General

  • Target

    f.exe

  • Size

    45KB

  • Sample

    250310-mx6cfsstbv

  • MD5

    ee4c9d122b27e42c325358e85cd8e7f4

  • SHA1

    52ac4bf7bf1402427b63e43254e6077ad2e958cd

  • SHA256

    83a8c278ff9caa4ba6ef571d0e06fc85c414e082085bc6d078f5f5ba606305da

  • SHA512

    593ee01ab2335ba70d0faa36857b10bda93c2b40d9b87c7919df183295eb983e77c35e48ce95e0610e944bda59c2f0d20320710eb5dfa3171380c5e422e23ca0

  • SSDEEP

    768:1dhO/poiiUcjlJInsVH9Xqk5nWEZ5SbTDa01uI7CPW5WZ:Lw+jjgn8H9XqcnW85SbTbuIe

Malware Config

Extracted

Family

xenorat

C2

10.10.1.250

Mutex

High Definition Audio

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4782

  • startup_name

    High Definition Audio
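The following is an added hunting helper, not part of the sandbox report and not XenoRat's own code. It turns the extracted attributes above (C2, port, mutex, startup_name, install_path) into host and network indicators and runs them over a few constructed Sysmon-style events. It also encodes two caveats a practitioner should check before acting on this config: the C2 10.10.1.250 is RFC 1918 space, so this build only calls home inside whatever lab network it was made for and the address is useless as a perimeter blocklist entry; and the name "High Definition Audio" mimics a legitimate Windows audio driver component, so it is matched only as a Run-key value name, scheduled task name or mutex name rather than as a free string. The Run key and scheduled task as persistence locations and the %APPDATA% sub-folder layout are assumptions; the report states only install_path appdata and the startup_name.

```python
"""Hunt for the XenoRat config extracted in the report (added example, not report code)."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Indicators copied from the extracted config above.
C2_HOST = "10.10.1.250"
C2_PORT = 4782
MUTEX = "High Definition Audio"
STARTUP_NAME = "High Definition Audio"
# install_path "appdata": the report says the payload installs under %APPDATA%.
# Sub-folder name and file name are NOT in the report, so the file match below only
# requires the Roaming AppData prefix plus the startup name somewhere in the path.
APPDATA_PREFIX = "\\appdata\\roaming\\"


def c2_is_private(host: str = C2_HOST) -> bool:
    """True when the C2 sits in private/loopback/link-local space (RFC 1918 etc.).

    A private C2 means the sample was built for a lab or an already-compromised
    internal segment; blocking it at the internet edge achieves nothing.
    """
    return ipaddress.ip_address(host).is_private


def classify(event: dict) -> Optional[str]:
    """Return a short reason if the event matches one indicator, else None.

    Events are plain dicts in a Sysmon-like shape (constructed for this example).
    """
    kind = event.get("type")
    if kind == "NetworkConnect":
        # Require host AND port: other traffic to a shared lab host is not the RAT.
        if event.get("dst") == C2_HOST and int(event.get("dport", 0)) == C2_PORT:
            return f"connection to configured C2 {C2_HOST}:{C2_PORT}"
    elif kind == "FileCreate":
        path = event.get("path", "").lower()
        if APPDATA_PREFIX in path and STARTUP_NAME.lower() in path:
            return f"payload written under %APPDATA% with startup name '{STARTUP_NAME}'"
    elif kind in ("RegistryValueSet", "TaskCreate"):
        # Assumed persistence locations: HKCU Run value or scheduled task named startup_name.
        if event.get("name", "").lower() == STARTUP_NAME.lower():
            return f"persistence entry named '{STARTUP_NAME}'"
    elif kind == "MutexCreate":
        if event.get("name") == MUTEX:
            return f"mutex '{MUTEX}' created"
    return None


def hunt(events: Iterable[dict]) -> List[Tuple[str, dict]]:
    """Run classify() over a stream of events and collect (reason, event) hits."""
    return [(reason, ev) for ev in events if (reason := classify(ev))]


# Constructed sample telemetry for this example; not from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "NetworkConnect", "image": "C:\\Users\\bob\\AppData\\Roaming\\High Definition Audio\\f.exe",
     "dst": "10.10.1.250", "dport": 4782},
    {"type": "NetworkConnect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst": "10.10.1.250", "dport": 443},  # same host, wrong port: must not match
    {"type": "FileCreate", "path": "C:\\Users\\bob\\AppData\\Roaming\\High Definition Audio\\f.exe"},
    {"type": "FileCreate", "path": "C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini"},
    {"type": "RegistryValueSet", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "High Definition Audio"},
    {"type": "RegistryValueSet", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "OneDrive"},
    {"type": "MutexCreate", "name": "High Definition Audio"},
]

if __name__ == "__main__":
    if c2_is_private():
        print(f"[!] C2 {C2_HOST} is private address space: lab/test build, not a usable blocklist IOC")
    for reason, ev in hunt(SAMPLE_EVENTS):
        print(f"HIT {ev['type']:<17} {reason}")
```

Against the constructed events the helper flags the C2 connection, the %APPDATA% drop, the Run-key value and the mutex, and ignores the HTTPS connection to the same host and the unrelated Firefox and OneDrive entries.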

Targets

    • Target

      f.exe

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is an open-source remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks