xenorat | 59cd7e7b0c1c0760cb9499775184b02d8a8e3188bacd9420b04987b0b5724eb5 | Triage

Submit
Reports

Overview

overview

Static

static

7

59cd7e7b0c...b5.exe

windows7-x64

59cd7e7b0c...b5.exe

windows10-2004-x64

Sharing

General

Target

59cd7e7b0c1c0760cb9499775184b02d8a8e3188bacd9420b04987b0b5724eb5
Size

3.9MB
Sample

241207-x9eqdavlgj
MD5

9ce8e0cbb54f24de304851e0b7226c0a
SHA1

1db4c3d746ea0ad15e98ed3a2b96c2ca09fb1366
SHA256

59cd7e7b0c1c0760cb9499775184b02d8a8e3188bacd9420b04987b0b5724eb5
SHA512

fe5fd7e0f40074e45ad5a1709ff72670d47c2cb5e383cc9f6f4baccb21374a334d2ca1d970534f8815ae9a68c1e1f27b6517e3f8eb0a365b390686d61d0e97f8
SSDEEP

98304:xIQjojuFS4tTWv+uwCu48dIrvmnpE4h5CG4DdtED/:2KsovGIL5eG+C/

Score

10^/10

xenorat discovery evasion rat themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

59cd7e7b0c1c0760cb9499775184b02d8a8e3188bacd9420b04987b0b5724eb5.exe

Resource

win7-20240903-en

xenorat discovery evasion rat themida trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

59cd7e7b0c1c0760cb9499775184b02d8a8e3188bacd9420b04987b0b5724eb5.exe

Resource

win10v2004-20241007-en

xenorat discovery evasion rat themida trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

Microsoft Windows_3371808

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
svchost.exe

Targets

- Target
  
  59cd7e7b0c1c0760cb9499775184b02d8a8e3188bacd9420b04987b0b5724eb5
- Size
  
  3.9MB
- MD5
  
  9ce8e0cbb54f24de304851e0b7226c0a
- SHA1
  
  1db4c3d746ea0ad15e98ed3a2b96c2ca09fb1366
- SHA256
  
  59cd7e7b0c1c0760cb9499775184b02d8a8e3188bacd9420b04987b0b5724eb5
- SHA512
  
  fe5fd7e0f40074e45ad5a1709ff72670d47c2cb5e383cc9f6f4baccb21374a334d2ca1d970534f8815ae9a68c1e1f27b6517e3f8eb0a365b390686d61d0e97f8
- SSDEEP
  
  98304:xIQjojuFS4tTWv+uwCu48dIrvmnpE4h5CG4DdtED/:2KsovGIL5eG+C/
Score

10^/10

xenorat discovery evasion rat themida trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratdiscoveryevasionratthemidatrojan

behavioral2

xenoratdiscoveryevasionratthemidatrojan

© 2018-2024

Terms | Privacy