xenorat | 548212f42d5dc4965db354d6ce075422dcb3331a213fb0b5b662e08e59234829 | Triage

Submit
Reports

Overview

overview

Static

static

8

ec6627e48b...31.doc

windows7-x64

ec6627e48b...31.doc

windows10-2004-x64

Sharing

General

Target

ec6627e48bb4c56abbb2a4563072e631.doc
Size

191KB
Sample

241211-lrqjdaxlfv
MD5

ec6627e48bb4c56abbb2a4563072e631
SHA1

9e237643473c67940eb359bba09825114c7bc726
SHA256

548212f42d5dc4965db354d6ce075422dcb3331a213fb0b5b662e08e59234829
SHA512

4fb47dcf9e0fe13e038a88cc8c9e06ff1dde996d69281c505a07c3d4cc591e32770c1df8dac3da8d031f4868073ebde8202a7173dfd369b016aa2c69af2385a3
SSDEEP

3072:Q877VGZ5Sd3b4e0wNZtsqXNKd5AvDJW4S+I/tZ6X1bpF6m+3b:9GZYwAZHMCDJ8/u5pAm0b

Score

10^/10

xenorat discovery macro macro_on_action rat trojan

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

ec6627e48bb4c56abbb2a4563072e631.doc

Resource

win7-20240729-en

xenorat discovery rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

ec6627e48bb4c56abbb2a4563072e631.doc

Resource

win10v2004-20241007-en

xenorat discovery rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes

delay
12000
install_path
appdata
port
4567
startup_name
mrec

Targets

- Target
  
  ec6627e48bb4c56abbb2a4563072e631.doc
- Size
  
  191KB
- MD5
  
  ec6627e48bb4c56abbb2a4563072e631
- SHA1
  
  9e237643473c67940eb359bba09825114c7bc726
- SHA256
  
  548212f42d5dc4965db354d6ce075422dcb3331a213fb0b5b662e08e59234829
- SHA512
  
  4fb47dcf9e0fe13e038a88cc8c9e06ff1dde996d69281c505a07c3d4cc591e32770c1df8dac3da8d031f4868073ebde8202a7173dfd369b016aa2c69af2385a3
- SSDEEP
  
  3072:Q877VGZ5Sd3b4e0wNZtsqXNKd5AvDJW4S+I/tZ6X1bpF6m+3b:9GZYwAZHMCDJ8/u5pAm0b
Score

10^/10

xenorat discovery rat trojan
- Detect XenoRat Payload
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

xenoratdiscoveryrattrojan

behavioral2

xenoratdiscoveryrattrojan

© 2018-2024

Terms | Privacy