General

  • Target

    ruleaza.exe

  • Size

    60KB

  • Sample

    241215-p8zedsvkhx

  • MD5

    bc8dd3bc1e1c0dc28e40898a6cb1e8d4

  • SHA1

    873efbf4b0461a252eb88b61113511211cfe4b4c

  • SHA256

    4154a155effa00a21a92bc505e79d666227a04a572dcd3f0a1c09ad99d9bb1ed

  • SHA512

    f61e8c0dbce599e5af66403a249269b27a950263aa22059962bedd171eb199540f5e72258b29bf150dbf0a5ec54b2db3c86a670d367658fde2874c141cf638b4

  • SSDEEP

    768:pdhO/poiiUcjlJInLVH9Xqk5nWEZ5SbTDaLuI7CPW5WdxelsWNRPZ:nw+jjgnxH9XqcnW85SbTGuIZtNRZ

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4782

  • startup_name

    niggas

Targets

    • Target

      ruleaza.exe

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL
