General

  • Target

    xeno.exe

  • Size

    45KB

  • Sample

    250306-mrsjeawwby

  • MD5

    7e1e3bd34c397a1ecf10b7b28f980db5

  • SHA1

    9af0677d55c0df799a750e04bde03a8d41606b4e

  • SHA256

    8471aaf8c5d55b2997611242594f5d3b96723cfe0bfa425913d407d0e00e2d14

  • SHA512

    b91e34aeeb4022daed5654d73f893cc4286e94260e60b8c151e1f527cf27538ce430be8e28538ebd46ec966cd247fda0b6eae022a9ec82761c1748730ed44926

  • SSDEEP

    768:KdhO/poiiUcjlJIndFH9Xqk5nWEZ5SbTDaT0WI7CPW5q:sw+jjgnTH9XqcnW85SbT80WIy

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

xenoware

Attributes

  • delay

    1

  • install_path

    appdata

  • port

    4444

  • startup_name

    idk

Targets

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks