xenorat | a1b6ec86bff84ed72257daaf6a11811f71027b8a02592d39bda47c36a1a91afb | Triage

Sharing

General

Target

a1b6ec86bff84ed72257daaf6a11811f71027b8a02592d39bda47c36a1a91afb
Size

2.2MB
Sample

241207-vs94vaxkft
MD5

958dad459434404af63b16110f8333be
SHA1

2d83e559793d250b8e50643a90c90d78d4a5174f
SHA256

a1b6ec86bff84ed72257daaf6a11811f71027b8a02592d39bda47c36a1a91afb
SHA512

d98d4bf9cfe745c4b7cc4734a017c586c88013a2dc8c16f8e97f50261001357f5e01314dc8a91d8c624ab7ac56c0cc7478c8ed7268bf5004db8f9de61c03bc81
SSDEEP

49152:fegwdsK+fl0+eor1gyVSgg0R4WEggpZWPVcr8823guNNb9C5sx7LfkyoJ:l5OpMp49ggpZyHNho5sNaJ

Score

10^/10

xenorat discovery evasion rat themida trojan

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

Microsoft Windows_3371808

Attributes

delay
5000
install_path
appdata
port
5037
startup_name
svchost.exe

Targets

- Target
  
  a1b6ec86bff84ed72257daaf6a11811f71027b8a02592d39bda47c36a1a91afb
- Size
  
  2.2MB
- MD5
  
  958dad459434404af63b16110f8333be
- SHA1
  
  2d83e559793d250b8e50643a90c90d78d4a5174f
- SHA256
  
  a1b6ec86bff84ed72257daaf6a11811f71027b8a02592d39bda47c36a1a91afb
- SHA512
  
  d98d4bf9cfe745c4b7cc4734a017c586c88013a2dc8c16f8e97f50261001357f5e01314dc8a91d8c624ab7ac56c0cc7478c8ed7268bf5004db8f9de61c03bc81
- SSDEEP
  
  49152:fegwdsK+fl0+eor1gyVSgg0R4WEggpZWPVcr8823guNNb9C5sx7LfkyoJ:l5OpMp49ggpZyHNho5sNaJ
Score

10^/10

xenorat discovery evasion rat themida trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratdiscoveryevasionratthemidatrojan

behavioral2

xenoratdiscoveryevasionratthemidatrojan