General

  • Target

    544f68f90157e53fb81a864b1aa1b30a91a7e297062cc33b9194d2d83ab124e7.exe

  • Size

    46KB

  • Sample

    250128-gy24jazpbj

  • MD5

    9ce983782ef6449547057837fbf28149

  • SHA1

    95efe91de8f9e7ddb866efc015906a1f498f8c53

  • SHA256

    544f68f90157e53fb81a864b1aa1b30a91a7e297062cc33b9194d2d83ab124e7

  • SHA512

    6ffd8563bc5ce87882fc835d2c753c673b4f178deb8815ec32f168c8d6344f4457d8d09aba41b1d2ddfc204257f5c29359a79525726490183bfd50cc435e84e8

  • SSDEEP

    768:PdhO/poiiUcjlJInbTH9Xqk5nWEZ5SbTDaNuI7CPW5A:Fw+jjgnnH9XqcnW85SbTIuIY

Malware Config

Extracted

Family

xenorat

C2

roblox.airdns.org

Mutex

Microsoft_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    62604

  • startup_name

    Runtime Broker.

Targets

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks