General
- Target: wda.exe
- Size: 161KB
- Sample: 250327-qn72gavkx2
- MD5: d5b4b9710a94d2f3ee369da506aa1082
- SHA1: 1320363847c692323214bcbba4ae8810d4675f09
- SHA256: c6945b1ebf56e405f11d217c5e54c43a9ee111c6c57e63b8189720a2b4029433
- SHA512: 74a24a65911f89829486921e8f18bc493d201c5c1ac618a7c99b4fa39658d14648e4154eee9fa92080eddb40c921a90656fccee1596c405c5f1da363e707f55d
- SSDEEP: 3072:qw+jq+91UbT5wtYX8YUSl6s2rGYiDHjommEAT0FDu7HJdZ/JmBhejFA9mkVjvs:HWH91UbCtYMYUSl6hCHNm5TBT/aeji9T
Behavioral task
- behavioral1
  - Sample: wda.exe
  - Resource: win10v2004-20250313-en
Malware Config
Extracted
- Family: xenorat
- C2: punanemarps-61910.portmap.host
- Mutex: Xeno_rat_nd8912d
- delay: 3000
- install_path: temp
- port: 61910
- startup_name: Splayer
Targets
- Target: wda.exe
  - Size: 161KB
  - MD5: d5b4b9710a94d2f3ee369da506aa1082
  - SHA1: 1320363847c692323214bcbba4ae8810d4675f09
  - SHA256: c6945b1ebf56e405f11d217c5e54c43a9ee111c6c57e63b8189720a2b4029433
  - SHA512: 74a24a65911f89829486921e8f18bc493d201c5c1ac618a7c99b4fa39658d14648e4154eee9fa92080eddb40c921a90656fccee1596c405c5f1da363e707f55d
  - SSDEEP: 3072:qw+jq+91UbT5wtYX8YUSl6s2rGYiDHjommEAT0FDu7HJdZ/JmBhejFA9mkVjvs:HWH91UbCtYMYUSl6hCHNm5TBT/aeji9T

Signatures
- Detect XenoRat Payload
- Xenorat family
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Abuse Elevation Control Mechanism: Bypass User Account Control
  UAC bypass attempt via the SilentCleanup scheduled task.
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)