MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccefb2e84c53d0542fb29deee6bcc3f83583aac48f94c9e7e3a97b9473d73f5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XenoRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccefb2e84c53d0542fb29deee6bcc3f83583aac48f94c9e7e3a97b9473d73f5f
SHA3-384 hash: e620e8dbc89d072d236b1870358c6f4819136e1df1112b82d623dc99836ee532f4cb65ff6d5b927b0851db0400f84703
SHA1 hash: 598acaf9ca68fff4842a7aa6ddff7355bc3be437
MD5 hash: ec9a0a802977a1ad347f5dc2c9afe2a0
humanhash: twelve-mobile-victor-idaho
File name:RFQ 2347272627727 (2).exe
Download: download sample
Signature XenoRAT
Create hunting rule
File size:538'112 bytes
First seen:2024-09-26 16:54:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'739 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:mTPF847SX3pdFRtoXyLAz68Q6awWLMzqrc2ip:mTd82SXRRIyaQ6aw7zqs
TLSH T151B4018457EE4AA0E17D6F740972922483F17493ED72C37D0EC4A6E92B71B809F523A7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe XenoRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
409
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ 2347272627727 (2).exe
Verdict:
No threats detected
Analysis date:
2024-09-26 16:56:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1208a96e-68a0-4c44-810c-dbab2be5eb40

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.SpywareX-gen.19576.23492.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f591ecc5ef4567b6c9d892
Tags:
Generic Static Kryptik Micro Tori Remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed phishing vbnet
Link:
https://www.filescan.io/uploads/66f591e9b9237cd7319af988/reports/9e29a238-50a4-45fb-b57c-8c6dd0590585/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ccefb2e84c53d0542fb29deee6bcc3f83583aac48f94c9e7e3a97b9473d73f5f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/abe8d539-d471-43b7-a944-df22f7cc0044
Result
Threat name:
DarkTortilla, XenoRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1519631
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected XenoRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ccefb2e84c53d0542fb29deee6bcc3f83583aac48f94c9e7e3a97b9473d73f5f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccefb2e84c53d0542fb29deee6bcc3f83583aac48f94c9e7e3a97b9473d73f5f/
Threat name:
ByteCode-MSIL.Trojan.Dothetuk
Create hunting rule
Status:
Malicious
First seen:
2024-09-26 14:17:24 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztx3f2cmkpifil5stxxonpgd7a2yhkwer6kmtz7dvf5zi46xh5pq._file
Verdict:
malicious
Label(s):
xenorat
Create hunting rule
Result
Malware family:
xenorat
Create hunting rule
Score:
  10/10
Tags:
family:xenorat discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/240926-ve41ns1dlc/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detect XenoRat Payload
XenorRat
Malware Config
C2 Extraction:
66.63.168.142
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eb5ecde3-5fca-4f24-93b2-6a2fd33c63e0
Unpacked files
SH256 hash:
2cb5b8fbcd0994c8371837858c1f6dfe8e0de017e86437c7aee38d710209f10a
MD5 hash:
4f5880d558000b383fbb6efb21100997
SHA1 hash:
d2ceb9140d797b0f4db46a0a02c274e4fe89f349
Link:
https://www.unpac.me/results/2b5fcbcd-a490-4bb7-acdd-fc41db3b3b46/
SH256 hash:
da4cb91d96214c7134a9e8799fdf241bd6b8103eecd4efb1b8c228ca3c8e7e91
MD5 hash:
9a06e083cd0531927dcd616b9b601ffa
SHA1 hash:
9584f7e1c8ab7be5900762abcaedf20cb92e4ae7
Link:
https://www.unpac.me/results/2b5fcbcd-a490-4bb7-acdd-fc41db3b3b46/
SH256 hash:
22fbb1222166f504b08a82f4de9b451634c4c69db8ed6ba7ff7c76ebf996561c
MD5 hash:
f585ce1830f52d77d88005a7a24e30ac
SHA1 hash:
540202508700a3ad05896e8997eb6068a2142727
Detections:
XenoRAT
Create hunting rule
win_xenorat_w0
Create hunting rule
Link:
https://www.unpac.me/results/2b5fcbcd-a490-4bb7-acdd-fc41db3b3b46/
Parent samples :
ccefb2e84c53d0542fb29deee6bcc3f83583aac48f94c9e7e3a97b9473d73f5f
509070cd30eb4cb05c29fe8cb222166c1c7db0f6084ea5b91e37bac79c14ac30
SH256 hash:
a1e2fd545bc3dbb0ef4bd8642ba544995f2325ee2c5256559155a9973aaf9e9a
MD5 hash:
ce95d2b1718a1adac8af55c412074551
SHA1 hash:
2cd5838a32cc01f8396a05c270e57f5367be1921
Link:
https://www.unpac.me/results/2b5fcbcd-a490-4bb7-acdd-fc41db3b3b46/
SH256 hash:
ccefb2e84c53d0542fb29deee6bcc3f83583aac48f94c9e7e3a97b9473d73f5f
MD5 hash:
ec9a0a802977a1ad347f5dc2c9afe2a0
SHA1 hash:
598acaf9ca68fff4842a7aa6ddff7355bc3be437
Link:
https://www.unpac.me/results/2b5fcbcd-a490-4bb7-acdd-fc41db3b3b46/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ccefb2e84c53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccefb2e84c53d0542fb29deee6bcc3f83583aac48f94c9e7e3a97b9473d73f5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XenoRAT

Executable exe ccefb2e84c53d0542fb29deee6bcc3f83583aac48f94c9e7e3a97b9473d73f5f

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments