 172.210.232.199.in-addr.arpa

    MITRE ATT&CK Matrix


    Downloads

    • memory/716-0-0x00007FFB290C3000-0x00007FFB290C5000-memory.dmp (8KB)
    • memory/716-1-0x0000000000980000-0x0000000000A3C000-memory.dmp (752KB)
    • memory/716-2-0x0000000002A90000-0x0000000002AD0000-memory.dmp (256KB)
    • memory/716-3-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp (10.8MB)
    • memory/716-4-0x00007FFB290C3000-0x00007FFB290C5000-memory.dmp (8KB)
    • memory/716-5-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp (10.8MB)
