General

  • Target

    Mt5_Servers.exe

  • Size

    200KB

  • Sample

    250317-ncz6da1qx9

  • MD5

    5d2230f9507200accc5a6defc551bdf3

  • SHA1

    d502142597ff51da2124c3688ec677a81206f3ea

  • SHA256

    02b05f38602f3f153a01bc5585e7a7482852bfb964cc8865905b584e62eb71b6

  • SHA512

    31e9be6b7f98f2723ef8dc3e7863ccb0b9220368f013fa7735c4404d859a139753172758302b1844b9a9d8072ac0d734fa67d9d7bdb67ea41b1a20f98c9edd9e

  • SSDEEP

    3072:Gw+jqOM91UbTYC105VQq44DCFkoQDmH7J3XnXLanJpg3Efv:zWhM91UbYCW5M7JHGnJN

Malware Config

Extracted

Family

xenorat

C2

83.50.225.25

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4892

  • startup_name

    Mt5 Servers

Targets

    • Target

      Mt5_Servers.exe

    • Size

      200KB

    • MD5

      5d2230f9507200accc5a6defc551bdf3

    • SHA1

      d502142597ff51da2124c3688ec677a81206f3ea

    • SHA256

      02b05f38602f3f153a01bc5585e7a7482852bfb964cc8865905b584e62eb71b6

    • SHA512

      31e9be6b7f98f2723ef8dc3e7863ccb0b9220368f013fa7735c4404d859a139753172758302b1844b9a9d8072ac0d734fa67d9d7bdb67ea41b1a20f98c9edd9e

    • SSDEEP

      3072:Gw+jqOM91UbTYC105VQq44DCFkoQDmH7J3XnXLanJpg3Efv:zWhM91UbYCW5M7JHGnJN

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks