xenorat | NexusAPI[.]exe | Triage

Sharing

General

Target

NexusAPI.exe
Size

218KB
MD5

f84f2262fe9b85b3c4cd5580e08aad00
SHA1

5d4f6dadafbdab7d5c58a6532424e568701f3425
SHA256

379a51d059e6decbc5925b87fee09e5376254a57842417ed3eae53ab85d4caa0
SHA512

4642ee4f9376d74b7612d280ccdcaae9a9aa55a84edeff69af0a0ef92a7ce0b60b00f122b98d2ddb4f6558116442c7b5d2aefd496a295af0e075e90731c4421f
SSDEEP

3072:Pc9z4rQfwN8zMLrAFbEt68OU5kbN0iDaKgx:PTa4LAbF8L5kHOKg

Score

10^/10

xenorat

Malware Config

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
sample	family_xenorat

Xenorat family
xenorat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
NexusAPI.exe

Files

NexusAPI.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 175KB - Virtual size: 174KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ