General

  • Target

    51da22344eb88f90613c1260e0767883504220eb087af4051296724170ad0271.exe

  • Size

    4.5MB

  • Sample

    241207-c4czda1ngt

  • MD5

    faeb91bf5a7103468d164959ba3f0974

  • SHA1

    8edb3aa7c02a6d6ef72034906d9ed233ad8de0eb

  • SHA256

    51da22344eb88f90613c1260e0767883504220eb087af4051296724170ad0271

  • SHA512

    09ca0174ab748ae2fd4fbae87ef3bf3d284112b365687abff91da6e3e03a4418e780fefa576ee5df058f50426c9fd3a8a09a6bc5110f2f0b877e8d5b65c8cbbe

  • SSDEEP

    98304:9wNq3cmCLbLxPplbkajaf5I7tcZVu+Fajxkl9L9jmvXBl80VQNrT1e7asbJ:sTLxhlbka+O7tc3FsjxcJSvAYID0J

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

Microsoft Windows_3371808

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    5037

  • startup_name

    svchost.exe

Targets

    • Target

      51da22344eb88f90613c1260e0767883504220eb087af4051296724170ad0271.exe

    • Size

      4.5MB

    • MD5

      faeb91bf5a7103468d164959ba3f0974

    • SHA1

      8edb3aa7c02a6d6ef72034906d9ed233ad8de0eb

    • SHA256

      51da22344eb88f90613c1260e0767883504220eb087af4051296724170ad0271

    • SHA512

      09ca0174ab748ae2fd4fbae87ef3bf3d284112b365687abff91da6e3e03a4418e780fefa576ee5df058f50426c9fd3a8a09a6bc5110f2f0b877e8d5b65c8cbbe

    • SSDEEP

      98304:9wNq3cmCLbLxPplbkajaf5I7tcZVu+Fajxkl9L9jmvXBl80VQNrT1e7asbJ:sTLxhlbka+O7tc3FsjxcJSvAYID0J

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks