xenorat | ByeFunV1Helper[.]exeu | Triage

Sharing

General

Target

ByeFunV1Helper.exeu
Size

61KB
MD5

4853487df85809a47fd28f81f60914e3
SHA1

efa5f925e0587a5282154def356c93ca6c56fac8
SHA256

93d60d73b33815ffcfa599af4dde3a900bf3ed880d667b2029a6c791d6340810
SHA512

84afd14836ac592548e35f9c03eaabcce22a0d18e3ad596be99f3924e094856d9733fb3e2844bc629ba9dedcdcf22c14d77b2527de475a95d788f6ee2678623d
SSDEEP

1536:Bw+jjgnNH9XqcnW85SbTiuIyLJ+/oOyc:Bw+jqV91UbTiIN+Afc

Score

10^/10

xenorat

Malware Config

Extracted

Family

xenorat

C2

10.9.30.162

Mutex

ByeFunV1Helper

Attributes

delay
5000
install_path
appdata
port
4872
startup_name
BYEFUNHELPERINJECTED

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
sample	family_xenorat

Xenorat family
xenorat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ByeFunV1Helper.exeu

Files

ByeFunV1Helper.exeu
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ