General
-
Target
Release.zip
-
Size
6.4MB
-
Sample
250215-lx32naxqhk
-
MD5
89661a9ff6de529497fec56a112bf75e
-
SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3
-
SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd
-
SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f
-
SSDEEP
196608:SYNI1S7C6S230UwVLW83FUSA7WQZzwM3/C2cM7m2:rNIs7CDvB1USA7WS/vcx2
Malware Config
Extracted
xenorat
localhost
testing 123123
-
delay
1000
-
install_path
nothingset
-
port
1234
-
startup_name
nothingset
Targets
-
-
Target
Release.zip
-
Size
6.4MB
-
MD5
89661a9ff6de529497fec56a112bf75e
-
SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3
-
SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd
-
SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f
-
SSDEEP
196608:SYNI1S7C6S230UwVLW83FUSA7WQZzwM3/C2cM7m2:rNIs7CDvB1USA7WS/vcx2
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
plugins/Chat.dll
-
Size
11KB
-
MD5
0e5695b84313f7ed7b86dbba80b0342a
-
SHA1
1db6a341dc01460c0c42690e42e2af2c57e53a4a
-
SHA256
fe7677898bda46cd4b88d779b83545c2741f047ba45a3b45cbf3e6912b5d0a14
-
SHA512
b8b67521ae69968bb5e0567a646b1b99fa8ec0db74fd7fc1e2482d036e775f7103163bcd2a6d6194d9e3e24efdd25bdcba35e1f76dadd79b01d762da8df28b58
-
SSDEEP
192:Xt5SEw0NmpdxSE2sECoxmTNny9+EUrcya8Vk3h:9EP0NmR+CoxmTNng+EPy1Vk3h
Score8/10-
Downloads MZ/PE file
-
-
-
Target
plugins/File manager.dll
-
Size
16KB
-
MD5
0746f23b790fd439980d155a75e6275b
-
SHA1
c851f8b269cb82ed1a1dab1dc106edd5e95b6d04
-
SHA256
fa08d4b54719f477eee7a7ce9d75dd84bc123e7f8b8546a1e2a394743fa319df
-
SHA512
2569ad1c09cfb478cfba3ca44276cea443de91a1e66181968388052f0d06cd8be497c5959c0863709d89ab380bcdb3edccfed4fa7207f16ec340474f45bb6bc9
-
SSDEEP
384:AAlqtn09rDgrPhQJBLjQ2z0A7VBvBGQEwZmya1HGrJxEKNX:f52qHMe0A7Vlo331mrJbNX
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
plugins/Fun.dll
-
Size
10KB
-
MD5
b7c76350514a33374f4597d219d9fec1
-
SHA1
f29cad3c62c7c827b1c46a412b842c71ad8f7fe3
-
SHA256
cbf43a078e26e01184b89bb54f0469291946061426fbcf0ecaf6c205bd898812
-
SHA512
a9c7fd686d73987de75103e772471c084a2913a5087fe827763ac01ec5960abac77d00409ba8cabbea0260c27561975a1519392a845f4dcb842c3e02d1ccf202
-
SSDEEP
192:mySQnh/1lrzXHfvzHfR8B+E9E1gdZ9ONBh6:mpQnh/rnXHfvLfSt9E1+O3h6
Score3/10 -
-
-
Target
plugins/Hvnc.dll
-
Size
44KB
-
MD5
5353c15bee04dcac54f80dd7d5660b21
-
SHA1
2663966150926b2528e4f04913b97bfd7ef988b7
-
SHA256
b029348ff669a2ec5f042376f0b31049688437c7b6ce1d7c36fb7f03d4224932
-
SHA512
3a1ec391fd8e7008d6398078007d0eab071c2b563cd05bd0e3228e3b73e775ec2504b39c81989a3d928c5a6afc1797ae76dd3079ba1515f60813f9b34e7ac9f9
-
SSDEEP
768:x6WH72TsRqvj62N0MPVxKVgr3TcJoQ8je8WHJiCVg5t3l8hpo31e5TtOR6iKPeyH:0WH7b2N0kVQVgrjcaQ8je8iJ3ot1cmaZ
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
plugins/InfoGrab.dll
-
Size
971KB
-
MD5
86bf07899c4e9764b0752713fe6f12c9
-
SHA1
813924938e367a361c1145ce135e078967d7903e
-
SHA256
11a09734dc3a412ef8130a65a0c06b1ccfc24673d818959cfe50f6b462e33d67
-
SHA512
bb0ca1445b0215ca3bb85defea6fc902618218be04ce006565753c13e3fb3cf786d8dc0fcbe4f77443be28feefe8331e710d895ae8e0b20455b15e7a8bb94578
-
SSDEEP
24576:GOGlTjiaeAeOTKAzbARntW+hZxCNqbo6RVX8sa6AtWZl2cFkN:GOGNjiSZTKAzkltDhTCcVX8saTtWycO
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
plugins/KeyLogger.dll
-
Size
12KB
-
MD5
1e8ff2a86962488515380c6a27a775c3
-
SHA1
39e1f2f4f9e113e7657abc4adafc8fbd0a5ad016
-
SHA256
cb199fb2fee33300cea0f9b30ad0d3287206c4b1fe380eaa4fa7040b184510a5
-
SHA512
b50ba227037580e1d68eb4ca9a4a751739152716b9e11e2b2b8e6ca0254f043a76e58d3a7e4b790c3cfb46fa1b6676bd74285b6801f1f0c0d00565c4f78f7168
-
SSDEEP
192:Wv+i+cBHIDQkHTvckioy8p4Wbj5Lg3iZEYiRL9eT0pqfAp0FSkiXHB3K:Wv+ifODQkHTvBi8Rbj5zEYiR9eT0pqf7
Score8/10-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
plugins/KeyLoggerOffline.dll
-
Size
22KB
-
MD5
4cf2a22b5fefa18e2ab36a1d73f79833
-
SHA1
eb38e955e34998235040da965979e09d5d88df6d
-
SHA256
3414c471c425ab070896e77df290debd5708748d02cd48952c69133795b4abe1
-
SHA512
0ad3666f9f6b942be9c48cf9d24660faa0b5aa3184e08d9c1b9414220b60cbbfab19c8a082f72c79949edc3ca1b446e53d0f1452e569f531b90ca768f0550161
-
SSDEEP
384:tgqiSBJEMs8uohRFeD4nws5lGHEKVUQlDUqajk7oHVEzipi9eT0pqfAp0FSFzJDJ:acYJn6lGkiHlDF/oHBoz9JDVz
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
plugins/LiveMicrophone.dll
-
Size
494KB
-
MD5
afb916213f3419be21a061b782793c6e
-
SHA1
6625e390d96820483db6fc9efba739456a0f2fe1
-
SHA256
77a9318b937fbc733f5a53c12ce1cbc57aa49504840da6e33f34a1750879a8f5
-
SHA512
253ca98f2a6b351f2a28f38a18a34ecb7583dee5895fac871cdc0f08dce51a04fec9e684d0a459b147ae6588c67c7c841b6bb32f510c529ddcc3460e45ab9d98
-
SSDEEP
6144:S7E2hItIqKU1zPf7sQwd4h4dY2S/rfWTEFB44PjrKkpArI9ZQf9yZ86DyXLmqwH5:SjHUlxd2STf44PjrKWYmVn6D0
Score3/10 -
-
-
Target
plugins/ProcessManager.dll
-
Size
17KB
-
MD5
4dac21b4f2984931b9710ca50329023a
-
SHA1
e92c1284f58e2cf339340ff5496f94f9183f127c
-
SHA256
8bca46a92123f0435b98174d0d1182016811905c7cae6199176d1d3e94605e67
-
SHA512
36b9c7c23ebf21fc6523ca309d49966c06eba488cb7ba807f496c9effaff7e31ed8e166cab8392352b7efea3dac748af69c5de0b5cf9275fbc0616c0a75af1a9
-
SSDEEP
384:GOQdVyeIdKbl512kg3EHEeGdhCaXJbuLUSJZAnVb:GXIeIdKbsEZaZyw
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
plugins/Registry Manager.dll
-
Size
12KB
-
MD5
70bfb60e65f7fbf9fbcee5c8aaa3fce7
-
SHA1
da65c59851dfe52e22ceaf3498a516edb80510ef
-
SHA256
684e07c2cca9deddb34b52e791aaa43a223d31b31a06489ab22cf79090504000
-
SHA512
bd2280d7fe342597f2177c37d836c7d40102cf9892cd54ecc07405f88488c1335d7ba0dc489860106825de98a133bf040420b79bef5b97a848fd11f81ba2c143
-
SSDEEP
192:fQ/AstzyaRFzlMXR5DfXXb5BCOrv6qOBPEUbqfINBt:IVZFzlMXRFXCGEBPEUxp
Score8/10-
Downloads MZ/PE file
-
-
-
Target
plugins/ReverseProxy.dll
-
Size
14KB
-
MD5
039d1f0dc21cd752cac608434b205e3c
-
SHA1
baacefeda4cbfd8e6adda01f25f2f52059805d76
-
SHA256
c1b7f81f0d40e4ed6f31235f502792e1ae2c2866254bd492b302498377f0aac8
-
SHA512
4c2211a4d7b4110b3ba6f71105781140436ac57d1b191ef9a22d8adb37ba0fa1c2513fa28a336b29a62b7aaa7cad2295115da8e76fbf6da230cd25e9b1cb8383
-
SSDEEP
384:3ar3GmyvRMMCYLopROCM0jo/s1Vaxy5xa1EVALLPO6:3ar3GFJJ0pROCM0tVKOa+6PO6
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
plugins/ScreenControl.dll
-
Size
14KB
-
MD5
e402280a434814fd9eecb5077b8aac62
-
SHA1
d120c97cef608e9f234b4d08a62d1cf7d45e5b50
-
SHA256
d692123e16293f2d41a16e1811ae090324a3f611b694820888008ec6102fae54
-
SHA512
8f0725702b21afd56a2631ced5d999ac04c5935f3bc6c637a97af4d3d648cc9a51231a87706e64708ef9ae33e51a3edcd1ae3bcafe6d0009a8cccaa2f3a13cc4
-
SSDEEP
192:ZdOAWZMcRZ+U5FMvZwzUgJKaJqj2MSglwloMWxqR0Zr2v/BmqRPEZDxI6:ZdsKW+sqacj2MSgLxTZr2v/U4ELv
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
-
-
Target
plugins/Shell.dll
-
Size
9KB
-
MD5
5e3e4438045c426410122210759cc0c8
-
SHA1
c7858413c6b724135afeb1f878f986b0ae1bfa46
-
SHA256
81bb6bed470afa97db39d7048dd8d9b7c7786fe8297f51390b5c83b450cdb5e0
-
SHA512
d0a656048deaab2916bd98f5205bda41686891eff65ee7608117157e4f04ee22dfcd8b9bdccbce1bdd065a1573229c3996122b907a303b8494ad7b730fe5d929
-
SSDEEP
96:25ATBzB7uwBHfse4hDjl2KQ1dndjVvIibvibKh0c9v5g+m2rwBGbEbrxtZfvPn2k:25kFDMlor1ZT5guvbEJtZ/2WYC
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
plugins/Startup.dll
-
Size
6KB
-
MD5
d66568e2fd174b6cc4f5aa10d9ab9ec6
-
SHA1
8ae0f67d073d642c4ccb879d48f71dd39f167ed6
-
SHA256
b82d8d11aece746a4202730eaa361501e4e505d6456f110b6bbd0a42f2b8ec0b
-
SHA512
48b01dfeeb01b2eb103cb93834769a89de79f5b4d9bc8b3b255bfdf4b35f7e02abf0ecab0949d008d3c5b9d004101014befc6d509cd747850c072cefc369ef04
-
SSDEEP
96:02Y9OJCE5Bdx2dix/BKsa7kh+qxH5Bxhj+0p66ljIzKtMy1MOgM03M:rXfOO7V+0pDlj2S
Score8/10-
Downloads MZ/PE file
-
-
-
Target
plugins/SystemPower.dll
-
Size
6KB
-
MD5
b1aca76ee8c1d3fec6edd3a31f9728d8
-
SHA1
859338c0a542697338cb72e7b2f07faf9b9fce2c
-
SHA256
b01ab0fa54986d58b4665492639dbf16ae22e8ab868678ecb0411f06791d8c2f
-
SHA512
83bba2d5f6826fb614f16f25411ca83a2207a18e4992e9f785efec3383a5461d861cfa1e080e1e3f3a1c69c93b3b237ca9c0c2641c276ab074aaf98ce340cc04
-
SSDEEP
48:6D8vMrTBK/pal72gw2wS43qLirMZAxW52Qivmd4M2UP+o1nEGh+4PJ6xnckqtts9:Jah2ZSlNWxW5BxZP+UEL4lksUil8
Score3/10 -
-
-
Target
plugins/Uacbypass.dll
-
Size
18KB
-
MD5
d1d9aef0ed8093ff1ed157bb4af3652c
-
SHA1
f42c6258e2ade01d14fe4fce4d51cd0b05569417
-
SHA256
7c67304b2c4911b9a394604d92e7dfd48286f6aee89c81ddd96c922ad67a0a65
-
SHA512
eab2b498c602105a158d7e167ea0929efadd488328f0cdaf43f65a87430f333c5aae74473f4b4652a21107b3056aea7f3d472098a0fa2cae32d6f687a7ecde10
-
SSDEEP
384:AeI8KomqLwYgwQ+wpGT1FpAZ4tpnt3sGXbbveqiMZ2eiEB487XK:PfE4jtc2bbvZQAB4oa
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
plugins/WebCam.dll
-
Size
43KB
-
MD5
c554ddb5db3ac1539d9ab7de049b8486
-
SHA1
050e77b2d762be186960cd4f4f2b1e476fd268a2
-
SHA256
3188c001ab60a37ca350093f7b53ebd01cb24950ed5b68331f5ff19ee28fc416
-
SHA512
f0a372740ee090a91e74d57760f459cc4022adadb421eaa6c6d285860e4288d13d5435d7f575175e8f9ca77819cd833509070124d6f7d121e7708877e579d3ef
-
SSDEEP
768:owsh76M4keW4Jon9Y5S3WlbGWFDKyUkbmPSIUdn+ybRuIZ:nshj4kuJe9YrB55JIUdn+yXZ
Score8/10-
Downloads MZ/PE file
-
-
-
Target
stub/xeno rat client.exe
-
Size
46KB
-
MD5
d23d8120af87a615a456a12b43d4a98a
-
SHA1
73b41123d6f50aecdcf1c5e87a7d0319d753b0e7
-
SHA256
27178a08e0d8fb6e5e31ae9bff6194a5224406666fa1f528d4719c1e4a8efd67
-
SHA512
99026704fef97f9f9c01348310f199ad523851e105c7ea1f39312c7370cb6e50af5044fec1041298b96b6e661ac5f48d6af80687e21364806e62738d198ad319
-
SSDEEP
768:Ddqf04XKojwYybbZWsiBHUuOkU7cK9F9km3XNZ5SbTDay6t22:D4z0z3ZWsiBHUuY79kmz5SbTL6B
Score10/10-
Detect XenoRat Payload
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
xeno rat server.exe
-
Size
2.0MB
-
MD5
3987ee127f2a2cf8a29573d4e111a8e8
-
SHA1
fc253131e832297967f93190217f0ce403e38cb0
-
SHA256
3d00a800474ddf382212e003222805bd74665b69cec43b554f91c3cd9edf04c4
-
SHA512
69d5ac7a691dde1a3ed7f495e9b9180e63152ddaaa3d1b596ad9cbeb4d7b088f3fc4b138ecf87070014cdfa9047be18940b720de60642389921a10053250787b
-
SSDEEP
49152:EnxkNTRWjxoJochWQI3kqXfd+/9AManGhR0vNgtIeGWtOc5Q:ExkNTcaJhDI3kqXf0FtWykQDCiQ
Score8/10-
Downloads MZ/PE file
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1