General

  • Target

    real.exe

  • Size

    45KB

  • Sample

    250308-wsg9haz1as

  • MD5

    4ce3393ef46abfb25be0c792674ce6a4

  • SHA1

    9278aebae0d9ca698134ba88c0841b50c2f1340a

  • SHA256

    f19fed4954e0b643b5f21abefe57ec4701b84795084ec2d30a4c8fcedbac2360

  • SHA512

    0007289b551022abc30e1ad9d247abb479219c2498b87f1f422badd3be53415830d56c80dcf567d9395a10689939f4b92612c73bbb749fe537469fe8fd03967c

  • SSDEEP

    768:SdhO/poiiUcjlJInVsH9Xqk5nWEZ5SbTDasWI7CPW5wP:0w+jjgnWH9XqcnW85SbT9WIoP

Malware Config

Extracted

  • Family

    xenorat

  • C2

    2533qwefs-64288.portmap.host

  • Mutex

    25682-25636-235364376-254262

  • Attributes

    • delay

      1000

    • install_path

      appdata

    • port

      64288

    • startup_name

      System

Targets

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL
