General

  • Target

    1n.exe

  • Size

    45KB

  • Sample

    250310-3egjdasyet

  • MD5

    3db088b8c8b9748d2be4f6cf43c51ff2

  • SHA1

    af920d280aa927072c9df457a7c6adac1a76b17c

  • SHA256

    52c7adefae6b848e0c83fadf001b9545f77b767922f5b8031f2ba981fb624281

  • SHA512

    2bbbe7e57bcd5ab74ad5426f2e70e54da9a72cceca1a8c768dac6485d9892460dc16ad1b7847c33b8c52576c2131089e90266e1eeeac308a34d6e4b065d6d198

  • SSDEEP

    768:hdhO/poiiUcjlJIn+0H9Xqk5nWEZ5SbTDahuI7CPW55:fw+jjgnjH9XqcnW85SbTEuIB

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    nego

Targets

    • Target

      1n.exe

    • Size

      45KB

    • MD5

      3db088b8c8b9748d2be4f6cf43c51ff2

    • SHA1

      af920d280aa927072c9df457a7c6adac1a76b17c

    • SHA256

      52c7adefae6b848e0c83fadf001b9545f77b767922f5b8031f2ba981fb624281

    • SHA512

      2bbbe7e57bcd5ab74ad5426f2e70e54da9a72cceca1a8c768dac6485d9892460dc16ad1b7847c33b8c52576c2131089e90266e1eeeac308a34d6e4b065d6d198

    • SSDEEP

      768:hdhO/poiiUcjlJIn+0H9Xqk5nWEZ5SbTDahuI7CPW55:fw+jjgnjH9XqcnW85SbTEuIB

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks