General

  • Target

    1.exe

  • Size

    45KB

  • Sample

    250331-nhxx7syvh1

  • MD5

    408dd8a1624076a6257c252be6c8144c

  • SHA1

    eb0fa69cbf1877e04f70df3c7473abcb51097c00

  • SHA256

    bdf25d1a291916711f8f98784bb4dac59662c19edeb59fcecb5a9602ac6b450e

  • SHA512

    6de633fa73ed7abb35d1e75d6b3d8a7b4dad8c37d90426fa8497b8e6bf8a9099a20fa8257608e4bf08a1d0577034131a691f150d88150666058fe628eb052575

  • SSDEEP

    768:ZdhO/poiiUcjlJInuC2H9Xqk5nWEZ5SbTDaSuI7CPW5i:Xw+jjgnP2H9XqcnW85SbT3uIa

Malware Config

Extracted

  • Family

    xenorat

  • C2

    127.0.0.1

  • Mutex

    Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    system32

Targets

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks