xenorat | 7d5ff178c46801beba098d2705798c99392e15dbc9ccdef3e11ed737d9dfb93d | Triage

Sharing

General

Target

fn.exe
Size

45KB
Sample

250415-ea6eya1wh1
MD5

224ccb2529301b657df7c6bcc7ac6613
SHA1

1743e1b819c6a20ec5b8db1024a4f460160419e7
SHA256

7d5ff178c46801beba098d2705798c99392e15dbc9ccdef3e11ed737d9dfb93d
SHA512

c09509172cb3a662ba8cf5b1df1a4c45dc014c59388f219ed819e08890bd522e4c367e46e91740c1cf636f419e30b66f7022a23216a108e3132905a4ca319307
SSDEEP

768:FdhO/poiiUcjlJInbzH9Xqk5nWEZ5SbTDagWI7CPW5N:bw+jjgn3H9XqcnW85SbTpWIl

Score

10^/10

xenorat discovery persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
10
install_path
temp
port
4444
startup_name
fortnite

Targets

- Target
  
  fn.exe
- Size
  
  45KB
- MD5
  
  224ccb2529301b657df7c6bcc7ac6613
- SHA1
  
  1743e1b819c6a20ec5b8db1024a4f460160419e7
- SHA256
  
  7d5ff178c46801beba098d2705798c99392e15dbc9ccdef3e11ed737d9dfb93d
- SHA512
  
  c09509172cb3a662ba8cf5b1df1a4c45dc014c59388f219ed819e08890bd522e4c367e46e91740c1cf636f419e30b66f7022a23216a108e3132905a4ca319307
- SSDEEP
  
  768:FdhO/poiiUcjlJInbzH9Xqk5nWEZ5SbTDagWI7CPW5N:bw+jjgn3H9XqcnW85SbTpWIl
Score

10^/10

xenorat discovery persistence privilege_escalation rat trojan
- Detect XenoRat Payload
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Modifies system executable filetype association
  persistence
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratdiscoverypersistenceprivilege_escalationrattrojan