xenorat | asteroid-256-main[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

asteroid-256-main.zip
Size

2.8MB
MD5

24ad6b46f9ee78f7c89bde706d86e4bb
SHA1

250f5355ce75f2a216546d999643f6087602f84e
SHA256

7ee2edea3e675db5189d0ca73d4014c98216153dfa7885f31ffba493b6e587d9
SHA512

174b93fc4434b5b5f6574ed8b323f6dc2cc0c77835b682394bac99f0d59e82677fa5a6ebced0b439f705dbc97a2b525c43252418682cc8f437c1b42284a226e8
SSDEEP

49152:JuwsipYkMY64JWvXDAEoQLzB53LTmTN4YAbl257/OiPhuCaicaEnMGgmuO1r:U+pYHAJcxH34iYABG7DuCaicapG7n

Score

10^/10

xenorat

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
gg

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
static1/unpack001/asteroid-256-main/selfess.exe	family_xenorat

Xenorat family
xenorat

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
static1/unpack001/asteroid-256-main/Asteroid.dll	embeds_openssl

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/asteroid-256-main/Asteroid.dll
unpack001/asteroid-256-main/selfess.exe

Files

asteroid-256-main.zip
.zip
asteroid-256-main/Asteroid.dll
.dll windows:6 windows x64 arch:x64

750cbcf4427c99086fa6107ab089c94c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

d3d11

D3D11CreateDeviceAndSwapChain

wldap32

ord26
ord27
ord32
ord33
ord35
ord79
ord30
ord200
ord301
ord45
ord60
ord211
ord46
ord50
ord217
ord143
ord41
ord22

kernel32

ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetACP
GetCurrentProcessId
GetSystemTimeAsFileTime
CloseHandle
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
ReleaseSemaphore
WaitForSingleObject
GetExitCodeThread
CreateSemaphoreA
GetSystemDirectoryA
FormatMessageA
LoadLibraryW
GetSystemTime
SystemTimeToFileTime
FindClose
FindFirstFileW
FindNextFileW
ReadConsoleA
ReadConsoleW
HeapCreate
HeapFree
GetCurrentProcess
Thread32Next
Thread32First
SuspendThread
ResumeThread
CreateToolhelp32Snapshot
HeapReAlloc
HeapAlloc
GetThreadContext
FlushInstructionCache
SetThreadContext
OpenThread
VirtualQuery
FormatMessageW
GetTickCount
InitializeSRWLock
SetEvent
FreeLibrary
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
ReadFile
PeekNamedPipe
WaitForMultipleObjects
SleepEx
VerifyVersionInfoW
CreateFileA
GetFileSizeEx
LCMapStringEx
GetLocaleInfoW
EncodePointer
GetLocaleInfoEx
LocalFree
AreFileApisANSI
GetFullPathNameW
GetFileInformationByHandle
GetFileAttributesExW
FindFirstFileExW
CreateFileW
GetCurrentDirectoryW
VerSetConditionMask
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetTimeZoneInformation
FlushFileBuffers
SetStdHandle
SetEndOfFile
IsValidCodePage
GetOEMCP
SetLastError
GetEnvironmentVariableW
RtlVirtualUnwind
GetLastError
GetProcAddress
QueryPerformanceFrequency
GetCommandLineA
GetCommandLineW
GetFileType
SetConsoleTitleW
SetConsoleOutputCP
CreateThread
Sleep
FreeLibraryAndExitThread
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
InitializeCriticalSectionEx
QueryPerformanceCounter
GetEnvironmentStringsW
FlsFree
FlsSetValue
FlsGetValue
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
LoadLibraryA
GetLocaleInfoA
GetModuleHandleA
WideCharToMultiByte
GlobalFree
MultiByteToWideChar
AllocConsole
GlobalUnlock
SetConsoleCursorPosition
GetModuleHandleW
GlobalLock
FillConsoleOutputAttribute
GlobalAlloc
FillConsoleOutputCharacterW
GetConsoleMode
SetConsoleMode
WriteFile
GetStdHandle
CreateEventA
GetConsoleScreenBufferInfo
FlsAlloc
GetConsoleOutputCP
GetModuleFileNameW
SetFilePointerEx
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetDriveTypeW
ExitThread
SetConsoleCtrlHandler
ExitProcess
LoadLibraryExW
InitializeCriticalSectionAndSpinCount
InterlockedFlushSList
RaiseException
RtlPcToFileHeader
RtlUnwindEx
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
SleepConditionVariableSRW
WakeAllConditionVariable
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
GetCPInfo
GetStringTypeW
DeleteFileW
HeapSize
WriteConsoleW
DecodePointer
RtlUnwind

user32

SetClipboardData
MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
DefWindowProcW
CallWindowProcW
SetWindowLongPtrW
GetSystemMetrics
GetWindowTextA
ClipCursor
ShowCursor
GetAsyncKeyState
MessageBoxA
GetMessageExtraInfo
ScreenToClient
GetCapture
ClientToScreen
TrackMouseEvent
GetKeyboardLayout
GetForegroundWindow
LoadCursorW
SetCapture
SetCursor
GetClientRect
IsWindowUnicode
ReleaseCapture
SetCursorPos
GetCursorPos
GetClipboardData
MapVirtualKeyW
GetKeyNameTextA
OpenClipboard
CloseClipboard
EmptyClipboard
GetKeyState

comdlg32

GetOpenFileNameW

shell32

ShellExecuteA

imm32

ImmSetCandidateWindow
ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext

d3dcompiler_47

D3DCompile

wininet

InternetQueryOptionW

bcrypt

BCryptGenRandom

normaliz

IdnToAscii
IdnToUnicode

crypt32

CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CertGetCertificateChain
CertOpenSystemStoreW
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CertFreeCertificateChainEngine
CryptStringToBinaryA
CertFreeCertificateChain

ws2_32

connect
closesocket
bind
accept
send
recv
WSASetLastError
getservbyname
getservbyport
gethostbyaddr
setsockopt
inet_addr
htons
htonl
WSAGetLastError
socket
WSAStartup
gethostbyname
select
ntohs
getsockopt
getsockname
ioctlsocket
shutdown
getpeername
recvfrom
sendto
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
listen
WSAEventSelect
WSAResetEvent
WSAWaitForMultipleEvents
WSAIoctl
__WSAFDIsSet
getaddrinfo
freeaddrinfo
gethostname
inet_ntoa
WSACleanup

advapi32

CryptGenRandom
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
CryptSignHashW
CryptEnumProvidersW
CryptAcquireContextA
CryptGetHashParam
CryptHashData
CryptImportKey
CryptEncrypt
CryptReleaseContext

Sections

.text
Size: 4.3MB - Virtual size: 4.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 160KB - Virtual size: 182KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 164KB - Virtual size: 164KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
asteroid-256-main/README.md
asteroid-256-main/selfess.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

750cbcf4427c99086fa6107ab089c94c

Headers

DLL Characteristics

File Characteristics

Imports

d3d11

wldap32

kernel32

user32

comdlg32

shell32

imm32

d3dcompiler_47

wininet

bcrypt

normaliz

crypt32

ws2_32

advapi32

Sections

.text Size: 4.3MB - Virtual size: 4.3MB

.rdata Size: 1.5MB - Virtual size: 1.5MB

.data Size: 160KB - Virtual size: 182KB

.pdata Size: 164KB - Virtual size: 164KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 47KB - Virtual size: 47KB

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 43KB - Virtual size: 42KB

.rsrc Size: 68KB - Virtual size: 67KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 4.3MB - Virtual size: 4.3MB

.rdata
Size: 1.5MB - Virtual size: 1.5MB

.data
Size: 160KB - Virtual size: 182KB

.pdata
Size: 164KB - Virtual size: 164KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 47KB - Virtual size: 47KB

.text
Size: 43KB - Virtual size: 42KB

.rsrc
Size: 68KB - Virtual size: 67KB

.reloc
Size: 512B - Virtual size: 12B