Overview

overview

10

Static

static

1

apple.png

windows10-ltsc_2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    apple.png

  • Size

    1KB

  • Sample

    250412-qaykwavm15

  • MD5

    5f4e0c51e9a30432796fb5a2924c3e75

  • SHA1

    816522c6bce81f2e9d8d5516e0ade537df0db9b5

  • SHA256

    f59af5cc5e5d5a77ab9340f282488bac2139ebc725fde959364e8768c7a5cc98

  • SHA512

    46ffd273adbccb4e443ea45672c45b8f98d69e307ad2b7b42631c2e1a9f58f6acf8d858a5e868f86a3e46b197ba3f8b84e6a6a279489ba576e83393b5cc2a630

Score
10/10
xenoratdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

178.83.80.11

Mutex

WinStart

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4782

  • startup_name

    WinStart

Targets

    • Target

      apple.png

    • Size

      1KB

    • MD5

      5f4e0c51e9a30432796fb5a2924c3e75

    • SHA1

      816522c6bce81f2e9d8d5516e0ade537df0db9b5

    • SHA256

      f59af5cc5e5d5a77ab9340f282488bac2139ebc725fde959364e8768c7a5cc98

    • SHA512

      46ffd273adbccb4e443ea45672c45b8f98d69e307ad2b7b42631c2e1a9f58f6acf8d858a5e868f86a3e46b197ba3f8b84e6a6a279489ba576e83393b5cc2a630

    Score
    10/10
    xenoratdiscoveryratspywarestealertrojan

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Xenorat family

      xenorat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1

MITRE ATT&CK Enterprise v16

Tasks