General
-
Target
c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe
-
Size
686KB
-
Sample
241206-ls75taxlfq
-
MD5
44adb05457d354014bd7b663c4768892
-
SHA1
f3a5cbd19cae38d03ce9792ec7770ca00639e812
-
SHA256
c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace
-
SHA512
6f870752d03c2f9083f46013ac3d057debc45d36f0d880ec12725d53f5f19bea964ced664f477aedbb2c79e881a47158e4dd07884ccc52e330c42cdb663b8505
-
SSDEEP
12288:WDIl5j/JEDC4z1EzPwSE5y4jE5O6txIwyiHzrEDS0:WDIl5AC1zYSE5yhjGniH3E
Static task
static1
Behavioral task
behavioral1
Sample
c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe
Resource
win7-20240708-en
Malware Config
Extracted
xenorat
96.126.118.61
Microsoft Windows_3371808
-
delay
5000
-
install_path
appdata
-
port
4444
-
startup_name
svchost.exe
Targets
-
-
Target
c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace.exe
-
Size
686KB
-
MD5
44adb05457d354014bd7b663c4768892
-
SHA1
f3a5cbd19cae38d03ce9792ec7770ca00639e812
-
SHA256
c056638ae3452cddf858121518abe039b2e75e6a4d4ba40fc27340ef5d1aeace
-
SHA512
6f870752d03c2f9083f46013ac3d057debc45d36f0d880ec12725d53f5f19bea964ced664f477aedbb2c79e881a47158e4dd07884ccc52e330c42cdb663b8505
-
SSDEEP
12288:WDIl5j/JEDC4z1EzPwSE5y4jE5O6txIwyiHzrEDS0:WDIl5AC1zYSE5yhjGniH3E
-
Xenorat family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-