xenorat | 548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb | Triage

Submit
Reports

Overview

overview

Static

static

8

548a95874b...cb.xls

windows7-x64

548a95874b...cb.xls

windows10-2004-x64

Sharing

General

Target

548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb.xls
Size

196KB
Sample

241209-cr7cfssrak
MD5

e700160268262e4b240c83c431f11299
SHA1

fdea2e1e5f0904c186a53bd325550707f7aa2699
SHA256

548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb
SHA512

2460d16d033021dad30dfa88e547118c05f151070233eb4e39a1e9a8e320fc76b23001f315eb5c3ea18c3f5721c22bfcd9fcae8cca4670ed5ddce5f6da56a0ad
SSDEEP

6144:wxEtjPOtioVjDGUU1qfDlavx+W2QnAj+Ly9ckwDwPq5XlsqYwxNNiprC:E+VkGUqLsqhi4

Score

10^/10

xenorat discovery macro macro_on_action rat trojan

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb.xls

Resource

win7-20240903-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb.xls

Resource

win10v2004-20241007-en

xenorat discovery macro macro_on_action rat trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes

delay
12000
install_path
appdata
port
4567
startup_name
mrec

Targets

- Target
  
  548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb.xls
- Size
  
  196KB
- MD5
  
  e700160268262e4b240c83c431f11299
- SHA1
  
  fdea2e1e5f0904c186a53bd325550707f7aa2699
- SHA256
  
  548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb
- SHA512
  
  2460d16d033021dad30dfa88e547118c05f151070233eb4e39a1e9a8e320fc76b23001f315eb5c3ea18c3f5721c22bfcd9fcae8cca4670ed5ddce5f6da56a0ad
- SSDEEP
  
  6144:wxEtjPOtioVjDGUU1qfDlavx+W2QnAj+Ly9ckwDwPq5XlsqYwxNNiprC:E+VkGUqLsqhi4
Score

10^/10

discovery xenorat macro macro_on_action rat trojan
- Detect XenoRat Payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

xenoratdiscoverymacromacro_on_actionrattrojan

© 2018-2024

Terms | Privacy