MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0522d7e6b3fc2fbd36f0d8145de8b564146188d515099d7661de3b4d82e287f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XenoRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0522d7e6b3fc2fbd36f0d8145de8b564146188d515099d7661de3b4d82e287f4
SHA3-384 hash: dac153696214d9d1ff3a0807889fa0fef09eda03d9150e3106544d6c93d1af95077bbc1a3045e8dfb2da26f0a7439770
SHA1 hash: 3d26217dbe9f6c2ab2c78f879e348958f304527c
MD5 hash: 36e570b7964f458f06dc81b29802e947
humanhash: snake-jupiter-three-ten
File name:36E570B7964F458F06DC81B29802E947.exe
Download: download sample
Signature XenoRAT
Create hunting rule
File size:187'392 bytes
First seen:2024-10-08 11:41:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:vmXhVaFmIuuXsb0+sMAxUNb8IYaqhObXeEFkXGQYdq7guNDFtmI:vW/FHotDMA6Nb8IYa8ObvFkXGQYdq7gc
Threatray 155 similar samples on MalwareBazaar
TLSH T1E804E69C726076EEC857D072DEA86D64FA6078BB831F4613A46715ADEE0D887CF140F2
TrID 28.5% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon a0a2acecd6d0d0d8 (1 x XenoRAT)
Reporter abuse_ch
Tags:exe XenoRAT


Avatar
abuse_ch
XenoRAT C2:
87.120.116.119:1380

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
87.120.116.119:1380 https://threatfox.abuse.ch/ioc/1334715/

Intelligence

File Origin
# of uploads :
1
# of downloads :
391
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
36E570B7964F458F06DC81B29802E947.exe
Verdict:
Malicious activity
Analysis date:
2024-10-08 11:43:40 UTC
Tags:
xenorat rat confuser remote
Link:
https://app.any.run/tasks/ec4f9153-5cce-4481-98b4-5b84af114c81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67051a8cdcb599bb05a4fd6b
Tags:
Dropper Quasar Packed Msil
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0522d7e6b3fc2fbd36f0d8145de8b564146188d515099d7661de3b4d82e287f4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Xeno RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c707e61-0832-4942-a03b-7fab813e36e7
Result
Threat name:
XenoRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1528937
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected XenoRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1528937 Sample: 5fnrWlGa3H.exe Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 44 15.164.165.52.in-addr.arpa 2->44 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 9 other signatures 2->54 10 5fnrWlGa3H.exe 1 2->10         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\5fnrWlGa3H.exe.log, ASCII 10->36 dropped 64 Detected unpacking (changes PE section rights) 10->64 66 Injects a PE file into a foreign processes 10->66 14 5fnrWlGa3H.exe 4 10->14         started        17 5fnrWlGa3H.exe 14 10->17         started        21 5fnrWlGa3H.exe 10->21         started        signatures6 process7 dnsIp8 38 C:\Users\user\AppData\...\5fnrWlGa3H.exe, PE32 14->38 dropped 40 C:\Users\...\5fnrWlGa3H.exe:Zone.Identifier, ASCII 14->40 dropped 23 5fnrWlGa3H.exe 14->23         started        42 87.120.116.119, 1380, 49704, 49710 UNACS-AS-BG8000BurgasBG Bulgaria 17->42 46 Tries to harvest and steal browser information (history, passwords, etc) 17->46 26 WerFault.exe 2 21->26         started        file9 signatures10 process11 signatures12 56 Antivirus detection for dropped file 23->56 58 Multi AV Scanner detection for dropped file 23->58 60 Machine Learning detection for dropped file 23->60 62 Injects a PE file into a foreign processes 23->62 28 5fnrWlGa3H.exe 23->28         started        30 5fnrWlGa3H.exe 2 23->30         started        32 5fnrWlGa3H.exe 2 23->32         started        process13 process14 34 WerFault.exe 2 28->34         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0522d7e6b3fc2fbd36f0d8145de8b564146188d515099d7661de3b4d82e287f4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0522d7e6b3fc2fbd36f0d8145de8b564146188d515099d7661de3b4d82e287f4/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-10-06 23:55:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aurnpzvt7qx32nxq3akf32fvmqkgdcgvcuez25tb3y5u3axcq72a._file
Verdict:
malicious
Label(s):
xenorat
Create hunting rule
Similar samples:
15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1
XenoRAT
1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9
XenoRAT
249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99
XenoRAT
2b700f4c8c95319e90414db0e22d42467ebf5843d397b907f817672b9501ade1
XenoRAT
730e7cf897c39641a53c1e8d4ae6cec4c57a79fcab3f4fb6c031ec5a7586cf99
XenoRAT
9cd848e17b7a87389f8f5c109688268d1810535d33b60616355633251f9c547d
XenoRAT
9f03174429e85aba8367f3b41fe7acba4b0c344fea47087bbd3c0c27f8213747
XenoRAT
error
XenoRAT
+ 145 additional samples on MalwareBazaar
Result
Malware family:
xenorat
Create hunting rule
Score:
  10/10
Tags:
family:xenorat discovery rat trojan
Link:
https://tria.ge/reports/241008-nt1hgavfkj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect XenoRat Payload
XenorRat
Malware Config
C2 Extraction:
87.120.116.119
Verdict:
Suspicious
Tags:
red_team_tool
YARA:
SUSP_NET_NAME_ConfuserEx
Link:
https://app.threat.zone/submission/8fd7c34d-0ddc-40c0-8b8c-79041f1327bb
Unpacked files
SH256 hash:
042a840734ae2b0dd7248cf15866e2448685f68029e6941fc8e7222f61b1a152
MD5 hash:
16d8cb5f6a0375c043e086a9bc50d540
SHA1 hash:
f280dea88c3873d677efad130e80f0832f2506d2
Link:
https://www.unpac.me/results/2d126338-c4c4-4989-9c56-eb559ac4a7af/
SH256 hash:
f12e945bc96aa8fa40b04999592754f8341468cd8d5bc96c9f401d1cce5643a7
MD5 hash:
35ef4b7c1c12a359db431f9f9057340e
SHA1 hash:
34710eb15a972c336a584f29c17b5d7d76466310
Detections:
XenoRAT
Create hunting rule
win_xenorat_w0
Create hunting rule
Link:
https://www.unpac.me/results/2d126338-c4c4-4989-9c56-eb559ac4a7af/
SH256 hash:
0522d7e6b3fc2fbd36f0d8145de8b564146188d515099d7661de3b4d82e287f4
MD5 hash:
36e570b7964f458f06dc81b29802e947
SHA1 hash:
3d26217dbe9f6c2ab2c78f879e348958f304527c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/2d126338-c4c4-4989-9c56-eb559ac4a7af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0522d7e6b3fc2fbd36f0d8145de8b564146188d515099d7661de3b4d82e287f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_EXE_Packed_ConfuserEx_Custom
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Custom; outside of GIT
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments