General

  • Target

    e58385d0d9d312cedbf8950d430c0948307184a839454bd86d5ffeadcf3a9ebf.exe

  • Size

    47KB

  • Sample

    250307-jtbrwsxk16

  • MD5

    7f9d2a897d4ce0a5a7bf0ed18c21455d

  • SHA1

    f3360c62328f120b234874223b5db75ec48812d1

  • SHA256

    e58385d0d9d312cedbf8950d430c0948307184a839454bd86d5ffeadcf3a9ebf

  • SHA512

    d8399616d965006f83069e9058ef611cb2027fdc6a19f0ab72c541e1738e84233a9fd69a82123d21a9469a4b39cecab26593c31eedd2288fb3803bdabf29d8cb

  • SSDEEP

    768:sdhM/poiiUcjlJInvhYf9Xqk5nWEZ5SbTDa/vI7CPW5XYc:m2+jjgnvaf9XqcnW85SbTuvIgc

Malware Config

Extracted

  • Family

    xenorat

  • C2

    geikus.myaddr.io

  • Mutex

    Xeno_Rat_d7515nd

Attributes

  • delay

    5000

  • install_path

    appdata

  • port

    5555

  • startup_name

    onex187

Targets

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL
