Overview

overview

10

Static

static

3

0b9145613d...e3.exe

windows7-x64

10

0b9145613d...e3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    19/03/2025, 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe

  • Size

    612KB

  • MD5

    5cb029f745b0691ec119a958319c31ef

  • SHA1

    e7079a4aa2715132d6ea4ac4e7997effea00e979

  • SHA256

    0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3

  • SHA512

    61bbb3929c8d233bc3ebb265094ff515ad509a18903edbad887f1d9ad23982ace2adc619f9bde098565a20674ce29973ac2bc83558a3f6f5b02548df09e68094

  • SSDEEP

    12288:ycrNS33L10QdrXpxen47qBmk1cNi3qYjY7fopC4xky2tuqFUmt:ZNA3R5drXPe47qBmk1+i39jWfopCObqJ

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

salutoepiesircam.sytes.net

Mutex

Xeno_rat_nd8911d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4450

  • startup_name

    setting

Signatures

  • Detect XenoRat Payload 3 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 8 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe
    "C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\budshpdig.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
        afgsfxf.sfx.exe -pthngaqwscpolkmBuiofxvflfadfdyehngfszafugyRhvqxsHbgnmeYiorhn -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
          "C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2112
          • C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
            C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1492
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC5D.tmp" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2360
          • C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
            C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1760
            • C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
              "C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2348
              • C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
                C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1632
              • C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
                C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\budshpdig.bat
    Filesize

    12KB

    MD5

    3c7b48100b1343fb5e491b6e25b3f973

    SHA1

    c1f0101ce56b77b1e62d5cd8eedb058039a6a6f1

    SHA256

    82af508a479aa7eb3710995954c09308b5610f141f65c57c296b19b2fa218a4b

    SHA512

    989df1b3bfea4de6bda4bed0a027dc280d905dbffe6e7573f65b3acfc708f58fce83da939f8952e5ffa4b7c0f539e4a4b16bc409670513a643af95d6147b6108

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBC5D.tmp
    Filesize

    1KB

    MD5

    4ca9b69da92c5e2bccf63c0e57f8888d

    SHA1

    3812235f99f0f0685ecf6566816c8d0182601163

    SHA256

    0320bb6bdd7e13012024f1239019036e8707883cc208e2a9d63827568e4ee18e

    SHA512

    c912aef98bb83d9c6784574b01defd757f49a70079762d94961ee503a46b31502361bb067e345fcad733afd5f06dd00c6f6e8c98e7d010e96a7779ae6fb9853d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\afgsfxf.exe
    Filesize

    238KB

    MD5

    e1dc7c5bc0e25c682383ed45a4f1b62d

    SHA1

    efb65a80c919f0c3b7d20f7e6936c4ed1bc39526

    SHA256

    8698d7bb5416fc8975a61be1f58793bd93ce9a611b0934ba9c1c7bfbd48d5ad6

    SHA512

    a194d7142c92ab1de1fc2c35d350a968085e116fa15dfda722c28c597eb33e0548de18717c48d308e6953cfbfc9c10996b2bcbc21ce60e5cb2c43fe860772dfc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
    Filesize

    471KB

    MD5

    b0f7c04b2eeecc36eaf4b8028f039fca

    SHA1

    f4215f7f99a94bc0f11caed46fba0f5b6d894bf3

    SHA256

    49189308da7b2d7038fc3cae77c4bffa62420b07ca4b833c85299f82d1e0dbf0

    SHA512

    ee91d628a5dd338bad371018f5593d83e246c173b6c6aa8dcca6f5be37b06013417f01a8583baf7379f782c83e836fb385bdb20b5bad79484b8b4c0a407cce27

    Download Submit

  • memory/1492-51-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1492-45-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1492-42-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2112-37-0x0000000001310000-0x0000000001354000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2112-38-0x00000000001B0000-0x00000000001B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2112-39-0x00000000003D0000-0x000000000040E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2112-40-0x0000000000220000-0x0000000000226000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2348-59-0x00000000010F0000-0x0000000001134000-memory.dmp

    Filesize

    272KB

    Download