xenorat | b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b

General

Target

b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe
Size

823KB
MD5

f0da3bdc5e367bec5963e7c88279d549
SHA1

a44f1f9bc3829e8b5317092ab7952cabc38f0366
SHA256

b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b
SHA512

e1137f33a5b52ba52ac9a5a7099422a00db738ebfe130ed9b9ca13cc0cf7e62c68fb189a969a29ab1a50c6bf86b5f2aa085557abfa21f74abf9893645dc9ff33
SSDEEP

24576:RHDP1eovEwCWcDO6j1cV5PaNVNQjUP7JH2ELVj:RHD9PlCnDdj1cVMNVNZ1Xpj

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

74.14.71.2

Mutex

Xeno_rat_nd8912d

Attributes

delay
10
install_path
appdata
port
6969
startup_name
msedge

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000f000000023bb7-6.dat	family_xenorat
behavioral2/memory/3108-15-0x0000000000530000-0x0000000000566000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	bac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe

Executes dropped EXE 2 IoCs

pid	Process
3108	bac.exe
3188	bac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1556	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 3108	3636	b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe	86
PID 3636 wrote to memory of 3108	3636	b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe	86
PID 3636 wrote to memory of 3108	3636	b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe	86
PID 3108 wrote to memory of 3188	3108	bac.exe	89
PID 3108 wrote to memory of 3188	3108	bac.exe	89
PID 3108 wrote to memory of 3188	3108	bac.exe	89
PID 3188 wrote to memory of 1556	3188	bac.exe	90
PID 3188 wrote to memory of 1556	3188	bac.exe	90
PID 3188 wrote to memory of 1556	3188	bac.exe	90

C:\Users\Admin\AppData\Local\Temp\b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe
"C:\Users\Admin\AppData\Local\Temp\b7af0c5cdc296b96ea5993fed5daa849031c5d1d7b69cb8d445406db1fb1d74b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\bac.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bac.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Users\Admin\AppData\Roaming\XenoManager\bac.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\bac.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "msedge" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF97.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bac.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bac.exe

Filesize
194KB

MD5
f73f69de4629869b868b71dd097fe282

SHA1
9b1adb9148ff61eb24cf8ee5b4b7a93538802571

SHA256
16f6c02691320612b7437cd44cf381b8f63e5bcbb30cd780637628d487e2602d

SHA512
d67609d94f44d51fb89bd9a7e7dbf5f2cb3a9e14f4202b56b021de6306dce1a787763ad5c6da60869273310e06ed95b8c8707284c71e1a454bc212d49db6af26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF97.tmp

Filesize
1KB

MD5
c4b5ff827a617a0db739c1792785b256

SHA1
53dd6140d39f0e7bfe0cd8a42d0f9f08481d0e6a

SHA256
6e40af4c3f66210e9474add8f807de3702975991b1e8f2ebce8c52365a696201

SHA512
329718a943cbcbaf3211c1cf536f618febb654c2945ce33fc2f2c1bbfd24d58fc7e875b053511278ce6601ae21daca9e6d22baf2bd990ea62f119d779f10f7ad

Download Submit
memory/3108-14-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/3108-15-0x0000000000530000-0x0000000000566000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads