xenorat | nai[.]exe | Triage

Sharing

General

Target

nai.exe
Size

45KB
MD5

4cbfc61732f67fdd690ff9d578af8f14
SHA1

dcb062b56bbe4b9660f4a07e3d7f59a92f6bf3d3
SHA256

fa4f97a38443e919cba50e6fe7cf121f4b69305b57eedca93128f016ff289a0f
SHA512

768f53ea46ca839fa2f6ddad154d4b0a1c0de3b1c926cfdb986f8790086c92e1de3366796345623195a643a3cf3c9743b5d9990e02c8d736c1a85b76eb225408
SSDEEP

768:bdhO/poiiUcjlJInvvH9Xqk5nWEZ5SbTDaJWI7CPW5R:Jw+jjgn3H9XqcnW85SbTAWIJ

Score

10^/10

xenorat

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
sample	family_xenorat

Xenorat family
xenorat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
nai.exe

Files

nai.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ