xenorat | 8db64fb78d54b15b0648d454b3678b0200431114cb1058d70f4783278b7feb70 | Triage

Sharing

General

Target

SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
Size

159KB
Sample

250210-xkxjwsskgz
MD5

6159b2025a32b10d721f03c7141577d8
SHA1

829beb712c7ad268f05865bc982d9db519079433
SHA256

8db64fb78d54b15b0648d454b3678b0200431114cb1058d70f4783278b7feb70
SHA512

b6fd30a5c76d40b0949a34de2dba060bc915ccc0dc6fcc0b8050da9a064ff0f8c487cac4b1fa7b16d545c4c31d77f4a9aedb3997e17e96e3af60b724d60cfa22
SSDEEP

3072:EahKyd2n31zf5GWp1icKAArDZz4N9GhbkrNEk1QOwgT:EahOzp0yN90QEOwc

Score

10^/10

xenorat discovery execution persistence rat trojan

Malware Config

Extracted

Family

xenorat

C2

failed2.myftp.org

Mutex

Winsock2Mutex

Attributes

delay
5000
install_path
appdata
port
4782
startup_name
start.exe

Targets

- Target
  
  SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
- Size
  
  159KB
- MD5
  
  6159b2025a32b10d721f03c7141577d8
- SHA1
  
  829beb712c7ad268f05865bc982d9db519079433
- SHA256
  
  8db64fb78d54b15b0648d454b3678b0200431114cb1058d70f4783278b7feb70
- SHA512
  
  b6fd30a5c76d40b0949a34de2dba060bc915ccc0dc6fcc0b8050da9a064ff0f8c487cac4b1fa7b16d545c4c31d77f4a9aedb3997e17e96e3af60b724d60cfa22
- SSDEEP
  
  3072:EahKyd2n31zf5GWp1icKAArDZz4N9GhbkrNEk1QOwgT:EahOzp0yN90QEOwc
Score

10^/10

xenorat discovery execution persistence rat trojan
- Detect XenoRat Payload
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratdiscoveryexecutionpersistencerattrojan