MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XenoRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895
SHA3-384 hash: 7d91aca43b7dc3af54ee2745a1c3e9d4048d5ca8fe829696d01c21168b1795d0230618387cb4b230c97c21cd7b0b5e46
SHA1 hash: 2123ca0e3764ba65e421d3b5dd7453da955d36f2
MD5 hash: 88696cf17417a2339b63f9452404c839
humanhash: timing-beer-lion-single
File name:88696cf17417a2339b63f9452404c839
Download: download sample
Signature XenoRAT
Create hunting rule
File size:629'724 bytes
First seen:2024-07-27 08:20:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 12288:WcrNS33L10QdrX2ZVncWqvo2GAhcWMuql8lPtahdkkB183kD:FNA3R5drXwVcWWyLZ8db3kD
Threatray 2'084 similar samples on MalwareBazaar
TLSH T147D40102B7D644B2E6721D364939B71169BCB9701F35DA2FB3C84D7ECA34180A625BB3
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 68e4d2eae8c2f070 (1 x Loki, 1 x XenoRAT)
Reporter zbetcheckin
Tags:32 exe XenoRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
88696cf17417a2339b63f9452404c839.exe
Verdict:
Malicious activity
Analysis date:
2024-07-27 08:40:25 UTC
Tags:
xenorat rat
Link:
https://app.any.run/tasks/dd0d5300-50a6-4939-907a-552cbc6b6469

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a4adf5187d0037d842f4a7
Tags:
Encryption Execution Network Static Stealth Trojan Nekark
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/66a4adf15568402317160a3b/reports/27aced69-1449-4a76-bde5-a0f47b897faf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Xeno RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a14f718-a61f-489f-88b6-c31b587ec3ce
Result
Threat name:
XenoRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1483406
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XenoRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1483406 Sample: vkXe5gkY34.exe Startdate: 27/07/2024 Architecture: WINDOWS Score: 100 81 Found malware configuration 2->81 83 Sigma detected: Scheduled temp file as task from temp location 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 6 other signatures 2->87 11 vkXe5gkY34.exe 8 2->11         started        14 efthfxj.exe 2->14         started        process3 file4 67 C:\Users\user\AppData\...\efthfxj.sfx.exe, PE32 11->67 dropped 17 cmd.exe 1 11->17         started        91 Injects a PE file into a foreign processes 14->91 19 efthfxj.exe 14->19         started        21 efthfxj.exe 14->21         started        23 efthfxj.exe 14->23         started        25 efthfxj.exe 14->25         started        signatures5 process6 process7 27 efthfxj.sfx.exe 7 17->27         started        31 conhost.exe 17->31         started        file8 69 C:\Users\user\AppData\Roaming\efthfxj.exe, PE32 27->69 dropped 89 Multi AV Scanner detection for dropped file 27->89 33 efthfxj.exe 1 27->33         started        signatures9 process10 signatures11 73 Antivirus detection for dropped file 33->73 75 Multi AV Scanner detection for dropped file 33->75 77 Detected unpacking (changes PE section rights) 33->77 79 3 other signatures 33->79 36 efthfxj.exe 3 33->36         started        39 efthfxj.exe 5 33->39         started        42 efthfxj.exe 33->42         started        44 efthfxj.exe 2 33->44         started        process12 dnsIp13 63 C:\Users\user\AppData\Roaming\...\efthfxj.exe, PE32 36->63 dropped 46 efthfxj.exe 36->46         started        71 45.66.231.63, 1243, 49710, 49711 CMCSUS Germany 39->71 65 C:\Users\user\AppData\Local\...\tmp3BF9.tmp, ASCII 39->65 dropped 49 schtasks.exe 39->49         started        51 WerFault.exe 2 42->51         started        file14 process15 signatures16 93 Antivirus detection for dropped file 46->93 95 Multi AV Scanner detection for dropped file 46->95 97 Machine Learning detection for dropped file 46->97 99 Injects a PE file into a foreign processes 46->99 53 efthfxj.exe 2 46->53         started        55 efthfxj.exe 46->55         started        57 efthfxj.exe 46->57         started        59 efthfxj.exe 46->59         started        61 conhost.exe 49->61         started        process17
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895/
Threat name:
ByteCode-MSIL.Trojan.XenoRat
Create hunting rule
Status:
Malicious
First seen:
2024-07-27 08:21:13 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ux3ctzroqajmb2wydndcxqc6zhjahfnpgeq7q6lb7hjn7xuqrckq._file
Verdict:
malicious
Similar samples:
231733d95aea19422658b004868f2634ff992714a533839e4c8cb94859ab619c
XenoRAT
3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f
XenoRAT
33d31a4576721d116977faf9687fb9832e95999d28209aabaed55a24a3d6f581
XenoRAT
55066b9bf6963a3459417d3056ecbd6b7f875168e6d11885f8506c19ddbd9872
XenoRAT
8eb8ebe00262f74321167beca9e51f62add06e4460e2f274f857e3d7664cb9a9
XenoRAT
b23e432607f98a398b19419f30eca5bdbca21b662ce18b882830bfef370a9a46
XenoRAT
dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38
XenoRAT
fbb251f9916a362e527e962c4e2b0950f75de2226f3e3092813fa35eb6392bb7
XenoRAT
ffca962687d50ad9f158e62a6c042efe67fbb9bdad9799ccd60762c03466d13c
XenoRAT
+ 2'074 additional samples on MalwareBazaar
Result
Malware family:
xenorat
Create hunting rule
Score:
  10/10
Tags:
family:xenorat discovery rat trojan
Link:
https://tria.ge/reports/240727-j8zr9szale/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
XenorRat
Malware Config
C2 Extraction:
45.66.231.63
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b1a5a099-395c-4ac7-a695-bc22df9ad8c5
Unpacked files
SH256 hash:
b6923bd1d9d2e7f0ffc2902e07ae78a14434998c5e83913eb90f117b0f74871b
MD5 hash:
890cd71bb1f5ee86a7d76d7e487b48bc
SHA1 hash:
deb6b6c115a21da19480f6bd8b4b64cbdd415852
Link:
https://www.unpac.me/results/dd6e9216-0b5f-4e00-ad93-236d6b825f06/
SH256 hash:
fcf76fac3c6d8312f552bd5a0a32ad0186f23f6044fbf654174a60216933b35d
MD5 hash:
491889a9d747727f7f135721606caa14
SHA1 hash:
7e4f6bf86a342ad5087d2cb3af9b23612d37d652
Detections:
XenoRAT
Create hunting rule
Link:
https://www.unpac.me/results/dd6e9216-0b5f-4e00-ad93-236d6b825f06/
Parent samples :
38b26e2364bc081a90145838451341f14bda3cbd15bba54bf0114cab5d2f8667
54eafd9bd8105444ccd57e92dc3bee43166532da0a71e26686fe9913956f6243
a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895
SH256 hash:
7f880e17ed6f11e00fde4a66485989bd02b4794af0aab168f82b14cba8df51d7
MD5 hash:
2d009a7a490519b91dbadf03c41c3283
SHA1 hash:
2465bd8782ca0fffb949e24f7f2ec16511100546
Link:
https://www.unpac.me/results/dd6e9216-0b5f-4e00-ad93-236d6b825f06/
SH256 hash:
b22d728e7abbd21dded3d9d2df95b1eb9f1d2f4b1c13f8ff85d217d59f1674f5
MD5 hash:
f952e9209d0de4ede02aa4a1a6cfb72a
SHA1 hash:
9a940b2543583698c2ea6d0feeff5a62c39c68cb
Link:
https://www.unpac.me/results/dd6e9216-0b5f-4e00-ad93-236d6b825f06/
SH256 hash:
a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895
MD5 hash:
88696cf17417a2339b63f9452404c839
SHA1 hash:
2123ca0e3764ba65e421d3b5dd7453da955d36f2
Link:
https://www.unpac.me/results/dd6e9216-0b5f-4e00-ad93-236d6b825f06/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XenoRAT

Executable exe a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3068473/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments


Avatar
zbet commented on 2024-07-27 08:20:23 UTC

url : hxxp://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe