xenorat | 2f2764f4cf7f147d0e05ebc817329e4ee20f9abf41bf2d18a0422b6e74525382

Analysis

max time kernel
1791s
max time network
1560s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Atlantisrat.exe
Size

250KB
MD5

6d6b39d2de6789a8c1ebb5b22401bc7b
SHA1

6cec48b082e8839871edd8cebf7df6529a989d66
SHA256

2f2764f4cf7f147d0e05ebc817329e4ee20f9abf41bf2d18a0422b6e74525382
SHA512

a71802ed767b38ad785e5435fcd601f4a650ba6ba863ae1171ee16f3aa7bca4bdf6bcf2dece91557893eb777b76995de2a25f02327839f8d3ee363257c089fbb
SSDEEP

1536:Pw+jjgnyH9XqcnW85SbTvWIFAZ+r/cttjNFH1MB53FvSvoKi8G:Pw+jqs91UbTvE+ri0NgvFi8G

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Atlantis

Attributes

delay
1000
install_path
appdata
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2344-1-0x0000000001100000-0x0000000001144000-memory.dmp	family_xenorat
behavioral1/files/0x0007000000016cd1-7.dat	family_xenorat
behavioral1/memory/2108-9-0x0000000001290000-0x00000000012D4000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 1 IoCs

pid	Process
2108	Atlantisrat.exe

Loads dropped DLL 1 IoCs

pid	Process
2344	Atlantisrat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Atlantisrat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Atlantisrat.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2108	2344	Atlantisrat.exe	30
PID 2344 wrote to memory of 2108	2344	Atlantisrat.exe	30
PID 2344 wrote to memory of 2108	2344	Atlantisrat.exe	30
PID 2344 wrote to memory of 2108	2344	Atlantisrat.exe	30

C:\Users\Admin\AppData\Local\Temp\Atlantisrat.exe
"C:\Users\Admin\AppData\Local\Temp\Atlantisrat.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Roaming\XenoManager\Atlantisrat.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Atlantisrat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2108

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XenoManager\Atlantisrat.exe

Filesize
250KB

MD5
6d6b39d2de6789a8c1ebb5b22401bc7b

SHA1
6cec48b082e8839871edd8cebf7df6529a989d66

SHA256
2f2764f4cf7f147d0e05ebc817329e4ee20f9abf41bf2d18a0422b6e74525382

SHA512
a71802ed767b38ad785e5435fcd601f4a650ba6ba863ae1171ee16f3aa7bca4bdf6bcf2dece91557893eb777b76995de2a25f02327839f8d3ee363257c089fbb

Download Submit
memory/2108-9-0x0000000001290000-0x00000000012D4000-memory.dmp

Filesize
272KB

Download
memory/2108-10-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-11-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-12-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2344-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/2344-1-0x0000000001100000-0x0000000001144000-memory.dmp

Filesize
272KB

Download