General

  • Target

    c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe

  • Size

    686KB

  • Sample

    241206-ls75taxlfq

  • MD5

    44adb05457d354014bd7b663c4768892

  • SHA1

    f3a5cbd19cae38d03ce9792ec7770ca00639e812

  • SHA256

    c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace

  • SHA512

    6f870752d03c2f9083f46013ac3d057debc45d36f0d880ec12725d53f5f19bea964ced664f477aedbb2c79e881a47158e4dd07884ccc52e330c42cdb663b8505

  • SSDEEP

    12288:WDIl5j/JEDC4z1EzPwSE5y4jE5O6txIwyiHzrEDS0:WDIl5AC1zYSE5yhjGniH3E

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

Microsoft Windows_3371808

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    svchost.exe

Targets

    • Target

      c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe

    • Size

      686KB

    • MD5

      44adb05457d354014bd7b663c4768892

    • SHA1

      f3a5cbd19cae38d03ce9792ec7770ca00639e812

    • SHA256

      c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace

    • SHA512

      6f870752d03c2f9083f46013ac3d057debc45d36f0d880ec12725d53f5f19bea964ced664f477aedbb2c79e881a47158e4dd07884ccc52e330c42cdb663b8505

    • SSDEEP

      12288:WDIl5j/JEDC4z1EzPwSE5y4jE5O6txIwyiHzrEDS0:WDIl5AC1zYSE5yhjGniH3E

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks