General

  • Target

    Pagopendiente.vbs

  • Size

    10KB

  • Sample

    241206-t46ecsxjaw

  • MD5

    0995c2673a7fe289c96c2bab2ac7dfb4

  • SHA1

    5e78f526dc678b118650746f4f1c2f8d782a0242

  • SHA256

    bf6659af111dfa8daca20d98f53711b282cce11434fff5d245a0c277e6c806ef

  • SHA512

    53e29b747ad1c100f389a38c720280160f01421938277bd84b844fd94fec2d897ac1172b6b8c7335797f00f72cce90a7e7e9557962a9192947e9c7078eadd789

  • SSDEEP

    192:dBwtLFm2jh5HdWo6uUcnzRs1JARdGgG7A:dBAr6X8kJeGA

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Targets

    • Target

      Pagopendiente.vbs

    • Size

      10KB

    • MD5

      0995c2673a7fe289c96c2bab2ac7dfb4

    • SHA1

      5e78f526dc678b118650746f4f1c2f8d782a0242

    • SHA256

      bf6659af111dfa8daca20d98f53711b282cce11434fff5d245a0c277e6c806ef

    • SHA512

      53e29b747ad1c100f389a38c720280160f01421938277bd84b844fd94fec2d897ac1172b6b8c7335797f00f72cce90a7e7e9557962a9192947e9c7078eadd789

    • SSDEEP

      192:dBwtLFm2jh5HdWo6uUcnzRs1JARdGgG7A:dBAr6X8kJeGA

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks