General

  • Target

    Artisan.exe

  • Size

    50KB

  • Sample

    250330-jjfm4atscv

  • MD5

    30c32a95776430d3576e26b5280ded3f

  • SHA1

    5a644125cada2b27eb5667d73b88e3901819b9cf

  • SHA256

    556e43e88d734b8642853a480248f822bb6d5fe9d2081a3bc9ca69668d283eac

  • SHA512

    ecfd2c6e15e1da558671d53ee125e7fc952dbdfa86771b8700a4179fb71da14551f9b9bfc5bda6a7c19f183c35e9b61a2f3b3af5c07fe8d02b84b3d4045bb67a

  • SSDEEP

    768:2dhO/poiiUcjlJInIHqH9Xqk5nWEZ5SbTDaUWI7CPW5ESf:gw+jjgnfH9XqcnW85SbTNWIsSf

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Windows_SoftworksX86

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    1928

  • startup_name

    registryhandler

Targets

    • Target

      Artisan.exe

    • Size

      50KB

    • MD5

      30c32a95776430d3576e26b5280ded3f

    • SHA1

      5a644125cada2b27eb5667d73b88e3901819b9cf

    • SHA256

      556e43e88d734b8642853a480248f822bb6d5fe9d2081a3bc9ca69668d283eac

    • SHA512

      ecfd2c6e15e1da558671d53ee125e7fc952dbdfa86771b8700a4179fb71da14551f9b9bfc5bda6a7c19f183c35e9b61a2f3b3af5c07fe8d02b84b3d4045bb67a

    • SSDEEP

      768:2dhO/poiiUcjlJInIHqH9Xqk5nWEZ5SbTDaUWI7CPW5ESf:gw+jjgnfH9XqcnW85SbTNWIsSf

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.
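The extracted configuration above (mutex, startup_name, install_path, port) and the behaviour signatures in this list together describe what this build leaves on a host. The following script is an added example, not part of the sandbox report or of the XenoRat project: it turns the report's config and hashes into host indicators and classifies Sysmon-style registry writes (EventID 13 TargetObject/Details fields) against the behaviours listed above. The event shapes, the SID, the CLSID and the file paths in the sample events are constructed for the demonstration, and the helper names are this example's own. Note that the configured C2 of 127.0.0.1 is the loopback address, so this build as extracted never beacons off-host; the hashes also match only this exact build, which is why the script leans on the registry and path artifacts.

```python
"""
Host-artifact triage for the XenoRat sample described in this report.
Added example; not the report's or the XenoRat project's own code.
Event dicts approximate Sysmon EventID 13 (RegistryValueSet) fields;
all sample data below is constructed.
"""
import hashlib
import ipaddress
import re

# Indicators copied from the report.
FILE_HASHES = {
    "md5": "30c32a95776430d3576e26b5280ded3f",
    "sha1": "5a644125cada2b27eb5667d73b88e3901819b9cf",
    "sha256": "556e43e88d734b8642853a480248f822bb6d5fe9d2081a3bc9ca69668d283eac",
}
CONFIG = {
    "c2": "127.0.0.1",
    "port": 1928,
    "mutex": "Windows_SoftworksX86",
    "delay_ms": 5000,
    "install_path": "appdata",
    "startup_name": "registryhandler",
}

# Registry locations behind the behaviours the report lists.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
COM_SERVER = re.compile(r"\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)", re.I)
EXEFILE_CMD = re.compile(r"\\Classes\\exefile\\shell\\open\\command", re.I)
APPDATA = re.compile(r"\\AppData\\Roaming\\", re.I)


def hash_matches(data: bytes) -> dict:
    """Compare a file's digests with the report's hashes (matches this build only)."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest
            for algo, digest in FILE_HASHES.items()}


def network_indicator() -> dict:
    """The configured C2 is loopback, so no external beacon is expected from this build."""
    addr = ipaddress.ip_address(CONFIG["c2"])
    return {"c2": CONFIG["c2"], "port": CONFIG["port"], "routable": not addr.is_loopback}


def classify_registry_event(event: dict) -> list:
    """Return the report's behaviour labels that a single registry write would trigger.

    event = {"target": full key path including value name, "details": data written}
    """
    target, details = event["target"], event.get("details", "")
    findings = []
    m = RUN_KEY.search(target)
    if m:
        findings.append("Adds Run key to start application")
        if m.group(1).lower() == CONFIG["startup_name"]:
            findings.append("config match: startup_name")
    # A per-user CLSID server entry shadows the HKLM one: the classic COM hijack location.
    if COM_SERVER.search(target) and target.upper().startswith("HKU\\"):
        findings.append("Event Triggered Execution: Component Object Model Hijacking")
    if EXEFILE_CMD.search(target):
        findings.append("Modifies system executable filetype association")
    # install_path "appdata": the payload lives under %APPDATA%, so check the written path.
    if findings and APPDATA.search(details):
        findings.append("config match: install_path appdata")
    return findings


def triage_registry_events(events: list) -> dict:
    """Map each suspicious TargetObject to its findings; clean events are dropped."""
    result = {}
    for ev in events:
        hits = classify_registry_event(ev)
        if hits:
            result[ev["target"]] = hits
    return result


# Constructed events (fake SID, fake CLSID, fake user); not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\registryhandler",
     "details": r"C:\Users\victim\AppData\Roaming\Artisan.exe"},
    {"target": r"HKU\S-1-5-21-1000\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "details": r"C:\Users\victim\AppData\Roaming\helper.dll"},
    {"target": r"HKLM\Software\Classes\exefile\shell\open\command\(Default)",
     "details": r'C:\Users\victim\AppData\Roaming\Artisan.exe "%1" %*'},
    {"target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    print("network:", network_indicator())
    for target, hits in triage_registry_events(SAMPLE_EVENTS).items():
        print(target)
        for h in hits:
            print("   ", h)
```

The COM rule deliberately requires an HKU path: a write under HKLM\Software\Classes\CLSID is normally an installer, while the same server entry under a user hive is what shadows the machine-wide object. The Uninstall-key and system-information reads from the signature list are not covered here because Sysmon records registry value sets, not reads; those need a different source (registry auditing or an EDR's read telemetry).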

MITRE ATT&CK Enterprise v15