xenorat | 4a4f56be826841723b685fe98aedfb81eb3c11dfac2f4a466f4c78eef2c5bb71 | Triage

Sharing

General

Target

virus_src.bat
Size

652B
Sample

241207-zqa9yssrgy
MD5

3d20c8ba40ea3e85334342e7c01018bd
SHA1

b678d69ec173ca2e385ba8a8bda18be618f5af2c
SHA256

4a4f56be826841723b685fe98aedfb81eb3c11dfac2f4a466f4c78eef2c5bb71
SHA512

0fdeac77b6c4f3ba7ee53c33785c6c576873a7798d8921721d21498910316893b8ebb0e499759bd1d62239506499ce4bf9f222a2019c4a882ffd1a2ce86a6776

Score

10^/10

xenorat discovery execution rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

09fasifjkansmf8s9ghjndui90gijmfgpjkjyt90y843

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Targets

- Target
  
  virus_src.bat
- Size
  
  652B
- MD5
  
  3d20c8ba40ea3e85334342e7c01018bd
- SHA1
  
  b678d69ec173ca2e385ba8a8bda18be618f5af2c
- SHA256
  
  4a4f56be826841723b685fe98aedfb81eb3c11dfac2f4a466f4c78eef2c5bb71
- SHA512
  
  0fdeac77b6c4f3ba7ee53c33785c6c576873a7798d8921721d21498910316893b8ebb0e499759bd1d62239506499ce4bf9f222a2019c4a882ffd1a2ce86a6776
Score

10^/10

xenorat discovery execution rat trojan
- Detect XenoRat Payload
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratdiscoveryexecutionrattrojan