General
-
Target
4ca7db129091a1a0a8c7babdc0851cd1f56a0afce09db54776a5862a89daae15.exe
-
Size
161KB
-
Sample
241206-lnrl9s1mat
-
MD5
85e4320221408f8475e1337d3d4df3ac
-
SHA1
702da4350473dc5a3e7c6d1f0c7899fce0ffeb42
-
SHA256
4ca7db129091a1a0a8c7babdc0851cd1f56a0afce09db54776a5862a89daae15
-
SHA512
c7fac650d78662d518d8a5d2e57131f82805c766256b71e55fd9bec2bfaf607abea80ac4c08630f23e31df247ef28b20f5bad77915d76eb5506f3351666fcb00
-
SSDEEP
3072:nd3SoRYw/VXW80KeQoBWIJ0xKAG50NlQvh+5v4Ty2b1Nm:nZSo75WCvoBL/AGF0yb1N
Static task
static1
Behavioral task
behavioral1
Sample
4ca7db129091a1a0a8c7babdc0851cd1f56a0afce09db54776a5862a89daae15.exe
Resource
win7-20240903-en
Malware Config
Extracted
xenorat
96.126.118.61
Microsoft Windows_3371808
-
delay
5000
-
install_path
appdata
-
port
4444
-
startup_name
svchost.exe
Targets
-
-
Target
4ca7db129091a1a0a8c7babdc0851cd1f56a0afce09db54776a5862a89daae15.exe
-
Size
161KB
-
MD5
85e4320221408f8475e1337d3d4df3ac
-
SHA1
702da4350473dc5a3e7c6d1f0c7899fce0ffeb42
-
SHA256
4ca7db129091a1a0a8c7babdc0851cd1f56a0afce09db54776a5862a89daae15
-
SHA512
c7fac650d78662d518d8a5d2e57131f82805c766256b71e55fd9bec2bfaf607abea80ac4c08630f23e31df247ef28b20f5bad77915d76eb5506f3351666fcb00
-
SSDEEP
3072:nd3SoRYw/VXW80KeQoBWIJ0xKAG50NlQvh+5v4Ty2b1Nm:nZSo75WCvoBL/AGF0yb1N
-
Xenorat family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-