MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21b7b8656a008ad3e5df1725cddf55e650812c1f3d59609f14c0d3089a886de6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XenoRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21b7b8656a008ad3e5df1725cddf55e650812c1f3d59609f14c0d3089a886de6
SHA3-384 hash: 6dbc6fe230731d2f8150eaa3a2dc151c030cc3d3062b0c4541c0eb85e335182727b5a801d6dbc64bbd5f102968e3c98f
SHA1 hash: 127d6ec83904de48d90c293e53c905fc4206bfb8
MD5 hash: f44302503ea4eedfa831c25711df51b7
humanhash: leopard-oven-lima-music
File name:f44302503ea4eedfa831c25711df51b7.exe
Download: download sample
Signature XenoRAT
Create hunting rule
File size:169'984 bytes
First seen:2024-12-06 09:00:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:XdkwdXAqPEHTJJuVqhHjFV2xEEbh9pKP2qYCp65nTGsAeXy0fkd:XmwBAQeVmWHHePH02qYCp6NGsAeXy9d
Threatray 169 similar samples on MalwareBazaar
TLSH T12BF3BEDC355472EFC85BC0B6DAA85DA4AB60347B431BD253A01B25E9AE1CA97CF041F3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 393dccda9a8c3d39 (4 x RemcosRAT, 3 x XenoRAT, 2 x AsyncRAT)
Reporter abuse_ch
Tags:exe XenoRAT


Avatar
abuse_ch
XenoRAT C2:
87.120.120.27:2222

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
87.120.120.27:2222 https://threatfox.abuse.ch/ioc/1352894/

Intelligence

File Origin
# of uploads :
1
# of downloads :
393
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Outstanding_Payment.vbs
Verdict:
Malicious activity
Analysis date:
2024-12-06 08:48:53 UTC
Tags:
rat remote
Link:
https://app.any.run/tasks/dac2137f-3410-4210-a181-1c9986089333

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6752bd5419fba9940b496ea2
Tags:
packed virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
confuser confuserex net obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6752bd53c14b32cf1c94b5a0/reports/ed2faac7-d2be-4425-9ff7-50e9fc3ad835/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/21b7b8656a008ad3e5df1725cddf55e650812c1f3d59609f14c0d3089a886de6
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df7cb7d6-a302-4447-8bf4-a0ba78f5a36d
Result
Threat name:
XenoRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1569808
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XenoRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1569808 Sample: gjot5vxpIC.exe Startdate: 06/12/2024 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 7 other signatures 2->62 9 gjot5vxpIC.exe 1 2->9         started        13 gjot5vxpIC.exe 2->13         started        process3 file4 46 C:\Users\user\AppData\...\gjot5vxpIC.exe.log, ASCII 9->46 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 9->64 66 Injects a PE file into a foreign processes 9->66 15 gjot5vxpIC.exe 3 9->15         started        18 gjot5vxpIC.exe 6 9->18         started        21 gjot5vxpIC.exe 2 9->21         started        23 gjot5vxpIC.exe 2 13->23         started        25 gjot5vxpIC.exe 2 13->25         started        27 gjot5vxpIC.exe 2 13->27         started        signatures5 process6 dnsIp7 48 C:\Users\user\AppData\...\gjot5vxpIC.exe, PE32 15->48 dropped 50 C:\Users\...\gjot5vxpIC.exe:Zone.Identifier, ASCII 15->50 dropped 29 gjot5vxpIC.exe 15->29         started        54 87.120.120.27, 2222, 49730, 49737 UNACS-AS-BG8000BurgasBG Bulgaria 18->54 52 C:\Users\user\AppData\Local\...\tmp52FC.tmp, ASCII 18->52 dropped 32 schtasks.exe 1 18->32         started        file8 process9 signatures10 68 Multi AV Scanner detection for dropped file 29->68 70 Machine Learning detection for dropped file 29->70 72 Injects a PE file into a foreign processes 29->72 34 gjot5vxpIC.exe 29->34         started        36 gjot5vxpIC.exe 29->36         started        38 gjot5vxpIC.exe 2 29->38         started        40 conhost.exe 32->40         started        process11 process12 42 WerFault.exe 2 34->42         started        44 WerFault.exe 2 36->44         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/21b7b8656a008ad3e5df1725cddf55e650812c1f3d59609f14c0d3089a886de6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21b7b8656a008ad3e5df1725cddf55e650812c1f3d59609f14c0d3089a886de6/
Threat name:
ByteCode-MSIL.Trojan.XenoRat
Create hunting rule
Status:
Malicious
First seen:
2024-12-06 09:02:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eg33qzlkacfnhzo7c4s43x2v4ziicla7hvmwbhyuydjqrguinxta._file
Verdict:
malicious
Label(s):
xenorat
Create hunting rule
Similar samples:
40ec6278632cd557b1b4a71756f605cd1579e1c54f1534c74f15751199fd521c
XenoRAT
505268b44ef9ce6e0653c581fd39bb4479d9df99b4c5f184e264ffe7e1714f2b
XenoRAT
9037601de282b706cf457116b42b3d36e3ccd7842b13b08efced4337230ced80
XenoRAT
a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895
XenoRAT
e62a8640510e8a72b5f5b9115b94439df31cfe186970ce831fc2ac200605dcaf
XenoRAT
error
XenoRAT
+ 159 additional samples on MalwareBazaar
Result
Malware family:
xenorat
Create hunting rule
Score:
  10/10
Tags:
family:xenorat discovery rat trojan
Link:
https://tria.ge/reports/241206-kyxqlavrcl/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect XenoRat Payload
XenorRat
Xenorat family
Malware Config
C2 Extraction:
87.120.120.27
Verdict:
Malicious
Tags:
red_team_tool
YARA:
SUSP_NET_NAME_ConfuserEx
Link:
https://app.threat.zone/submission/c0365d64-7988-4acc-ab2a-35f886e23f0a
Unpacked files
SH256 hash:
e0f0cd2324fa981ad7a27135647049be63e92ffe857ee799c9dca240f0d7f7b7
MD5 hash:
fba192b2b660a7eb362ac2b4387df6f4
SHA1 hash:
df664b8ffd27080fadcf65575d3cf51fa1402726
Link:
https://www.unpac.me/results/ae460e19-7c1b-4731-bf42-e5690b672f3f/
SH256 hash:
ff8980e638788e967a4094e55783c8c49e9a58e55150337a45308a2ca3d8e379
MD5 hash:
dee2eb0cee2555112da58a10388f0d53
SHA1 hash:
7d8ab1a0bdffc2b69c37a60a6c2bc26a2f5e0348
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx_Custom
Create hunting rule
Link:
https://www.unpac.me/results/ae460e19-7c1b-4731-bf42-e5690b672f3f/
SH256 hash:
a08605d0344a88d2612f7c0aada8f042ff1979e16c79c1208c2c2a211fefbabb
MD5 hash:
bed99f4ff3bd262e038d04840164f424
SHA1 hash:
32de4a745878c8e37a14a67cd69ce28fcbdb731b
Detections:
XenoRAT
Create hunting rule
win_xenorat_w0
Create hunting rule
Link:
https://www.unpac.me/results/ae460e19-7c1b-4731-bf42-e5690b672f3f/
SH256 hash:
21b7b8656a008ad3e5df1725cddf55e650812c1f3d59609f14c0d3089a886de6
MD5 hash:
f44302503ea4eedfa831c25711df51b7
SHA1 hash:
127d6ec83904de48d90c293e53c905fc4206bfb8
Link:
https://www.unpac.me/results/ae460e19-7c1b-4731-bf42-e5690b672f3f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21b7b8656a008ad3e5df1725cddf55e650812c1f3d59609f14c0d3089a886de6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_EXE_Packed_ConfuserEx_Custom
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Custom; outside of GIT
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XenoRAT

Executable exe 21b7b8656a008ad3e5df1725cddf55e650812c1f3d59609f14c0d3089a886de6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3332897/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (Unrestricted:true)high

Comments