General
-
Target
anyrun-detect.exe
-
Size
16KB
-
Sample
250323-nmn6vssmt9
-
MD5
feef894d04ba54f3206e9c6c4af056ac
-
SHA1
a821dd36821ad51c8278a94de84087bd27f3579f
-
SHA256
67b65b3c64249a9b168acfa3e39411666f65c27c624f21cfe0fad19aeda730f5
-
SHA512
ac01eb56d7233f608e61d7f3cbc0daeaf4e3177668336b677eaed6e96534827aad57e3d9b178183f497d0c1a41cb50477aa7e1069c9d9dc79610c7f5e34e528b
-
SSDEEP
192:7iQmO9oCC88hVlBDj+u1BdXElWnKWmXhxydrwtA1bMjghhR:bFWZ3lB+u1wh5XbtONhhR
Malware Config
Extracted
xenorat
2.tcp.ngrok.io
Office_at_nd8912d
-
delay
5000
-
install_path
appdata
-
port
15185
-
startup_name
office365m
Targets
-
-
Target
anyrun-detect.exe
-
Size
16KB
-
MD5
feef894d04ba54f3206e9c6c4af056ac
-
SHA1
a821dd36821ad51c8278a94de84087bd27f3579f
-
SHA256
67b65b3c64249a9b168acfa3e39411666f65c27c624f21cfe0fad19aeda730f5
-
SHA512
ac01eb56d7233f608e61d7f3cbc0daeaf4e3177668336b677eaed6e96534827aad57e3d9b178183f497d0c1a41cb50477aa7e1069c9d9dc79610c7f5e34e528b
-
SSDEEP
192:7iQmO9oCC88hVlBDj+u1BdXElWnKWmXhxydrwtA1bMjghhR:bFWZ3lB+u1wh5XbtONhhR
Score10/10-
Detect XenoRat Payload
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1