General

  • Target

    MonkeModManager.exe

  • Size

    45KB

  • Sample

    250330-j1rfxstwez

  • MD5

    3d75be9fe85086a7952241df59014816

  • SHA1

    f7d45777b90ad26b81f939fe10b3c7c3a7a815dc

  • SHA256

    c8a3a8db0ca4a6e9edd28a219fbffb20459e823fe8651c449ab69ed10e9d9e12

  • SHA512

    fd1d0a03ac9f98399208739e0d5659efac02dff5af30358a2679d56ef6975b1df343fdaab4d30b2f8600538207e091cc20a712689184ae18bed3f5729552c46d

  • SSDEEP

    768:pdhO/poiiUcjlJInseqIH9Xqk5nWEZ5SbTDa1WI7CPW5C:nw+jjgn3H9XqcnW85SbTEWIq

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Attributes

  • delay

    5000

  • install_path

    temp

  • port

    1111

  • startup_name

    Windows Firewall Protection

Targets

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks