General

  • Target

    3106e90067456404a9f3e768ce3b60de6ae91fa2be664255ad6fe86c3f87e67d.doc

  • Size

    195KB

  • Sample

    241211-ctx7kawkhm

  • MD5

    13326ed69d36aaa385c5eba9fa6e5cc2

  • SHA1

    66946fa69204b91787c7eabb91c1fd8452b1cc24

  • SHA256

    3106e90067456404a9f3e768ce3b60de6ae91fa2be664255ad6fe86c3f87e67d

  • SHA512

    39e5df1db48b1afe1c2bf7f2b8ccfca38b0fd4c49dd04884299fcc8adc633e6171a8756bf9eca65ac37b59ce6ef4a3fb3c761848a94c04d9afe725a53d008edd

  • SSDEEP

    3072:j877VGZ5Sd3b4e0wNZtsqXNKd5AvDJW4S+I/tZ6X1bpF6mIJ88:6GZYwAZHMCDJ8/u5pAmIe8

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Targets

    • Target

      3106e90067456404a9f3e768ce3b60de6ae91fa2be664255ad6fe86c3f87e67d.doc

    • Size

      195KB

    • MD5

      13326ed69d36aaa385c5eba9fa6e5cc2

    • SHA1

      66946fa69204b91787c7eabb91c1fd8452b1cc24

    • SHA256

      3106e90067456404a9f3e768ce3b60de6ae91fa2be664255ad6fe86c3f87e67d

    • SHA512

      39e5df1db48b1afe1c2bf7f2b8ccfca38b0fd4c49dd04884299fcc8adc633e6171a8756bf9eca65ac37b59ce6ef4a3fb3c761848a94c04d9afe725a53d008edd

    • SSDEEP

      3072:j877VGZ5Sd3b4e0wNZtsqXNKd5AvDJW4S+I/tZ6X1bpF6mIJ88:6GZYwAZHMCDJ8/u5pAmIe8

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks