General

  • Target

    04fad9a9d3cba8ff465f8b46946085b60c67a59e048d8b5b49717e6cdf34b247.exe

  • Size

    283KB

  • Sample

    241206-lp1lkaxkcq

  • MD5

    2a099a2cb321a6fb92075cdfec575a03

  • SHA1

    197d2707fde9d5c1f4c6f3977a7be25c34daffc9

  • SHA256

    04fad9a9d3cba8ff465f8b46946085b60c67a59e048d8b5b49717e6cdf34b247

  • SHA512

    5aa80d1fc6e7709d965e3ad72e6742c6fc3ee0b697ce7004a991f640f67a7159151489ebf09b8594480a74223f5ded57c6a9b29e04d3e70323e8d9f9cc72ba17

  • SSDEEP

    6144:6xIuKqfUfpeerAEx2GvVYc3L1Qqls1gHny+MjoCGFDhSFDUTBe:4KCUfDrAEx2GvVYcTHnyJoPFDWDUT

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

Microsoft Windows_3371808

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    svchost.exe

Targets

    • Target

      04fad9a9d3cba8ff465f8b46946085b60c67a59e048d8b5b49717e6cdf34b247.exe

    • Size

      283KB

    • MD5

      2a099a2cb321a6fb92075cdfec575a03

    • SHA1

      197d2707fde9d5c1f4c6f3977a7be25c34daffc9

    • SHA256

      04fad9a9d3cba8ff465f8b46946085b60c67a59e048d8b5b49717e6cdf34b247

    • SHA512

      5aa80d1fc6e7709d965e3ad72e6742c6fc3ee0b697ce7004a991f640f67a7159151489ebf09b8594480a74223f5ded57c6a9b29e04d3e70323e8d9f9cc72ba17

    • SSDEEP

      6144:6xIuKqfUfpeerAEx2GvVYc3L1Qqls1gHny+MjoCGFDhSFDUTBe:4KCUfDrAEx2GvVYcTHnyJoPFDWDUT

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks