xenorat | 4b464a4f2349980f053288514e7e25b20319cf7655576f702def8bbf1a6e49af

General

Target

xeno cheat.exe
Size

45KB
MD5

724a1a11d4fe58feafde5ea5d5cb0ee7
SHA1

4c6a67d87338ff6060ad83d84e78c4e4e4ed044d
SHA256

4b464a4f2349980f053288514e7e25b20319cf7655576f702def8bbf1a6e49af
SHA512

0b486edf69b4715a92eb887086a9161fb98ab06c5aabd7a33fa4bc42077f70d5ce7e1cc8f38ee8de734541309fbf1c5d15204566b62e6279fa9b7ed7b41a82fd
SSDEEP

768:+dhO/poiiUcjlJInUkiH9Xqk5nWEZ5SbTDamWI7CPW5X:Iw+jjgngH9XqcnW85SbTfWIf

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

xeno_cheat

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2836-1-0x0000000000640000-0x0000000000652000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3976	MicrosoftEdgeUpdate.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3680	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 3680	2836	xeno cheat.exe	85
PID 2836 wrote to memory of 3680	2836	xeno cheat.exe	85
PID 2836 wrote to memory of 3680	2836	xeno cheat.exe	85

C:\Users\Admin\AppData\Local\Temp\xeno cheat.exe
"C:\Users\Admin\AppData\Local\Temp\xeno cheat.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC294.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3680

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDA2NjI2NzYtRDc1MC00RjkzLUJCRTYtMzNGRTBGODNEQkMxfSIgdXNlcmlkPSJ7NDBEMTg3NTUtRDJBNi00MDkxLUI0MDMtNjUzRkRFNjY2NTYxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjBBMTY1NzktRTYwRC00NDM5LUE2OEQtMjcxRjBFQkJBNDBGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjQ3NDI2MzE3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC294.tmp

Filesize
1KB

MD5
2b0036a4e98783edb6ce787ea303230b

SHA1
d15cbbe5d8fa46fe81826fd29baf1359d3f5bf99

SHA256
d5c94ef52af094f435620583487e70461ef6c41c45bf7b42287f4a93e246bb3f

SHA512
b0f5dc630e335b5aff0fd0d81273cc1585fdccdee4faf7fb509ca67ab4229845f5eaf0797861d031bbdb3041b869e78d7b593544091309c49b25f17ace575560

Download Submit
memory/2836-0-0x000000007396E000-0x000000007396F000-memory.dmp

Filesize
4KB

Download
memory/2836-1-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2836-2-0x0000000073960000-0x0000000074110000-memory.dmp

Filesize
7.7MB

Download
memory/2836-5-0x000000007396E000-0x000000007396F000-memory.dmp

Filesize
4KB

Download
memory/2836-6-0x0000000073960000-0x0000000074110000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads