General
-
Target
04fad9a9d3cba8ff465f8b46946085b60c67a59e048d8b5b49717e6cdf34b247.exe
-
Size
283KB
-
Sample
241206-lp1lkaxkcq
-
MD5
2a099a2cb321a6fb92075cdfec575a03
-
SHA1
197d2707fde9d5c1f4c6f3977a7be25c34daffc9
-
SHA256
04fad9a9d3cba8ff465f8b46946085b60c67a59e048d8b5b49717e6cdf34b247
-
SHA512
5aa80d1fc6e7709d965e3ad72e6742c6fc3ee0b697ce7004a991f640f67a7159151489ebf09b8594480a74223f5ded57c6a9b29e04d3e70323e8d9f9cc72ba17
-
SSDEEP
6144:6xIuKqfUfpeerAEx2GvVYc3L1Qqls1gHny+MjoCGFDhSFDUTBe:4KCUfDrAEx2GvVYcTHnyJoPFDWDUT
Static task
static1
Behavioral task
behavioral1
Sample
04fad9a9d3cba8ff465f8b46946085b60c67a59e048d8b5b49717e6cdf34b247.exe
Resource
win7-20240903-en
Malware Config
Extracted
xenorat
96.126.118.61
Microsoft Windows_3371808
-
delay
5000
-
install_path
appdata
-
port
4444
-
startup_name
svchost.exe
Targets
-
-
Target
04fad9a9d3cba8ff465f8b46946085b60c67a59e048d8b5b49717e6cdf34b247.exe
-
Size
283KB
-
MD5
2a099a2cb321a6fb92075cdfec575a03
-
SHA1
197d2707fde9d5c1f4c6f3977a7be25c34daffc9
-
SHA256
04fad9a9d3cba8ff465f8b46946085b60c67a59e048d8b5b49717e6cdf34b247
-
SHA512
5aa80d1fc6e7709d965e3ad72e6742c6fc3ee0b697ce7004a991f640f67a7159151489ebf09b8594480a74223f5ded57c6a9b29e04d3e70323e8d9f9cc72ba17
-
SSDEEP
6144:6xIuKqfUfpeerAEx2GvVYc3L1Qqls1gHny+MjoCGFDhSFDUTBe:4KCUfDrAEx2GvVYcTHnyJoPFDWDUT
-
Xenorat family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-