MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XenorRat


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790
SHA3-384 hash: 896119340cdc84c6a0f449a577606b6c333f538136c5595aabb12dc50dfc60276d5789a1bccb9cdc70020d78baed0737
SHA1 hash: d0906a55b742bd11e29c2bf6a87dfe3a6dbd547e
MD5 hash: a5825c821946808fb1f3b22645fbfd9d
humanhash: wisconsin-winter-massachusetts-idaho
File name:Comprobante.exe
Download: download sample
Signature XenorRat
Create hunting rule
File size:184'832 bytes
First seen:2024-05-08 15:26:44 UTC
Last seen:2024-05-08 16:23:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:+h9LvhVRMQ8at9vMJdr5QckDMV3HycZg8dZuFyjwUZpVTdlRI:tFaj8mMxHy9yQyjwUZpVTdLI
Threatray 16 similar samples on MalwareBazaar
TLSH T1F60408DD726072DFC867C4729EA81CA8EA64747B831F9213A02715ADDE4D897CF250F2
TrID 28.5% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter lowmal3
Tags:exe XenorRat

Intelligence

File Origin
# of uploads :
2
# of downloads :
308
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790.exe
Verdict:
Malicious activity
Analysis date:
2024-05-08 15:27:19 UTC
Tags:
xenorat rat remote
Link:
https://app.any.run/tasks/79b14fe0-27fb-426c-80b9-7a7afb3c3151

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
confuser confuserex packed packed
Link:
https://www.filescan.io/uploads/663b99c611114a9ab5e3122a/reports/52d82048-3949-4bd6-a34a-f525665f0ab5/overview
Verdict:
Malicious
Labled as:
Ransom.Jigsaw.Generic
Link:
https://www.hybrid-analysis.com/sample/a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f705de97-a0c9-4ef6-a6b2-3c68547cde7c
Result
Threat name:
XenoRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1438405
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected XenoRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1438405 Sample: Comprobante.exe Startdate: 08/05/2024 Architecture: WINDOWS Score: 100 52 dns.requimacofradian.site 2->52 56 Snort IDS alert for network traffic 2->56 58 Found malware configuration 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 10 other signatures 2->62 9 Comprobante.exe 1 2->9         started        12 Comprobante.exe 2->12         started        signatures3 process4 signatures5 64 Detected unpacking (changes PE section rights) 9->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 9->66 14 Comprobante.exe 4 9->14         started        17 Comprobante.exe 25 9->17         started        21 Comprobante.exe 9->21         started        68 Injects a PE file into a foreign processes 12->68 23 Comprobante.exe 12->23         started        25 Comprobante.exe 12->25         started        27 Comprobante.exe 12->27         started        process6 dnsIp7 46 C:\Users\user\AppData\...\Comprobante.exe, PE32 14->46 dropped 29 Comprobante.exe 14->29         started        50 dns.requimacofradian.site 91.92.243.131, 1253, 49706, 49707 THEZONEBG Bulgaria 17->50 48 C:\Users\user\AppData\Local\...\tmp5947.tmp, ASCII 17->48 dropped 54 Tries to harvest and steal browser information (history, passwords, etc) 17->54 32 schtasks.exe 1 17->32         started        34 WerFault.exe 2 21->34         started        36 WerFault.exe 23->36         started        file8 signatures9 process10 signatures11 70 Antivirus detection for dropped file 29->70 72 Multi AV Scanner detection for dropped file 29->72 74 Machine Learning detection for dropped file 29->74 76 Injects a PE file into a foreign processes 29->76 38 Comprobante.exe 2 29->38         started        40 Comprobante.exe 2 29->40         started        42 Comprobante.exe 2 29->42         started        44 conhost.exe 32->44         started        process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790/
Threat name:
ByteCode-MSIL.Trojan.XenoRat
Create hunting rule
Status:
Malicious
First seen:
2024-05-08 12:57:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=unahiwsvtfyyr36tjsoyhqmg3y5ythb3tdiftaxte7yufxvp46ia._file
Verdict:
malicious
Similar samples:
19074e7a2c8b41cebef774134e1caac0d9f085c58143d3a2ccdc46e77cadb61d
XenorRat
505268b44ef9ce6e0653c581fd39bb4479d9df99b4c5f184e264ffe7e1714f2b
XenorRat
52c06bcb8fad3ada3f6d6eeabff5f2a8fe7876a92bc12b1ff256d6daf1f29e56
XenorRat
64a7cb7696b989b9efd4dc55d27734ff145947bdb1f00cc8ccb3aef375482b13
XenorRat
9cd848e17b7a87389f8f5c109688268d1810535d33b60616355633251f9c547d
XenorRat
a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790
XenorRat
b9680d8e2432301e9626ea6e2cf95049f34c4f1a7332c3d6d02f571ab41ef888
XenorRat
+ 6 additional samples on MalwareBazaar
Result
Malware family:
xenorat
Create hunting rule
Score:
  10/10
Tags:
family:xenorat rat spyware stealer trojan
Link:
https://tria.ge/reports/240508-svqrwadd85/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
XenorRat
Malware Config
C2 Extraction:
dns.requimacofradian.site
Unpacked files
SH256 hash:
ce0b35fd34629ca0910b7869f706b6caf7bde22b136255d828895accd89de5a4
MD5 hash:
b296b57acaae45e465bd250c635c33fd
SHA1 hash:
fdbb5a0f7569a95ae56d22174b833242b721fb4b
Detections:
XenoRAT
Create hunting rule
Link:
https://www.unpac.me/results/da7b8646-4fa4-4457-a7c3-7fb9f454cf94/
Parent samples :
a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790
2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a
SH256 hash:
efe3d2796f8eaffa2f825addbcae04499c4e07e1ccb88e1dbfadee4b62b1a5a5
MD5 hash:
6da5e865fabb07dc5e6bc029fc4a1e64
SHA1 hash:
227eb16a015a411564f391a58c6cbaefacf765e1
Link:
https://www.unpac.me/results/da7b8646-4fa4-4457-a7c3-7fb9f454cf94/
SH256 hash:
a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790
MD5 hash:
a5825c821946808fb1f3b22645fbfd9d
SHA1 hash:
d0906a55b742bd11e29c2bf6a87dfe3a6dbd547e
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/da7b8646-4fa4-4457-a7c3-7fb9f454cf94/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a340745a5599/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XenorRat

Executable exe a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments