General
-
Target
Pagopendiente.vbs
-
Size
10KB
-
Sample
241206-t46ecsxjaw
-
MD5
0995c2673a7fe289c96c2bab2ac7dfb4
-
SHA1
5e78f526dc678b118650746f4f1c2f8d782a0242
-
SHA256
bf6659af111dfa8daca20d98f53711b282cce11434fff5d245a0c277e6c806ef
-
SHA512
53e29b747ad1c100f389a38c720280160f01421938277bd84b844fd94fec2d897ac1172b6b8c7335797f00f72cce90a7e7e9557962a9192947e9c7078eadd789
-
SSDEEP
192:dBwtLFm2jh5HdWo6uUcnzRs1JARdGgG7A:dBAr6X8kJeGA
Static task
static1
Behavioral task
behavioral1
Sample
Pagopendiente.vbs
Resource
win7-20241023-en
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Targets
-
-
Target
Pagopendiente.vbs
-
Size
10KB
-
MD5
0995c2673a7fe289c96c2bab2ac7dfb4
-
SHA1
5e78f526dc678b118650746f4f1c2f8d782a0242
-
SHA256
bf6659af111dfa8daca20d98f53711b282cce11434fff5d245a0c277e6c806ef
-
SHA512
53e29b747ad1c100f389a38c720280160f01421938277bd84b844fd94fec2d897ac1172b6b8c7335797f00f72cce90a7e7e9557962a9192947e9c7078eadd789
-
SSDEEP
192:dBwtLFm2jh5HdWo6uUcnzRs1JARdGgG7A:dBAr6X8kJeGA
-
Detect XenoRat Payload
-
Xenorat family
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action
Office document macro which triggers in special circumstances - often malicious.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-