General

  • Target

    anyrun-detect.exe

  • Size

    16KB

  • Sample

    250323-nmn6vssmt9

  • MD5

    feef894d04ba54f3206e9c6c4af056ac

  • SHA1

    a821dd36821ad51c8278a94de84087bd27f3579f

  • SHA256

    67b65b3c64249a9b168acfa3e39411666f65c27c624f21cfe0fad19aeda730f5

  • SHA512

    ac01eb56d7233f608e61d7f3cbc0daeaf4e3177668336b677eaed6e96534827aad57e3d9b178183f497d0c1a41cb50477aa7e1069c9d9dc79610c7f5e34e528b

  • SSDEEP

    192:7iQmO9oCC88hVlBDj+u1BdXElWnKWmXhxydrwtA1bMjghhR:bFWZ3lB+u1wh5XbtONhhR

Malware Config

Extracted

Family

xenorat

C2

2.tcp.ngrok.io

Mutex

Office_at_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    15185

  • startup_name

    office365m

Targets

    • Target

      anyrun-detect.exe

    • Size

      16KB

    • MD5

      feef894d04ba54f3206e9c6c4af056ac

    • SHA1

      a821dd36821ad51c8278a94de84087bd27f3579f

    • SHA256

      67b65b3c64249a9b168acfa3e39411666f65c27c624f21cfe0fad19aeda730f5

    • SHA512

      ac01eb56d7233f608e61d7f3cbc0daeaf4e3177668336b677eaed6e96534827aad57e3d9b178183f497d0c1a41cb50477aa7e1069c9d9dc79610c7f5e34e528b

    • SSDEEP

      192:7iQmO9oCC88hVlBDj+u1BdXElWnKWmXhxydrwtA1bMjghhR:bFWZ3lB+u1wh5XbtONhhR

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
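The extracted config (C2 host and port, mutex, Run key name, install path) and the behaviour signatures above (Run key persistence, connection to an ngrok tunnel, which is what "Legitimate hosting services abused" refers to) are the indicators a responder would sweep for. The script below is an added example, not part of the sandbox report or of XenoRAT itself: it runs those indicators over host telemetry. The event schema (plain dicts with a "type" field), the sample events and the dropped-file name in them are constructed for illustration; treating every ngrok TCP endpoint as suspicious is an assumption to tune per environment. The indicator values themselves come from the report.

```python
"""Hunt for the XenoRAT indicators above over host telemetry.

Added example; not part of the sandbox report or of XenoRAT. The event
schema and SAMPLE_EVENTS are constructed; indicator values are from the report.
"""
import re
from dataclasses import dataclass

# Indicators from the Malware Config and hashes above.
C2_HOST = "2.tcp.ngrok.io"
C2_PORT = 15185
MUTEX = "Office_at_nd8912d"
STARTUP_NAME = "office365m"   # value name of the Run key ("startup_name")
SHA256 = "67b65b3c64249a9b168acfa3e39411666f65c27c624f21cfe0fad19aeda730f5"
MD5 = "feef894d04ba54f3206e9c6c4af056ac"

# Per-user and machine Run keys; HKU\<SID> is how many EDR feeds render HKCU.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKLM|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$",
    re.IGNORECASE)
# install_path is "appdata": the dropped binary is expected under %APPDATA%.
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
# Any ngrok TCP tunnel endpoint (N.tcp[.region].ngrok.io); the report's C2 is one
# instance. Flagging every such host is an assumption to tune per environment.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp\.(?:[a-z]{2}\.)?ngrok\.io$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    event_id: int
    indicator: str
    detail: str


def hunt(events):
    """Return the hits found in an ordered list of telemetry events.

    DNS answers are remembered so that a later connection to a resolved IP on
    the C2 port is attributed to the tunnel host; matching on the port alone
    would be noisy because ngrok assigns tunnel ports.
    """
    resolved = {}          # ip -> hostname, filled from dns_query events
    hits = []
    for ev in events:
        t, eid = ev["type"], ev["id"]
        if t == "registry_set" and RUN_KEY_RE.match(ev["key"]):
            if ev["value_name"].lower() == STARTUP_NAME:
                hits.append(Hit(eid, "run_key_name", f"{ev['value_name']} -> {ev['data']}"))
            elif APPDATA_RE.search(ev["data"]):
                hits.append(Hit(eid, "run_key_appdata", f"{ev['value_name']} -> {ev['data']}"))
        elif t == "dns_query":
            q = ev["query"].rstrip(".")
            for ip in ev.get("answers", []):
                resolved[ip] = q
            if q.lower() == C2_HOST:
                hits.append(Hit(eid, "c2_host", q))
            elif NGROK_TCP_RE.match(q):
                hits.append(Hit(eid, "ngrok_tcp_tunnel", q))
        elif t == "net_connect" and ev["dport"] == C2_PORT:
            host = resolved.get(ev["dip"])
            if host and (host.lower() == C2_HOST or NGROK_TCP_RE.match(host)):
                hits.append(Hit(eid, "c2_connect", f"{ev['dip']}:{ev['dport']} ({host})"))
        elif t == "mutex_create" and ev["name"] == MUTEX:
            hits.append(Hit(eid, "mutex", ev["name"]))
        elif t == "file_hash" and ev["hash"].lower() in (SHA256, MD5):
            hits.append(Hit(eid, "known_sample_hash", f"{ev['path']} {ev['hash']}"))
    return hits


# Constructed sample telemetry (not real logs): two benign events, then the
# chain the report's signatures describe. The file name is made up.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"id": 2, "type": "dns_query", "query": "www.microsoft.com", "answers": ["20.70.246.20"]},
    {"id": 3, "type": "file_hash", "path": r"C:\Users\user\AppData\Roaming\update.exe",
     "hash": "67B65B3C64249A9B168ACFA3E39411666F65C27C624F21CFE0FAD19AEDA730F5"},
    {"id": 4, "type": "registry_set",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "office365m", "data": r"C:\Users\user\AppData\Roaming\update.exe"},
    {"id": 5, "type": "mutex_create", "name": "Office_at_nd8912d"},
    {"id": 6, "type": "dns_query", "query": "2.tcp.ngrok.io.", "answers": ["192.0.2.10"]},
    {"id": 7, "type": "net_connect", "dip": "192.0.2.10", "dport": 15185},
    {"id": 8, "type": "net_connect", "dip": "198.51.100.7", "dport": 15185},  # same port, unrelated host
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"event {h.event_id}: {h.indicator}: {h.detail}")
```

Event 8 produces no hit on purpose: the destination port matches, but the IP was never resolved from an ngrok host, so the port alone is not treated as evidence. The mutex and the Run key value name are the cheapest high-confidence checks on a live host; the hash only catches this exact build.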

MITRE ATT&CK Enterprise v15

Tasks