General

  • Target: dasdwasd.exe
  • Size: 45KB
  • Sample: 241219-tpmzgavpct
  • MD5: 7c0981b33bb05e403e6dafbfb15f245e
  • SHA1: 0d85fd3a8c5de8bce1e9e5595d2882491cab3e51
  • SHA256: d54bd79976a9cfef49e8ae530437fd657e3c2125623b8c26049f95a77da9b0ea
  • SHA512: bb57ef8f6489b4fe0c2f8f02d2fde38c5398c80296af53c2c34909e02a5a0e042dcd22d0a08c36b40c4e5816cb5334b55e802e67a8cb699df25a183b435dd96a
  • SSDEEP: 768:xdhO/poiiUcjlJInlzH9Xqk5nWEZ5SbTDaYWI7CPW5V:vw+jjgndH9XqcnW85SbTZWId

Malware Config

Extracted

  • Family: xenorat
  • C2: 192.168.1.129
  • Mutex: MERRYCHEESEMAS
  • Attributes
      • delay: 5000
      • install_path: appdata
      • port: 8888
      • startup_name: Windows

Targets

    • Target: dasdwasd.exe

    • Detect XenoRat Payload
    • XenoRat: XenoRat is a remote access trojan written in C#.
    • Xenorat family
    • Checks computer location settings: looks up the country code configured in the registry, likely used as a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
