General

  • Target

    TRANSFERENCIACOMPROBANTES.lnk

  • Size

    2KB

  • Sample

    241209-gmd8bsvpbp

  • MD5

    5f82d730794323e47df2c5361e13ce69

  • SHA1

    e05dba2157cec9966790f75cba9899243939b569

  • SHA256

    4a6695307864dfe0b2e8b516afce79959cb20fed28734d5426450091367255a4

  • SHA512

    9b0ffcccaff5071944b6525bcb9678aed94f939700c741ebc99f919cdc4033d86a79546f39080e1991b41cd7cf2e243d434b147764495b3548e1f563a1a0ea07

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Targets

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro that triggers under special circumstances; often malicious.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks