xenorat | 9df32d691dc6483d47b40e6154aeff36f0acdc009c07b4af48618c4fb6b21b9f

General

Target

KQlljCB.exe
Size

499KB
MD5

7289b991c37d058b2e69b3983f75d122
SHA1

b89acc7669c5e84c1e5e9bcf0822df8803f10e43
SHA256

9df32d691dc6483d47b40e6154aeff36f0acdc009c07b4af48618c4fb6b21b9f
SHA512

958e5ba3326d01653d5218f578c909012d4a26d0bad7a467569395a080d5531103c92cd55cf049daa491826ea371dc3cc665560dcab127b6e38c9e399359a60c
SSDEEP

12288:d7Wnj4mpB/33bxyy0vyJ2qiJSUINUpqag73a3Bkl:tyjVn/3LxavmzsINUpvg7

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

196.251.87.37

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
temp
port
4782
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral2/memory/916-0-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
59	112	Process not Found

Executes dropped EXE 1 IoCs

pid	Process
8	msbuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 916	5052	KQlljCB.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3940	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 916	5052	KQlljCB.exe	88
PID 5052 wrote to memory of 916	5052	KQlljCB.exe	88
PID 5052 wrote to memory of 916	5052	KQlljCB.exe	88
PID 5052 wrote to memory of 916	5052	KQlljCB.exe	88
PID 5052 wrote to memory of 916	5052	KQlljCB.exe	88
PID 5052 wrote to memory of 916	5052	KQlljCB.exe	88
PID 5052 wrote to memory of 916	5052	KQlljCB.exe	88
PID 5052 wrote to memory of 916	5052	KQlljCB.exe	88
PID 916 wrote to memory of 8	916	msbuild.exe	89
PID 916 wrote to memory of 8	916	msbuild.exe	89
PID 916 wrote to memory of 8	916	msbuild.exe	89

C:\Users\Admin\AppData\Local\Temp\KQlljCB.exe
"C:\Users\Admin\AppData\Local\Temp\KQlljCB.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\msbuild.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\msbuild.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:8

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjEzQjBEN0EtNzE4OS00NTRBLTk4NjUtNUMwNzY2ODlFN0Y5fSIgdXNlcmlkPSJ7M0JBMTk3QjgtREREMi00RTY0LTk1MjItNEM3MUVDRjkxRjY1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NUQ2OTJEQkUtREE1RC00QzcxLUI1QjUtRkY0QjA0QkNENzcwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI3IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTU1Nzk0MzgxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msbuild.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoManager\msbuild.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
memory/8-15-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/8-16-0x0000000000B50000-0x0000000000B6A000-memory.dmp

Filesize
104KB

Download
memory/8-17-0x0000000004B20000-0x0000000004C7A000-memory.dmp

Filesize
1.4MB

Download
memory/8-18-0x00000000739C0000-0x0000000074170000-memory.dmp

Filesize
7.7MB

Download
memory/8-19-0x00000000739C0000-0x0000000074170000-memory.dmp

Filesize
7.7MB

Download
memory/916-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/916-1-0x00000000739CE000-0x00000000739CF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing