Malware Analysis Report

2025-04-13 23:04

Sample ID 250326-fc8hra1ls4
Target EacSpoofr.exe
SHA256 b26ff883b2cbd4fb188d37e7ec073ac5db545346b3ba748108bd5c55fb48cc23
Tags
xenorat discovery rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b26ff883b2cbd4fb188d37e7ec073ac5db545346b3ba748108bd5c55fb48cc23

Threat Level: Known bad

The file EacSpoofr.exe was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan

Detect XenoRat Payload

Xenorat family

XenorRat

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-26 04:44

Signatures

Detect XenoRat Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-26 04:44

Reported

2025-03-26 04:47

Platform

win7-20240903-en

Max time kernel

132s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe"

Signatures

Detect XenoRat Payload

Description Indicator Process Target
N/A N/A N/A N/A

XenorRat

trojan rat xenorat

Xenorat family

xenorat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe

"C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Microsoft" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB9E.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Knokaaa-35772.portmap.host udp
DE 193.161.193.99:35772 Knokaaa-35772.portmap.host tcp
DE 193.161.193.99:35772 Knokaaa-35772.portmap.host tcp
DE 193.161.193.99:35772 Knokaaa-35772.portmap.host tcp
DE 193.161.193.99:35772 Knokaaa-35772.portmap.host tcp
DE 193.161.193.99:35772 Knokaaa-35772.portmap.host tcp

Files

memory/764-0-0x000000007479E000-0x000000007479F000-memory.dmp

memory/764-1-0x0000000000020000-0x0000000000032000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFB9E.tmp

MD5 85780967de318c4ee5165c72e59d310a
SHA1 7e603003a56c100a92d0b513b09778959fb7997b
SHA256 1b8bd19684f99800f63ae2376f445f9cb696972bd11a3c54d5e8041fac98ff88
SHA512 cf106c6fadc564344c3f15c11648941ab402f3085f3177a7703d41c026dc72478b56e5e888667197d01c814f496026a992326ae11e8cba80e5a0be591526623c

memory/764-4-0x0000000074790000-0x0000000074E7E000-memory.dmp

memory/764-5-0x000000007479E000-0x000000007479F000-memory.dmp

memory/764-6-0x0000000074790000-0x0000000074E7E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-26 04:44

Reported

2025-03-26 04:47

Platform

win10v2004-20250314-en

Max time kernel

132s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe"

Signatures

Detect XenoRat Payload

Description Indicator Process Target
N/A N/A N/A N/A

XenorRat

trojan rat xenorat

Xenorat family

xenorat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe

"C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Microsoft" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC54.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 Knokaaa-35772.portmap.host udp
DE 193.161.193.99:35772 Knokaaa-35772.portmap.host tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 193.161.193.99:35772 Knokaaa-35772.portmap.host tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
DE 193.161.193.99:35772 Knokaaa-35772.portmap.host tcp
DE 193.161.193.99:35772 Knokaaa-35772.portmap.host tcp
DE 193.161.193.99:35772 Knokaaa-35772.portmap.host tcp

Files

memory/2928-0-0x000000007510E000-0x000000007510F000-memory.dmp

memory/2928-1-0x00000000005A0000-0x00000000005B2000-memory.dmp

memory/2928-2-0x0000000075100000-0x00000000758B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEC54.tmp

MD5 85780967de318c4ee5165c72e59d310a
SHA1 7e603003a56c100a92d0b513b09778959fb7997b
SHA256 1b8bd19684f99800f63ae2376f445f9cb696972bd11a3c54d5e8041fac98ff88
SHA512 cf106c6fadc564344c3f15c11648941ab402f3085f3177a7703d41c026dc72478b56e5e888667197d01c814f496026a992326ae11e8cba80e5a0be591526623c

memory/2928-5-0x000000007510E000-0x000000007510F000-memory.dmp

memory/2928-6-0x0000000075100000-0x00000000758B0000-memory.dmp