Overview

overview

10

Static

static

1

ebf59f8f0f...e6.exe

windows7-x64

6

ebf59f8f0f...e6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ebf59f8f0f1701f73f72b674104d460d9a3247a6978bc2c722ba9c2e3f92fde6.exe

  • Size

    170KB

  • Sample

    241206-lm7l4a1lgx

  • MD5

    f7e04e3049ca18c4913b2e119f21b9ec

  • SHA1

    e9febfc187572560b5e341c78cf85e337e519313

  • SHA256

    ebf59f8f0f1701f73f72b674104d460d9a3247a6978bc2c722ba9c2e3f92fde6

  • SHA512

    3933209da5c285372783e045aceb8f3d962365fbc3a4bbb02f7a88bdbb174cf083350b7046ca861a615313c8f81b928585c76d619fb646f39411554a65868971

  • SSDEEP

    3072:2wfGVibRB5zlyH2d6spw9MAu2FJJr/T+kHNPXGTkWZASbmpc8:2wFB7yH2noMArnJTrPGu7

Score
10/10
xenoratdiscoveryevasionratthemidatrojan

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

Microsoft Windows_3371808

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    svchost.exe

Targets

    • Target

      ebf59f8f0f1701f73f72b674104d460d9a3247a6978bc2c722ba9c2e3f92fde6.exe

    • Size

      170KB

    • MD5

      f7e04e3049ca18c4913b2e119f21b9ec

    • SHA1

      e9febfc187572560b5e341c78cf85e337e519313

    • SHA256

      ebf59f8f0f1701f73f72b674104d460d9a3247a6978bc2c722ba9c2e3f92fde6

    • SHA512

      3933209da5c285372783e045aceb8f3d962365fbc3a4bbb02f7a88bdbb174cf083350b7046ca861a615313c8f81b928585c76d619fb646f39411554a65868971

    • SSDEEP

      3072:2wfGVibRB5zlyH2d6spw9MAu2FJJr/T+kHNPXGTkWZASbmpc8:2wFB7yH2noMArnJTrPGu7

    Score
    10/10
    discoveryxenoratevasionratthemidatrojan

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Xenorat family

      xenorat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks