General

  • Target

    42.exe

  • Size

    45KB

  • Sample

    250309-z2s9xa1qs2

  • MD5

    9126f5b92f9db6d7feec3b86f38a39da

  • SHA1

    c8db8ac4b786331393af8b14ddf8fa770cd03efc

  • SHA256

    a90625831ae890455e7df575b57f88ca72d06e691a321def5d60bab441bfb2c8

  • SHA512

    642ff98420b4c3bc2f45da08aa9376899a5b4466dd9b4c02e55b009929d360b6cb3977a227ebab2edd8d35248b24e9c32ec32bf3a07d368f8e10710493dd550c

  • SSDEEP

    768:JdhO/poiiUcjlJInFTH9Xqk5nWEZ5SbTDaAuI7CPW5cP:Hw+jjgndH9XqcnW85SbTduI0P

Malware Config

Extracted

Family

xenorat

C2

fr242.hopto.org

Mutex

25682-25636-235364376-254262

Attributes
  • delay

    1000

  • install_path

    appdata

  • port

    4210

  • startup_name

    System

Targets

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15