MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XenoRAT


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
SHA3-384 hash: 56548b4ea93f868b8533bf86e6f57e42a038483b923aedb9a51e0cc2f7900d2ee17f4a03e62d1f9941eeba8282a8dbac
SHA1 hash: 83032ec361ea8b15ef956536999b754db6a12423
MD5 hash: 57fcc042b0f7783567878d217ae69e25
humanhash: pizza-december-mockingbird-sad
File name:57fcc042b0f7783567878d217ae69e25.exe
Download: download sample
Signature XenoRAT
Create hunting rule
File size:170'496 bytes
First seen:2024-12-10 07:20:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:sx0yjrZkg1DP9onHyAhZKoQd0z269TAfL7/Rwf+hO3IyYPC+X4og6Rd:iRjfAi7ymn/LhO3IyYPzX4oVd
Threatray 192 similar samples on MalwareBazaar
TLSH T14FF3BF8C799471DFC85BD476CAAC1CA4BBA1747B930BC203A41721A9AE0DA97CF151F3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 70e88894e8b2e458 (1 x AveMariaRAT, 1 x XenoRAT)
Reporter abuse_ch
Tags:exe XenoRAT


Avatar
abuse_ch
XenoRAT C2:
87.120.121.160:4567

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
87.120.121.160:4567 https://threatfox.abuse.ch/ioc/1354122/

Intelligence

File Origin
# of uploads :
1
# of downloads :
504
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c
Verdict:
Malicious activity
Analysis date:
2024-12-08 21:32:41 UTC
Tags:
macros macros-on-open loader xenorat rat confuser
Link:
https://app.any.run/tasks/d3693452-2d50-4252-b3d9-831a61181548

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6757ec1148182d1685576bb6
Tags:
packed virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Searching for synchronization primitives
Creating a file
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %temp% directory
Launching a process
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
confuser confuserex net obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6757ec629944edf9271a33f0/reports/5db580f5-cf1d-4356-a99e-df7c58b9237e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/13bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Xeno RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7602b3f-6972-4fbb-9cb5-c9615f87a009
Result
Threat name:
XenoRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1572194
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XenoRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1572194 Sample: XUhf3m5FmK.exe Startdate: 10/12/2024 Architecture: WINDOWS Score: 100 56 dns.stipamana.com 2->56 60 Suricata IDS alerts for network traffic 2->60 62 Found malware configuration 2->62 64 Sigma detected: Scheduled temp file as task from temp location 2->64 66 8 other signatures 2->66 9 XUhf3m5FmK.exe 1 2->9         started        13 XUhf3m5FmK.exe 2->13         started        signatures3 process4 file5 48 C:\Users\user\AppData\...\XUhf3m5FmK.exe.log, ASCII 9->48 dropped 68 Uses schtasks.exe or at.exe to add and modify task schedules 9->68 15 XUhf3m5FmK.exe 4 9->15         started        18 XUhf3m5FmK.exe 5 9->18         started        21 XUhf3m5FmK.exe 9->21         started        70 Injects a PE file into a foreign processes 13->70 23 XUhf3m5FmK.exe 13->23         started        25 XUhf3m5FmK.exe 2 13->25         started        27 XUhf3m5FmK.exe 2 13->27         started        signatures6 process7 dnsIp8 50 C:\Users\user\AppData\...\XUhf3m5FmK.exe, PE32 15->50 dropped 52 C:\Users\...\XUhf3m5FmK.exe:Zone.Identifier, ASCII 15->52 dropped 29 XUhf3m5FmK.exe 15->29         started        58 dns.stipamana.com 87.120.121.160, 4567, 49730, 49733 UNACS-AS-BG8000BurgasBG Bulgaria 18->58 54 C:\Users\user\AppData\Local\...\tmpE4A7.tmp, ASCII 18->54 dropped 32 schtasks.exe 1 18->32         started        34 WerFault.exe 2 21->34         started        36 WerFault.exe 23->36         started        file9 process10 signatures11 72 Multi AV Scanner detection for dropped file 29->72 74 Machine Learning detection for dropped file 29->74 76 Injects a PE file into a foreign processes 29->76 38 XUhf3m5FmK.exe 2 29->38         started        40 XUhf3m5FmK.exe 2 29->40         started        42 XUhf3m5FmK.exe 2 29->42         started        44 WMIADAP.exe 29->44         started        46 conhost.exe 32->46         started        process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/13bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564/
Threat name:
ByteCode-MSIL.Trojan.Xenorat
Create hunting rule
Status:
Malicious
First seen:
2024-12-06 16:37:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=co6t5yrgcfg3rympf7sbjj7cytqjg7w2pwfafmxp5ovcv6bdqvsa._file
Verdict:
malicious
Label(s):
xenorat
Create hunting rule
Similar samples:
505268b44ef9ce6e0653c581fd39bb4479d9df99b4c5f184e264ffe7e1714f2b
XenoRAT
9037601de282b706cf457116b42b3d36e3ccd7842b13b08efced4337230ced80
XenoRAT
a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895
XenoRAT
c9ab3c4481da95348f1d65fecb8da349ecdb1826f16d27ee3e5c5a0d49384c52
XenoRAT
e62a8640510e8a72b5f5b9115b94439df31cfe186970ce831fc2ac200605dcaf
XenoRAT
error
XenoRAT
+ 182 additional samples on MalwareBazaar
Result
Malware family:
xenorat
Create hunting rule
Score:
  10/10
Tags:
family:xenorat discovery rat trojan
Link:
https://tria.ge/reports/241210-h6nfsatlaj/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect XenoRat Payload
XenorRat
Xenorat family
Malware Config
C2 Extraction:
dns.stipamana.com
Verdict:
Malicious
Tags:
red_team_tool XenoRat
YARA:
SUSP_NET_NAME_ConfuserEx
Link:
https://app.threat.zone/submission/89b4674c-69c5-49e2-8f77-2a646af646ff
Unpacked files
SH256 hash:
98f3ed6c819b4269a3a48b98aeb13d493edaf2ac926703e87a24d49b0eea82a0
MD5 hash:
712a43a8614c2343a647d62234afa0ae
SHA1 hash:
ef1a2aa45b2abb4ea9782a90c396dcf571464a2c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx_Custom
Create hunting rule
Link:
https://www.unpac.me/results/6411ff4c-a03b-4d0b-8225-a3dbcc80bcdf/
SH256 hash:
97b65f9ec21a8b04c4589316e3a301c671a39f1fe4299e5d493545861f91a7e0
MD5 hash:
ead52a1cc6adc511fda89398c864d35b
SHA1 hash:
25a29ee5dbeb3032131b9bef2352fc6c17cf3a07
Detections:
XenoRAT
Create hunting rule
win_xenorat_w0
Create hunting rule
Link:
https://www.unpac.me/results/6411ff4c-a03b-4d0b-8225-a3dbcc80bcdf/
SH256 hash:
f1d4ce0c1231b49e4db0184fd7cb2c1639c2124fb71f731a281fba408ba1bb1d
MD5 hash:
d5c007ddcce18dbc2ad1453d5a3426a2
SHA1 hash:
1b1afb3aff4ac4aee699e6cb981525dcccc6973b
Link:
https://www.unpac.me/results/6411ff4c-a03b-4d0b-8225-a3dbcc80bcdf/
SH256 hash:
13bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
MD5 hash:
57fcc042b0f7783567878d217ae69e25
SHA1 hash:
83032ec361ea8b15ef956536999b754db6a12423
Link:
https://www.unpac.me/results/6411ff4c-a03b-4d0b-8225-a3dbcc80bcdf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_EXE_Packed_ConfuserEx_Custom
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Custom; outside of GIT
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (Unrestricted:true)high

Comments