General

  • Target

    b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b

  • Size

    192KB

  • Sample

    241208-z5ntlatrht

  • MD5

    a0d948d0fbf62f7e4b6e54892a49ccf6

  • SHA1

    151f7cc6960406e3ce9d3579c483e820daa074f2

  • SHA256

    b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b

  • SHA512

    3cec3d407ee2146f931f64114d545e00ef5d81a9cfbe44fca8e5822d20efa71c77eda92750fff277a26d7314da92e4b272642eda74ac4ea62b9435ff23860e72

  • SSDEEP

    3072:brxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:/xEtjPOtioVjDGUU1qfDlavx+W2QnAqE

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Targets

    • Target

      b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b

    • Size

      192KB

    • MD5

      a0d948d0fbf62f7e4b6e54892a49ccf6

    • SHA1

      151f7cc6960406e3ce9d3579c483e820daa074f2

    • SHA256

      b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b

    • SHA512

      3cec3d407ee2146f931f64114d545e00ef5d81a9cfbe44fca8e5822d20efa71c77eda92750fff277a26d7314da92e4b272642eda74ac4ea62b9435ff23860e72

    • SSDEEP

      3072:brxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:/xEtjPOtioVjDGUU1qfDlavx+W2QnAqE

    • Detect XenoRat Payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks