General

  • Target

    2025-03-29_de4c2b4fd1be0104eb1ff2dbb5fd8e88_amadey_karagany_rhadamanthys_smoke-loader

  • Size

    243KB

  • Sample

    250329-l9qxvs1wbs

  • MD5

    de4c2b4fd1be0104eb1ff2dbb5fd8e88

  • SHA1

    8409d7dbe95039a0914ab1880772d7a39705e7d2

  • SHA256

    3ff22427598437632ed294dccbde79e20eb5084eb6b0d7eb11555796fa67876c

  • SHA512

    c34b36e9ad1038d8dfb7c7d23dfaa4d5e0056b2142ef1962ce50ad8e6d9219cb816cd7b4e7bac934a09764a12c0588aa7b5a57e7a61ba34fc337937e16149d1e

  • SSDEEP

    6144:PSncRlmWU91Ubp+f4nKvaQhcF7qI+xuZjwxB:q4MVgvhq

Malware Config

Extracted

Family

xenorat

C2

slimedang-64046.portmap.host

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    64046

  • startup_name

    winsvchost
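
The extracted config above is directly usable as hunting material. What follows is an added example, not code from the sandbox report or from the XenoRAT sample: it derives three checks from the config (a DNS query for the C2 hostname, a connection to the C2 port from a binary running under a Temp directory, and a Run-key value named after startup_name) and runs them over constructed key=value telemetry. The log format, the sample events, the reading of install_path "temp" as a path component named Temp, and the reading of startup_name as a Run-key value name are all assumptions made for illustration; the report states none of them.

```python
"""Turn the XenoRAT config above into hunting indicators and run them over telemetry.

Added example; not code from the sandbox report or from the malware. Only the
values in XENORAT_CONFIG come from the report. The key=value log format, the
sample events, and the assumptions that startup_name is used as a Run-key value
name and that install_path "temp" means a ...\Temp\ directory are constructed.
"""
import re
from dataclasses import dataclass

# Config values as extracted in the report (C2 host, port, delay, install path, startup name).
XENORAT_CONFIG = {
    "c2": "slimedang-64046.portmap.host",
    "port": 64046,
    "delay": 5000,
    "install_path": "temp",
    "startup_name": "winsvchost",
}

# Constructed telemetry (not from the sandbox run). WS01's three events and the
# WS03 DNS query should fire; the two WS02 events are benign noise.
SAMPLE_TELEMETRY = r"""
2025-03-29T10:00:01Z type=dns host=WS01 query=slimedang-64046.portmap.host
2025-03-29T10:00:02Z type=netconn host=WS01 image=C:\Users\bob\AppData\Local\Temp\svc.exe dst=203.0.113.5 dport=64046
2025-03-29T10:00:03Z type=regset host=WS01 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=winsvchost data=C:\Users\bob\AppData\Local\Temp\svc.exe
2025-03-29T10:00:05Z type=dns host=WS02 query=update.example.com
2025-03-29T10:00:06Z type=netconn host=WS02 image=C:\Program Files\Vendor\app.exe dst=198.51.100.7 dport=443
2025-03-29T10:00:09Z type=dns host=WS03 query=other-51000.portmap.host
"""

# A value runs until the next " key=" or end of line, so paths with spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Hit:
    kind: str
    confidence: str
    line: str


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = ts
    return event


def build_indicators(cfg):
    """Derive the fields we hunt on from an extracted config."""
    host = cfg["c2"].lower()
    return {
        "c2_host": host,
        # portmap.host is a port-forwarding relay, so sibling hostnames are worth a look too
        "c2_parent": ".".join(host.split(".")[-2:]),
        "c2_port": str(cfg["port"]),
        "run_value": cfg["startup_name"].lower(),
        "install_dir": cfg["install_path"].lower(),  # assumption: a directory component named "temp"
    }


def in_install_dir(path, component):
    """True if any directory component of path (excluding the file name) equals component."""
    return component in [p.lower() for p in re.split(r"[\\/]", path)[:-1]]


def hunt(lines, cfg=XENORAT_CONFIG):
    """Return one Hit per telemetry line that matches an indicator derived from cfg."""
    ioc = build_indicators(cfg)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        kind = ev.get("type")
        if kind == "dns":
            query = ev.get("query", "").lower()
            if query == ioc["c2_host"]:
                hits.append(Hit("c2_dns", "high", line))
            elif query.endswith("." + ioc["c2_parent"]):
                hits.append(Hit("portmap_dns", "medium", line))
        elif kind == "netconn":
            if ev.get("dport") == ioc["c2_port"] and in_install_dir(ev.get("image", ""), ioc["install_dir"]):
                hits.append(Hit("c2_port_from_temp", "high", line))
        elif kind == "regset":
            is_run_key = ev.get("key", "").lower().endswith("\\currentversion\\run")
            if is_run_key and ev.get("value", "").lower() == ioc["run_value"]:
                hits.append(Hit("run_key_persistence", "high", line))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_TELEMETRY.splitlines()):
        print(f"[{h.confidence:6}] {h.kind:20} {h.line}")
```

Two practical notes. The C2 hostname embeds the same port number as the config and sits under portmap.host, a hosted port-forwarding relay, so the address it resolves to is the relay, not the operator's own machine; the lower-confidence rule on sibling *.portmap.host names exists because such relays are cheap to re-provision. The Run-key and Temp-directory checks are the assumptions most likely to need adjusting once the actual persistence mechanism has been confirmed from the sandbox's process and registry events.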

Targets

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL
