xenorat | 379a51d059e6decbc5925b87fee09e5376254a57842417ed3eae53ab85d4caa0

Analysis

max time kernel
125s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-02-2025 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NexusAPI.exe
Size

218KB
MD5

f84f2262fe9b85b3c4cd5580e08aad00
SHA1

5d4f6dadafbdab7d5c58a6532424e568701f3425
SHA256

379a51d059e6decbc5925b87fee09e5376254a57842417ed3eae53ab85d4caa0
SHA512

4642ee4f9376d74b7612d280ccdcaae9a9aa55a84edeff69af0a0ef92a7ce0b60b00f122b98d2ddb4f6558116442c7b5d2aefd496a295af0e075e90731c4421f
SSDEEP

3072:Pc9z4rQfwN8zMLrAFbEt68OU5kbN0iDaKgx:PTa4LAbF8L5kHOKg

Score

10^/10

xenorat discovery rat trojan

Malware Config

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2680-1-0x0000000000A00000-0x0000000000A3C000-memory.dmp	family_xenorat
behavioral1/files/0x0007000000019423-4.dat	family_xenorat
behavioral1/memory/2944-9-0x0000000001360000-0x000000000139C000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 1 IoCs

pid	Process
2944	NexusAPI.exe

Loads dropped DLL 1 IoCs

pid	Process
2680	NexusAPI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NexusAPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NexusAPI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2944	2680	NexusAPI.exe	31
PID 2680 wrote to memory of 2944	2680	NexusAPI.exe	31
PID 2680 wrote to memory of 2944	2680	NexusAPI.exe	31
PID 2680 wrote to memory of 2944	2680	NexusAPI.exe	31

C:\Users\Admin\AppData\Local\Temp\NexusAPI.exe
"C:\Users\Admin\AppData\Local\Temp\NexusAPI.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\XenoManager\NexusAPI.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\NexusAPI.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\XenoManager\NexusAPI.exe

Filesize
218KB

MD5
f84f2262fe9b85b3c4cd5580e08aad00

SHA1
5d4f6dadafbdab7d5c58a6532424e568701f3425

SHA256
379a51d059e6decbc5925b87fee09e5376254a57842417ed3eae53ab85d4caa0

SHA512
4642ee4f9376d74b7612d280ccdcaae9a9aa55a84edeff69af0a0ef92a7ce0b60b00f122b98d2ddb4f6558116442c7b5d2aefd496a295af0e075e90731c4421f

Download Submit
memory/2680-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2680-1-0x0000000000A00000-0x0000000000A3C000-memory.dmp

Filesize
240KB

Download
memory/2944-9-0x0000000001360000-0x000000000139C000-memory.dmp

Filesize
240KB

Download
memory/2944-10-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-11-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-12-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download