General

  • Target

    a43b59c54921c6b5cc272e0af9917b5973231de9b6d183be381c1820416ce49f.lnk

  • Size

    2KB

  • Sample

    241210-dsgzmasjay

  • MD5

    e03e7eeb288c1f96bb336fe0bfa4cb95

  • SHA1

    e2a53c23480aad659723ee5c8542105955787ac1

  • SHA256

    a43b59c54921c6b5cc272e0af9917b5973231de9b6d183be381c1820416ce49f

  • SHA512

    c142377b9ad169f06e62836c4152b916bfff5b4d64487005fcca5dc2d213a9aeaa5a8d6d2fcfbbbbc13b6016aaf9c4ff0b108cff3af98d28cc85d1502478ce2a

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs

Extracted

  • Family

    xenorat

  • C2

    dns.stipamana.com

  • Mutex

    Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Targets

    • Target

      a43b59c54921c6b5cc272e0af9917b5973231de9b6d183be381c1820416ce49f.lnk

    • Size

      2KB

    • MD5

      e03e7eeb288c1f96bb336fe0bfa4cb95

    • SHA1

      e2a53c23480aad659723ee5c8542105955787ac1

    • SHA256

      a43b59c54921c6b5cc272e0af9917b5973231de9b6d183be381c1820416ce49f

    • SHA512

      c142377b9ad169f06e62836c4152b916bfff5b4d64487005fcca5dc2d213a9aeaa5a8d6d2fcfbbbbc13b6016aaf9c4ff0b108cff3af98d28cc85d1502478ce2a

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks