General

  • Target

    sigmacode.bat

  • Size

    241KB

  • Sample

    250327-gek1xaxyg1

  • MD5

    dc465799cbb5221f848c11da15faff51

  • SHA1

    158d6b4d23f4e8bb0ba1eb96c0f9e665285faba6

  • SHA256

    b59fda940719ff91b2df43e0c25e827853c0fb9c8eb43bce5c0324bc945ac53a

  • SHA512

    763773fb65732bd2e6415056e59bf4b3c4f85f782bcc63da420f2e143f9c9787f9e25c548363e9d858f895a9e08338c4f80cd9fed779fa002092e1083410fb71

  • SSDEEP

    6144:zqKuEvqtJNqLQa2qIUOKIHBSnMWQ/L24Ox1gRxzNP+oxQ6O9:zqBBzsl/IHBSMD/L24O7gRxzNP+o90

Malware Config

Extracted

Family

xenorat

C2

issue-vernon.gl.at.ply.gg

Mutex

deptrainhatvutru

Attributes
  • delay

    5000

  • install_path

    nothingset

  • port

    7560

  • startup_name

    nothingset

Targets

    • Target

      sigmacode.bat

    • Size

      241KB

    • MD5

      dc465799cbb5221f848c11da15faff51

    • SHA1

      158d6b4d23f4e8bb0ba1eb96c0f9e665285faba6

    • SHA256

      b59fda940719ff91b2df43e0c25e827853c0fb9c8eb43bce5c0324bc945ac53a

    • SHA512

      763773fb65732bd2e6415056e59bf4b3c4f85f782bcc63da420f2e143f9c9787f9e25c548363e9d858f895a9e08338c4f80cd9fed779fa002092e1083410fb71

    • SSDEEP

      6144:zqKuEvqtJNqLQa2qIUOKIHBSnMWQ/L24Ox1gRxzNP+oxQ6O9:zqBBzsl/IHBSMD/L24O7gRxzNP+o90

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v15

Tasks