xenorat | b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b

General

Target

b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe
Size

823KB
MD5

f0da3bdc5e367bec5963e7c88279d549
SHA1

a44f1f9bc3829e8b5317092ab7952cabc38f0366
SHA256

b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b
SHA512

e1137f33a5b52ba52ac9a5a7099422a00db738ebfe130ed9b9ca13cc0cf7e62c68fb189a969a29ab1a50c6bf86b5f2aa085557abfa21f74abf9893645dc9ff33
SSDEEP

24576:RHDP1eovEwCWcDO6j1cV5PaNVNQjUP7JH2ELVj:RHD9PlCnDdj1cVMNVNZ1Xpj

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

74.14.71.2

Mutex

Xeno_rat_nd8912d

Attributes

delay
10
install_path
appdata
port
6969
startup_name
msedge

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016c80-7.dat	family_xenorat
behavioral1/memory/3068-16-0x0000000000AD0000-0x0000000000B06000-memory.dmp	family_xenorat
behavioral1/memory/2692-24-0x0000000001230000-0x0000000001266000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 2 IoCs

pid	Process
3068	bac.exe
2692	bac.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	bac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2524	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3068	1800	b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe	31
PID 1800 wrote to memory of 3068	1800	b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe	31
PID 1800 wrote to memory of 3068	1800	b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe	31
PID 1800 wrote to memory of 3068	1800	b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe	31
PID 3068 wrote to memory of 2692	3068	bac.exe	32
PID 3068 wrote to memory of 2692	3068	bac.exe	32
PID 3068 wrote to memory of 2692	3068	bac.exe	32
PID 3068 wrote to memory of 2692	3068	bac.exe	32
PID 2692 wrote to memory of 2524	2692	bac.exe	33
PID 2692 wrote to memory of 2524	2692	bac.exe	33
PID 2692 wrote to memory of 2524	2692	bac.exe	33
PID 2692 wrote to memory of 2524	2692	bac.exe	33

C:\Users\Admin\AppData\Local\Temp\b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe
"C:\Users\Admin\AppData\Local\Temp\b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\bac.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bac.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Roaming\XenoManager\bac.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\bac.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "msedge" /XML "C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bac.exe

Filesize
194KB

MD5
f73f69de4629869b868b71dd097fe282

SHA1
9b1adb9148ff61eb24cf8ee5b4b7a93538802571

SHA256
16f6c02691320612b7437cd44cf381b8f63e5bcbb30cd780637628d487e2602d

SHA512
d67609d94f44d51fb89bd9a7e7dbf5f2cb3a9e14f4202b56b021de6306dce1a787763ad5c6da60869273310e06ed95b8c8707284c71e1a454bc212d49db6af26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp

Filesize
1KB

MD5
c4b5ff827a617a0db739c1792785b256

SHA1
53dd6140d39f0e7bfe0cd8a42d0f9f08481d0e6a

SHA256
6e40af4c3f66210e9474add8f807de3702975991b1e8f2ebce8c52365a696201

SHA512
329718a943cbcbaf3211c1cf536f618febb654c2945ce33fc2f2c1bbfd24d58fc7e875b053511278ce6601ae21daca9e6d22baf2bd990ea62f119d779f10f7ad

Download Submit
memory/1800-4-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/2692-24-0x0000000001230000-0x0000000001266000-memory.dmp

Filesize
216KB

Download
memory/3068-15-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/3068-16-0x0000000000AD0000-0x0000000000B06000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads