General

  • Target

    wda.exe

  • Size

    161KB

  • Sample

    250327-qqkc7avky6

  • MD5

    d5b4b9710a94d2f3ee369da506aa1082

  • SHA1

    1320363847c692323214bcbba4ae8810d4675f09

  • SHA256

    c6945b1ebf56e405f11d217c5e54c43a9ee111c6c57e63b8189720a2b4029433

  • SHA512

    74a24a65911f89829486921e8f18bc493d201c5c1ac618a7c99b4fa39658d14648e4154eee9fa92080eddb40c921a90656fccee1596c405c5f1da363e707f55d

  • SSDEEP

    3072:qw+jq+91UbT5wtYX8YUSl6s2rGYiDHjommEAT0FDu7HJdZ/JmBhejFA9mkVjvs:HWH91UbCtYMYUSl6hCHNm5TBT/aeji9T

Malware Config

Extracted

Family

xenorat

C2

punanemarps-61910.portmap.host

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    3000

  • install_path

    temp

  • port

    61910

  • startup_name

    Splayer

Targets

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

MITRE ATT&CK Enterprise v15

Tasks