xenorat | 48a776e5effacaaee83b198a43a9252d9456fd6f488a8f44af4fd6ee5835d8a9 | Triage

Submit
Reports

Overview

overview

Static

static

8

48a776e5ef...a9.xls

windows7-x64

48a776e5ef...a9.xls

windows10-2004-x64

Sharing

General

Target

48a776e5effacaaee83b198a43a9252d9456fd6f488a8f44af4fd6ee5835d8a9
Size

192KB
Sample

241208-z7t4dsvjbx
MD5

054c7c9df65480b67c1762fdf1071692
SHA1

e9962aa07b013c9d2f56a257f08c3873919c57bf
SHA256

48a776e5effacaaee83b198a43a9252d9456fd6f488a8f44af4fd6ee5835d8a9
SHA512

54403bb19f320a9e7c241ba28f9c0b2b67b9beb8585ab13a9e434a6edf9d4bfbd99047710197f784d685879b6af2929574a5e00347b406dcd2493244b12ac3ad
SSDEEP

3072:PrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:zxEtjPOtioVjDGUU1qfDlavx+W2QnAqE

Score

10^/10

xenorat discovery macro macro_on_action rat trojan

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

48a776e5effacaaee83b198a43a9252d9456fd6f488a8f44af4fd6ee5835d8a9.xls

Resource

win7-20240903-en

windows7-x64

8 signatures

60 seconds

Behavioral task

behavioral2

Sample

48a776e5effacaaee83b198a43a9252d9456fd6f488a8f44af4fd6ee5835d8a9.xls

Resource

win10v2004-20241007-en

xenorat discovery macro macro_on_action rat trojan

windows10-2004-x64

22 signatures

60 seconds

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes

delay
12000
install_path
appdata
port
4567
startup_name
mrec

Targets

- Target
  
  48a776e5effacaaee83b198a43a9252d9456fd6f488a8f44af4fd6ee5835d8a9
- Size
  
  192KB
- MD5
  
  054c7c9df65480b67c1762fdf1071692
- SHA1
  
  e9962aa07b013c9d2f56a257f08c3873919c57bf
- SHA256
  
  48a776e5effacaaee83b198a43a9252d9456fd6f488a8f44af4fd6ee5835d8a9
- SHA512
  
  54403bb19f320a9e7c241ba28f9c0b2b67b9beb8585ab13a9e434a6edf9d4bfbd99047710197f784d685879b6af2929574a5e00347b406dcd2493244b12ac3ad
- SSDEEP
  
  3072:PrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:zxEtjPOtioVjDGUU1qfDlavx+W2QnAqE
Score

10^/10

discovery xenorat macro macro_on_action rat trojan
- Detect XenoRat Payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

xenoratdiscoverymacromacro_on_actionrattrojan

© 2018-2024

Terms | Privacy