General

  • Target

    52f44039d97483f8ba440cc2f1745cbc4bb9663d27ef9ea40e2788e2813994ae

  • Size

    192KB

  • Sample

    241208-z5axqsyqgn

  • MD5

    8347418fb4da55c1e1afe281a84c6c4d

  • SHA1

    426e1a5950a97345ac8ed1d11cb7aea1c90fedd2

  • SHA256

    52f44039d97483f8ba440cc2f1745cbc4bb9663d27ef9ea40e2788e2813994ae

  • SHA512

    9192ec1f65dad0faddca5eb0d3353cff66d60bb41a66a27d7afa5328550011e6139516e9850a2c5e1156126f145bdb915b0374e97ddf0def9784d7e8ec250b3d

  • SSDEEP

    3072:MrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:2xEtjPOtioVjDGUU1qfDlavx+W2QnAqE

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Targets

    • Detect XenoRat Payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks