Overview

overview

10

Static

static

10

fwasdadf.exe

windows7-x64

10

fwasdadf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-01-2025 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fwasdadf.exe

  • Size

    45KB

  • MD5

    139d4348e095c96585fb1568a1269cb4

  • SHA1

    f6969aeac79443076c2c807e9e135d79061e39ec

  • SHA256

    4bfcbf7c067e045768fac4a003c1407323b764203bd00996ad466e0b3bb48fdd

  • SHA512

    becffa3abb05037eeea52e1b7defd3696170779893e787330d7ec14e5ece87a057ff9504c239fd99c3cfc4ae7ecdc765d24ce31385dc862ec5adfd50f5065b01

  • SSDEEP

    768:5dhO/poiiUcjlJIn4JH9Xqk5nWEZ5SbTDalvWI7CPW5P:3w+jjgnAH9XqcnW85SbTQWI3

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

128.78.132.78

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4444

  • startup_name

    Efi spoofer auto spoof

Signatures

  • Detect XenoRat Payload 3 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fwasdadf.exe
    "C:\Users\Admin\AppData\Local\Temp\fwasdadf.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\fwasdadf.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\fwasdadf.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:288
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Efi spoofer auto spoof" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D39.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2572
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9D39.tmp
    Filesize

    1KB

    MD5

    ff0b3486d9d289d9e8f14b2792b634d6

    SHA1

    85e5dc5b2de5c8b638b599fb0cc82e8e9ead53df

    SHA256

    cae5895e7637b17c235affd7db10ae9ed1ab3354dbf5ae581b86f225c8265d4f

    SHA512

    5a1b5e68715aadfb42303b99a4c5887bcc0c8e9596ac87b1fadecb274746f9c768d7c5ecf650e742f5bc9a517acb7c1e95487940c30d48e8ea54df868a7c2d9d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\XenoManager\fwasdadf.exe
    Filesize

    45KB

    MD5

    139d4348e095c96585fb1568a1269cb4

    SHA1

    f6969aeac79443076c2c807e9e135d79061e39ec

    SHA256

    4bfcbf7c067e045768fac4a003c1407323b764203bd00996ad466e0b3bb48fdd

    SHA512

    becffa3abb05037eeea52e1b7defd3696170779893e787330d7ec14e5ece87a057ff9504c239fd99c3cfc4ae7ecdc765d24ce31385dc862ec5adfd50f5065b01

    Download Submit

  • memory/288-13-0x0000000072F50000-0x000000007363E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/288-9-0x0000000072F5E000-0x0000000072F5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/288-10-0x0000000000900000-0x0000000000912000-memory.dmp

    Filesize

    72KB

    Download

  • memory/288-14-0x0000000072F5E000-0x0000000072F5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/288-15-0x0000000072F50000-0x000000007363E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2384-1-0x00000000000D0000-0x00000000000E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2384-0-0x00000000740DE000-0x00000000740DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2712-16-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2712-17-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2712-18-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2712-19-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download