MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XenoRAT

Vendor detections: 15

SHA256 hash: 1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9
SHA3-384 hash: fd7e62cee47f60dda694ca16505ef5fc0fb11e07237cef207a105876c43a4215bae263c0e2e4a2d1b26419b537658320
SHA1 hash: 5d09095bde071815b26624712352a9b0cc579d16
MD5 hash: 0551dcf55adc23a07d56580729730d50
humanhash: jupiter-papa-zebra-aspen
File name: 1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9
Signature: XenoRAT
File size: 240'640 bytes
First seen: 2024-07-01 14:29:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 6144:v5N2IzPXRuvbd0hT0rh+PGdhhG1soMRxPqs9sm6I:72IzPXYZ0+l+OPcVixPqs9smP
Threatray: 92 similar samples on MalwareBazaar
TLSH: T1F6345A9D765072DFC867C476DEA82C64EB64747B531BC203A06726ADAE0C99BCF140F2
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE): PE icon
dhash icon: 1404170f0fc2cce2 (6 x XenoRAT, 4 x Loki)
Reporter: adrian__luca
Tags: exe XenoRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 331
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9
Verdict: Malicious activity
Analysis date: 2024-07-01 14:28:56 UTC
Tags: xenorat rat amsi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 93.3%
Tags: Execution Network Stealth Msil
Result
Verdict: Malware
Maliciousness:
Behaviour
Restart of the analyzed sample
Creating a file
Creating a file in the %AppData% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: XenoRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XenoRAT
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID 1465432, sample xzMyweCMgr.exe, start date 01/07/2024, architecture WINDOWS, score 100]
  Process tree: xzMyweCMgr.exe starts further xzMyweCMgr.exe instances, schtasks.exe (with conhost.exe) and WerFault.exe
  Dropped files: C:\Users\user\AppData\...\xzMyweCMgr.exe.log (ASCII), C:\Users\user\AppData\...\xzMyweCMgr.exe (PE32), C:\Users\...\xzMyweCMgr.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmpADFF.tmp (ASCII)
  Network: 91.92.248.167 on ports 1280, 56715, 56716 (THEZONEBG, Bulgaria); reverse DNS lookups for 86.23.85.13.in-addr.arpa and 171.39.242.20.in-addr.arpa
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2024-06-27 03:21:00 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family: xenorat
Score: 10/10
Tags: family:xenorat rat trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
XenorRat
Malware Config
C2 Extraction: 91.92.248.167
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 6904c2c10ac3d272676a4c24036e3b8f9918a6162b9c5206c97432dd6f7437e1
MD5 hash: 551d75956f4f6e8f80751bbd2f676256
SHA1 hash: c603f289a0e9622fc97699e0b20b2d63e455957d

SHA256 hash: 836eb27f5d66fe307459a8c4e92207cdac824c5e5a6d1af6ab5e56fe8d047196
MD5 hash: f4318516a16518d6e50c7c50ae5b1098
SHA1 hash: 0fb0cffeee70167f91258b63d44bee268673e859
Detections: INDICATOR_EXE_Packed_ConfuserEx

SHA256 hash: 1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9
MD5 hash: 0551dcf55adc23a07d56580729730d50
SHA1 hash: 5d09095bde071815b26624712352a9b0cc579d16
Detections: INDICATOR_EXE_Packed_ConfuserEx
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: Multifamily_RAT_Detection
Author: Lucas Acha (http://www.lukeacha.com)
Description: Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                        | Title                                             | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                              | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF)   | high
