xenorat | 75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a | Triage

Submit
Reports

Overview

overview

Static

static

8

Estado de cuenta.xls

windows7-x64

Estado de cuenta.xls

windows10-2004-x64

Sharing

General

Target

Estado de cuenta.xls
Size

192KB
Sample

241208-jzeezaxqhy
MD5

31795aff2f438defa01c82368886353c
SHA1

3f4c6dfa01693fea70f3113c11aeb5812b0c6cdb
SHA256

75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a
SHA512

9ceebe6f8c7ee47b23c9e9350b7afdb21064edc45009ad8d1400566959d669b5aa2fd426d19c3302d701e05d5a09e9ed4088c1869168f4237b2b7417e21a49df
SSDEEP

6144:BxEtjPOtioVjDGUU1qfDlavx+W2QnAu+Ly9ckwDwPq5XlsqhwxNNipu:s+VkGUqLsqyi

Score

10^/10

xenorat discovery macro macro_on_action rat trojan

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

Estado de cuenta.xls

Resource

win7-20241023-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

Estado de cuenta.xls

Resource

win10v2004-20241007-en

xenorat discovery macro macro_on_action rat trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes

delay
12000
install_path
appdata
port
4567
startup_name
mrec

Targets

- Target
  
  Estado de cuenta.xls
- Size
  
  192KB
- MD5
  
  31795aff2f438defa01c82368886353c
- SHA1
  
  3f4c6dfa01693fea70f3113c11aeb5812b0c6cdb
- SHA256
  
  75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a
- SHA512
  
  9ceebe6f8c7ee47b23c9e9350b7afdb21064edc45009ad8d1400566959d669b5aa2fd426d19c3302d701e05d5a09e9ed4088c1869168f4237b2b7417e21a49df
- SSDEEP
  
  6144:BxEtjPOtioVjDGUU1qfDlavx+W2QnAu+Ly9ckwDwPq5XlsqhwxNNipu:s+VkGUqLsqyi
Score

10^/10

discovery xenorat macro macro_on_action rat trojan
- Detect XenoRat Payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

xenoratdiscoverymacromacro_on_actionrattrojan

© 2018-2024

Terms | Privacy