xenorat | 4bfcbf7c067e045768fac4a003c1407323b764203bd00996ad466e0b3bb48fdd

General

Target

fwasdadf.exe
Size

45KB
MD5

139d4348e095c96585fb1568a1269cb4
SHA1

f6969aeac79443076c2c807e9e135d79061e39ec
SHA256

4bfcbf7c067e045768fac4a003c1407323b764203bd00996ad466e0b3bb48fdd
SHA512

becffa3abb05037eeea52e1b7defd3696170779893e787330d7ec14e5ece87a057ff9504c239fd99c3cfc4ae7ecdc765d24ce31385dc862ec5adfd50f5065b01
SSDEEP

768:5dhO/poiiUcjlJIn4JH9Xqk5nWEZ5SbTDalvWI7CPW5P:3w+jjgnAH9XqcnW85SbTQWI3

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

128.78.132.78

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
temp
port
4444
startup_name
Efi spoofer auto spoof

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3248-1-0x00000000002A0000-0x00000000002B2000-memory.dmp	family_xenorat
behavioral2/files/0x0007000000023cb0-6.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fwasdadf.exe

Executes dropped EXE 1 IoCs

pid	Process
1260	fwasdadf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwasdadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwasdadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4844	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 1260	3248	fwasdadf.exe	82
PID 3248 wrote to memory of 1260	3248	fwasdadf.exe	82
PID 3248 wrote to memory of 1260	3248	fwasdadf.exe	82
PID 1260 wrote to memory of 4844	1260	fwasdadf.exe	85
PID 1260 wrote to memory of 4844	1260	fwasdadf.exe	85
PID 1260 wrote to memory of 4844	1260	fwasdadf.exe	85

C:\Users\Admin\AppData\Local\Temp\fwasdadf.exe
"C:\Users\Admin\AppData\Local\Temp\fwasdadf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Local\Temp\XenoManager\fwasdadf.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\fwasdadf.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Efi spoofer auto spoof" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD021.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fwasdadf.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoManager\fwasdadf.exe

Filesize
45KB

MD5
139d4348e095c96585fb1568a1269cb4

SHA1
f6969aeac79443076c2c807e9e135d79061e39ec

SHA256
4bfcbf7c067e045768fac4a003c1407323b764203bd00996ad466e0b3bb48fdd

SHA512
becffa3abb05037eeea52e1b7defd3696170779893e787330d7ec14e5ece87a057ff9504c239fd99c3cfc4ae7ecdc765d24ce31385dc862ec5adfd50f5065b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD021.tmp

Filesize
1KB

MD5
ff0b3486d9d289d9e8f14b2792b634d6

SHA1
85e5dc5b2de5c8b638b599fb0cc82e8e9ead53df

SHA256
cae5895e7637b17c235affd7db10ae9ed1ab3354dbf5ae581b86f225c8265d4f

SHA512
5a1b5e68715aadfb42303b99a4c5887bcc0c8e9596ac87b1fadecb274746f9c768d7c5ecf650e742f5bc9a517acb7c1e95487940c30d48e8ea54df868a7c2d9d

Download Submit
memory/1260-15-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/1260-18-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/1260-19-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/3248-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/3248-1-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads