Overview

overview

10

Static

static

1

7ab4cff638...77.vbs

windows7-x64

8

7ab4cff638...77.vbs

windows10-2004-x64

10

Resubmissions

07-12-2024 15:34

241207-sz38rs1pgm 10

07-12-2024 15:32

241207-syqw2s1pem 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7ab4cff638814f6af02b404eb9be4546122f56f93b071c44728d79f71e074277.zip

  • Size

    3KB

  • Sample

    241207-syqw2s1pem

  • MD5

    e3450b679ba72cd38ec9468a27fb0dd4

  • SHA1

    d1fbb7a2e9f4b2739a5a7f1acb31e1ac7d1730f5

  • SHA256

    b4dd75adf11ddcc5140fda99a0619ec0410ec7565b96b18c8e0da718823f91da

  • SHA512

    d6369591aeeed1b9c2319c9ff7c96d88c69d45b52019cbefd6f5e58a002147947b4c9c5518ecbc591f7ec2bbbd9be9d21c73d8327d79e21ef065334016c19527

Score
10/10
xenoratdiscoverymacromacro_on_actionrattrojan

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Targets

    • Target

      7ab4cff638814f6af02b404eb9be4546122f56f93b071c44728d79f71e074277.vbs

    • Size

      10KB

    • MD5

      49c83d8e10443183f49df571416c685b

    • SHA1

      01df897fe262f4aaf0b3d48ccade34587dd83e72

    • SHA256

      7ab4cff638814f6af02b404eb9be4546122f56f93b071c44728d79f71e074277

    • SHA512

      92812130a270b977e5d0c655731b808a4c2d01a67d720921de1072d553199a2c200aa34853bda5937219e90c813f0a3350e59f0072a37c38c8de09a1adba7d49

    • SSDEEP

      192:PQrn65rH/Jjw5jvacpYTvS96XVELDrRiHgk:PQGrHdmvib1yLR/k

    Score
    10/10
    xenoratdiscoverymacromacro_on_actionrattrojan

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Xenorat family

      xenorat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

      macromacro_on_action

    • Suspicious Office macro

      Office document equipped with macros.

      macro

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks