General

  • Target

    SHCPWZUZ.zip

  • Size

    2.1MB

  • Sample

    250604-l51lhafq2s

  • MD5

    3d13d54f6b33fe9b68d804c64c911167

  • SHA1

    9bc8ef688e94137710decbd4112a9b1eac7db037

  • SHA256

    c4430b3e016c2ca5fd095eadc638c27bbd1a96a1315b04a4fffad5ff900abe0f

  • SHA512

    5dc3b55935172491819b3d01bccdc0f61b8932c7070eaec8a63ef321fde12af00796f3582d0e72cb2cb87d96ea12a1380d552d4c4f3501aad0af0c31f0758b06

  • SSDEEP

    49152:ui3gzuyFDPEDMymAS7SvxL3Rr5orXFzBLQ+MZ/Hkh3S+Jm:ui3gzuyeDEA3vXAXF9LQN/khC+Jm

Malware Config

Extracted

Family

hijackloader

Attributes
  • directory

    %APPDATA%\debugComanr_alpha

  • inject_dll

    %windir%\SysWOW64\pla.dll

xor.hex

Extracted

Family

xenorat

C2

94.130.65.160

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    600000

  • install_path

    nothingset

  • port

    4444

  • startup_name

    nothingset

Targets

    • Target

      Package/BugSplat64.dll

    • Size

      377KB

    • MD5

      77332b787c5a521cf69434278cf61c51

    • SHA1

      a9b6c1ec377188a0c4a3c17eee29421d49d3199f

    • SHA256

      044faa9060d345fb43d44a8bd8e85fe7aac597ff5444ebe5b35489eceb312783

    • SHA512

      0df5dffbc59bad8f5fe4c9ac6710079f82be0765a43f33d7ef723ce092bfa8f8083432d8c3ca2b7a61688c6bac9bbe672682b89ec56dad7cc042d5557e17f75d

    • SSDEEP

      6144:8pPawwQxTcl7BytWPZVEsTRGRXvRyZK4rtx9TYo6JqXJrhCsRiw:8aQw7VPZ9zr5YnFw

    Score
    1/10
    • Target

      Package/Device_Synth.exe

    • Size

      270KB

    • MD5

      6a06b58d738d47e93f08ff39112fba2c

    • SHA1

      3d4cbc2bf0362c3a7af191b69e310589d86bc1fb

    • SHA256

      fdbe7dbe0228baad747bf7e8d830cbfbed7d2bd3013b8080dc50e726b21ddac6

    • SHA512

      e021f725e01cb5018ec05c06f54d95b24758d137b80cbde52217bb85e2d809204f5afb90e9d57117b48135003cb7d7ba3773eb6b23dcde2bae246bd208e4f7ea

    • SSDEEP

      6144:VIaCAK/UGjgTPD/CRe4GvTS8w9hzc9ap+zGd:qz7KmH9tpT

    • Detect XenoRat Payload

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Hijackloader family

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks