General

  • Target

    90f57a9578ce153c8520aee9b42d0407.doc

  • Size

    35KB

  • Sample

    241206-rwh8raxphj

  • MD5

    90f57a9578ce153c8520aee9b42d0407

  • SHA1

    b669b63e818628044a49c33a2c4edb9840bb030e

  • SHA256

    c9ab3c4481da95348f1d65fecb8da349ecdb1826f16d27ee3e5c5a0d49384c52

  • SHA512

    a63d6c7d453c82e2ff910b5b1faaddf9a96f312f6ab325b5cdf72d68d46006986e429281cfdb3eea7357f4cec5a4dce29e730602aa120df4afca1c8ea15b13cc

  • SSDEEP

    384:wRpiSY5U1zhghLadtb/W5t7c4AZTA6C60jYvA6cSPvuC9:E7n1QvyTA6NJvA6cSeC9

Malware Config

Extracted

  • Family

    xenorat

  • C2

    dns.stipamana.com

  • Mutex

    Xeno_rat_nd8912d

Attributes

  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Targets

    • Target

      90f57a9578ce153c8520aee9b42d0407.doc

    • Size

      35KB

    • MD5

      90f57a9578ce153c8520aee9b42d0407

    • SHA1

      b669b63e818628044a49c33a2c4edb9840bb030e

    • SHA256

      c9ab3c4481da95348f1d65fecb8da349ecdb1826f16d27ee3e5c5a0d49384c52

    • SHA512

      a63d6c7d453c82e2ff910b5b1faaddf9a96f312f6ab325b5cdf72d68d46006986e429281cfdb3eea7357f4cec5a4dce29e730602aa120df4afca1c8ea15b13cc

    • SSDEEP

      384:wRpiSY5U1zhghLadtb/W5t7c4AZTA6C60jYvA6cSPvuC9:E7n1QvyTA6NJvA6cSeC9

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks