General

  • Target

    Bob Xeno Client.exe

  • Size

    46KB

  • Sample

    250308-y2axwssjv6

  • MD5

    2a7dfd47f45c9a8d291c27449677a409

  • SHA1

    04791fc97f6b0edd17f486110c09c7fe2db3b5c0

  • SHA256

    8e9ff300c349a60640c091c0c4ee0bc40bdb1338708c55d4e73c46354aac831a

  • SHA512

    0d9f43dcff9f750867e829a1d28e1c120859d5bf6855c0698f36adce94375b1523e604fdca5b968e7b8d683781219c54f56451a00512d38467220457d07c7feb

  • SSDEEP

    768:PdhO/poiiUcjlJInVTH9Xqk5nWEZ5SbTDafuI7CPW5E:Fw+jjgnNH9XqcnW85SbT6uIM

Malware Config

Extracted

Family

xenorat

C2

if-eventually.gl.at.ply.gg

Mutex

silly_goober

Attributes

  • install_path

    temp

  • port

    17094

  • startup_name

    Runtime Broker

Targets

    • Target

      Bob Xeno Client.exe

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks