General

  • Target: FlameWoo2K_0.0.8.exe
  • Size: 45.7MB
  • Sample: 250326-2mse6swpt2
  • MD5: 348628e2646afa52e420ddd80f0dc496
  • SHA1: 1d6e6dd8200019fa561e0a1092992d0b156f0528
  • SHA256: 56b9c25f3bc2a415ddf03543466767e17a17df3e2bd9d1140e7fc2d4eb994bc9
  • SHA512: 90a73b4cf8cd5fa570df3236f746ccf5abfbf6df6ac710f076e680736ff4425399c2df3f11a6b75be621d6499d42da3c8344ef0bf995930d5e53b6eb6c5dafc4
  • SSDEEP: 786432:TfwRVLtfvbC9Dghk+qi3Qt4xZZcIQ4QPM25sysvE5pLfDosJpMmMV+c9kTzn/NOP:rwRVRLC9DghLqdt4xQ4QPMftwLfcgpDI

Malware Config

Extracted

  • Family: xenorat
  • C2: localhost
  • Mutex: testing 123123

Attributes

  • delay: 1000
  • install_path: nothingset
  • port: 1234
  • startup_name: nothingset

Targets

    • Target: FlameWoo2K_0.0.8.exe
    • Size: 45.7MB
    • MD5: 348628e2646afa52e420ddd80f0dc496
    • SHA1: 1d6e6dd8200019fa561e0a1092992d0b156f0528
    • SHA256: 56b9c25f3bc2a415ddf03543466767e17a17df3e2bd9d1140e7fc2d4eb994bc9
    • SHA512: 90a73b4cf8cd5fa570df3236f746ccf5abfbf6df6ac710f076e680736ff4425399c2df3f11a6b75be621d6499d42da3c8344ef0bf995930d5e53b6eb6c5dafc4
    • SSDEEP: 786432:TfwRVLtfvbC9Dghk+qi3Qt4xZZcIQ4QPM25sysvE5pLfDosJpMmMV+c9kTzn/NOP:rwRVRLC9DghLqdt4xQ4QPMftwLfcgpDI

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Network Share Discovery

      Attempts to gather information on the host network.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks