General

  • Target

    363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe

  • Size

    31.0MB

  • Sample

    241206-lsr4la1ne1

  • MD5

    8f83513e7e3638b5a61c5e7f40f51c7e

  • SHA1

    e181ecf02f5575849e64f267fa733a83630191ee

  • SHA256

    363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d

  • SHA512

    c26ae71b83354a2a9fad7e5f12e6cd7de20defd455fd56cbaadc51e65a91ab506c0b98525244f6b4db25eb4586bef49f4dbb1f3e59c54312721da52c9974f091

  • SSDEEP

    786432:FjWc2f/LEmPTH4ccIAcuQ64skTX3KchPau56pIUWCkGm:xWpT9PcZ864s6HKchPipIUWC9m

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

lokai_je_bruh_1337

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    Usermode Disk Driver Host

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe

Targets

    • Target

      363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe

    • Size

      31.0MB

    • MD5

      8f83513e7e3638b5a61c5e7f40f51c7e

    • SHA1

      e181ecf02f5575849e64f267fa733a83630191ee

    • SHA256

      363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d

    • SHA512

      c26ae71b83354a2a9fad7e5f12e6cd7de20defd455fd56cbaadc51e65a91ab506c0b98525244f6b4db25eb4586bef49f4dbb1f3e59c54312721da52c9974f091

    • SSDEEP

      786432:FjWc2f/LEmPTH4ccIAcuQ64skTX3KchPau56pIUWCkGm:xWpT9PcZ864s6HKchPipIUWC9m

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks