xenorat | a2763124af5630502ace78bd406f0ff15ba6701b29fe38a6a3d60c1e65e9ce73 | Triage

Submit
Reports

Overview

overview

Static

static

3

extracted_...in.exe

windows7-x64

6

extracted_...in.exe

windows10-2004-x64

Sharing

General

Target

extracted_payload.exe.bin.exe
Size

204KB
Sample

241206-lnrl9sxjgq
MD5

d45f2292784bc9e8a19d093e9950673f
SHA1

7c4e46b465680ef32ff55fc17916a5f4f6f9dbd5
SHA256

a2763124af5630502ace78bd406f0ff15ba6701b29fe38a6a3d60c1e65e9ce73
SHA512

a14cbac8377689b06c126c3ee71cc79c8b06e1650ecf0d29c7963425d1842dafb0fd6e1a66df1411cec487f6dcc5b696ee3d7a3f623773be61fd0b7a96646989
SSDEEP

3072:BhRxII30n0gihoSUgmGoQkrCMOsiDnwKH5OD1shB8t7ARD:nD0nxiWSUgPk5iD5BXR

Score

10^/10

xenorat discovery evasion rat themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

extracted_payload.exe.bin.exe

Resource

win7-20240708-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

extracted_payload.exe.bin.exe

Resource

win10v2004-20241007-en

xenorat discovery evasion rat themida trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

Microsoft Windows_3371808

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
svchost.exe

Targets

- Target
  
  extracted_payload.exe.bin.exe
- Size
  
  204KB
- MD5
  
  d45f2292784bc9e8a19d093e9950673f
- SHA1
  
  7c4e46b465680ef32ff55fc17916a5f4f6f9dbd5
- SHA256
  
  a2763124af5630502ace78bd406f0ff15ba6701b29fe38a6a3d60c1e65e9ce73
- SHA512
  
  a14cbac8377689b06c126c3ee71cc79c8b06e1650ecf0d29c7963425d1842dafb0fd6e1a66df1411cec487f6dcc5b696ee3d7a3f623773be61fd0b7a96646989
- SSDEEP
  
  3072:BhRxII30n0gihoSUgmGoQkrCMOsiDnwKH5OD1shB8t7ARD:nD0nxiWSUgPk5iD5BXR
Score

10^/10

xenorat discovery evasion rat themida trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xenoratdiscoveryevasionratthemidatrojan

© 2018-2024

Terms | Privacy