Overview

overview

10

Static

static

8

b8e91461d8...8b.xls

windows7-x64

10

b8e91461d8...8b.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b

  • Size

    192KB

  • Sample

    241208-zyfjmsyqbj

  • MD5

    a0d948d0fbf62f7e4b6e54892a49ccf6

  • SHA1

    151f7cc6960406e3ce9d3579c483e820daa074f2

  • SHA256

    b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b

  • SHA512

    3cec3d407ee2146f931f64114d545e00ef5d81a9cfbe44fca8e5822d20efa71c77eda92750fff277a26d7314da92e4b272642eda74ac4ea62b9435ff23860e72

  • SSDEEP

    3072:brxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:/xEtjPOtioVjDGUU1qfDlavx+W2QnAqE

Score
10/10
xenoratdiscoverymacromacro_on_actionrattrojan

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Targets

    • Target

      b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b

    • Size

      192KB

    • MD5

      a0d948d0fbf62f7e4b6e54892a49ccf6

    • SHA1

      151f7cc6960406e3ce9d3579c483e820daa074f2

    • SHA256

      b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b

    • SHA512

      3cec3d407ee2146f931f64114d545e00ef5d81a9cfbe44fca8e5822d20efa71c77eda92750fff277a26d7314da92e4b272642eda74ac4ea62b9435ff23860e72

    • SSDEEP

      3072:brxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:/xEtjPOtioVjDGUU1qfDlavx+W2QnAqE

    Score
    10/10
    discoveryxenoratmacromacro_on_actionrattrojan

    • Detect XenoRat Payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Xenorat family

      xenorat

    • Blocklisted process makes network request

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

      macromacro_on_action

    • Suspicious Office macro

      Office document equipped with macros.

      macro

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks