xenorat | Client[.]exe | Triage

Sharing

General

Target

Client.exe
Size

45KB
MD5

dd96a8b21fb100affb8df038d0b8b571
SHA1

d51aaf85de04ba1f9d0fdb15579d9bd7a2fd343c
SHA256

add0eddbaee1ea36c8f7879c17b3b5fc0f2cf0982b47c9aecf66b6b97a2d3ca4
SHA512

fe509d0e9719e20ea85775f96f9367d91881c1e485e50aa22cfb677e186c1ffd9352deed72373ca37abe06180097438e6038164b30991b1e9087f53298942d47
SSDEEP

768:YdhO/poiiUcjlJIn5fdH9Xqk5nWEZ5SbTDaoWI7CPW5g:Kw+jjgnpdH9XqcnW85SbTJWIo

Score

10^/10

xenorat

Malware Config

Extracted

Family

xenorat

C2

anyone-center.gl.at.ply.gg

Mutex

4dfb8031-19a0-4b82-bddc-e152f936aa12

Attributes

delay
4000
install_path
appdata
port
8080
startup_name
Update.exe

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
sample	family_xenorat

Xenorat family
xenorat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Client.exe

Files

Client.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ