Overview

overview

10

Static

static

3

a5d28ebe51...9e.exe

windows7-x64

6

a5d28ebe51...9e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a5d28ebe518095de0a4ca7143132c1de8d57bd7c9d18fb970834c1d9a682979e.exe

  • Size

    161KB

  • Sample

    241206-lnrl9s1lhy

  • MD5

    5152fe85bb3fb27bc5c9a03bd69cdb7d

  • SHA1

    f10099bbe57ee0cff489596cb04aeb914898afad

  • SHA256

    a5d28ebe518095de0a4ca7143132c1de8d57bd7c9d18fb970834c1d9a682979e

  • SHA512

    2b65a40ebc16bb7143060408d87dab84b3af86dfb33db4c0211febe32537a3ada1b0bd66f5a4741d22becc6e512b761026efd6039017694b0eecdb1b65572bd3

  • SSDEEP

    3072:WAl8ZMA3vR2sSN+3NZHtcKfE1RKW+zJQARhGq4y6d8loubgUMOfyrAbYp:WdRZ29+3NVmw8RK71FGIjJNq

Score
10/10
xenoratdiscoveryevasionratthemidatrojan

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

Microsoft Windows_3371808

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    svchost.exe

Targets

    • Target

      a5d28ebe518095de0a4ca7143132c1de8d57bd7c9d18fb970834c1d9a682979e.exe

    • Size

      161KB

    • MD5

      5152fe85bb3fb27bc5c9a03bd69cdb7d

    • SHA1

      f10099bbe57ee0cff489596cb04aeb914898afad

    • SHA256

      a5d28ebe518095de0a4ca7143132c1de8d57bd7c9d18fb970834c1d9a682979e

    • SHA512

      2b65a40ebc16bb7143060408d87dab84b3af86dfb33db4c0211febe32537a3ada1b0bd66f5a4741d22becc6e512b761026efd6039017694b0eecdb1b65572bd3

    • SSDEEP

      3072:WAl8ZMA3vR2sSN+3NZHtcKfE1RKW+zJQARhGq4y6d8loubgUMOfyrAbYp:WdRZ29+3NVmw8RK71FGIjJNq

    Score
    10/10
    discoveryxenoratevasionratthemidatrojan

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Xenorat family

      xenorat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks