Overview

overview

10

Static

static

10

eulen.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    75s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2025 23:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eulen.exe

  • Size

    74KB

  • MD5

    3844571d2d25e1112db4d525422f8ad2

  • SHA1

    3ee0f8874270f73c417a2a56e506a49b850cef8e

  • SHA256

    c4c21224b91351cbd943ca77e14c1c458815104ab9ffa5d252615d75e736f725

  • SHA512

    fd0ac668e7f85b5bba70bc01db2ae4c63b85519ad8059aaec4142be92ea4642d242fc6fea4fc78bc4cf36b1b67ec4e4564c8effaab6987042acb738187179705

  • SSDEEP

    1536:Tw+jjgn2yH9XqcnW85SbTBqWIy8+Qlr6SYCmQqy15X:Tw+jq2s91UbTBqH+Q4wqy15X

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

147.185.221.25

Mutex

Eulen

Attributes
  • delay

    1

  • install_path

    temp

  • port

    18889

  • startup_name

    Update

Signatures

  • Detect XenoRat Payload 2 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eulen.exe
    "C:\Users\Admin\AppData\Local\Temp\eulen.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\eulen.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\eulen.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Update" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80F7.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3892
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2672
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1528

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eulen.exe.log
      Filesize

      226B

      MD5

      916851e072fbabc4796d8916c5131092

      SHA1

      d48a602229a690c512d5fdaf4c8d77547a88e7a2

      SHA256

      7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

      SHA512

      07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XenoManager\eulen.exe
      Filesize

      74KB

      MD5

      3844571d2d25e1112db4d525422f8ad2

      SHA1

      3ee0f8874270f73c417a2a56e506a49b850cef8e

      SHA256

      c4c21224b91351cbd943ca77e14c1c458815104ab9ffa5d252615d75e736f725

      SHA512

      fd0ac668e7f85b5bba70bc01db2ae4c63b85519ad8059aaec4142be92ea4642d242fc6fea4fc78bc4cf36b1b67ec4e4564c8effaab6987042acb738187179705

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp80F7.tmp
      Filesize

      1KB

      MD5

      89dc616a1bd6468611d1519a7a59cc6a

      SHA1

      ad4a7de6aa7c8b03f4b900ca306c8885f44adf58

      SHA256

      c98cf4e9c0641617e4df28ce0a0f294939fa0027c14d18d6952d1c6a5f84282c

      SHA512

      b1e39c66cfac7da9b2adb1051e4b64f8ae0f2f35cddcb5e0852ae0e9d6448ecde519a466e4a229669c1de7bf49c4ff3ad59fbbe0b370ad908e7d31b3141ef017

      Download Submit

    • memory/32-1-0x00000000008F0000-0x0000000000908000-memory.dmp

      Filesize

      96KB

      Download

    • memory/32-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1164-33-0x0000000074BF0000-0x00000000753A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1164-16-0x0000000074BF0000-0x00000000753A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1164-17-0x0000000074BF0000-0x00000000753A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1164-19-0x0000000074BF0000-0x00000000753A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2672-20-0x0000016A4ED30000-0x0000016A4ED31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-21-0x0000016A4ED30000-0x0000016A4ED31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-28-0x0000016A4ED30000-0x0000016A4ED31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-32-0x0000016A4ED30000-0x0000016A4ED31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-31-0x0000016A4ED30000-0x0000016A4ED31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-30-0x0000016A4ED30000-0x0000016A4ED31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-29-0x0000016A4ED30000-0x0000016A4ED31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-27-0x0000016A4ED30000-0x0000016A4ED31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-26-0x0000016A4ED30000-0x0000016A4ED31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-22-0x0000016A4ED30000-0x0000016A4ED31000-memory.dmp

      Filesize

      4KB

      Download