MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e11868449abb65e5cd24b8454cc993336b1fa1462f8c8b31461dcaee3c6cf0e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XenoRAT

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	e11868449abb65e5cd24b8454cc993336b1fa1462f8c8b31461dcaee3c6cf0e3
SHA3-384 hash:	0ce7c87a5313ccce1aa6fc347c4254882fbca8ff33fd42270973cd8220ca84e49bc6d07baf966eaad4becbba5f2e4dc3
SHA1 hash:	66f071119d42023a1cd24387a19662cdf906ad22
MD5 hash:	c16e69631577cf98f535b3bc87449d8d
humanhash:	lactose-delaware-mike-eighteen
File name:	Outstanding_Payment.vbs
Download:	download sample
Signature	XenoRAT Create hunting rule
File size:	10'315 bytes
First seen:	2024-12-06 08:43:19 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	192:8tdtjLrdjOmUi27Ang2iNSiHWdhWOqVNaYFPyxDpRCI:SQmM5xN7McOTYF0MI
Threatray	165 similar samples on MalwareBazaar
TLSH	T1582257E31AF0B5D8D36E6203D7F43B6843352CB7B799AE533586E94508229C19CD29F8
Magika	vba
Reporter	abuse_ch
Tags:	vbs XenoRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.VBS.Siggen.7425.9806.2498.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6752b95319fba9940b496d41

Tags:

jenxcus office macro blic

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

dropper macros macros-on-open masquerade

Link:

https://www.filescan.io/uploads/6752b953f158f0b6a3b2a3ee/reports/3b2b6f8b-7c83-48cf-9680-6bab3bea842d/overview

Verdict:

Malicious

Labled as:

TrojanDownloader_Win32_Nemucod_ml

Link:

https://www.hybrid-analysis.com/sample/e11868449abb65e5cd24b8454cc993336b1fa1462f8c8b31461dcaee3c6cf0e3

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1569774

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with hexadecimal encoded strings

Document contains an embedded VBA with many randomly named variables

Machine Learning detection for dropped file

Multi AV Scanner detection for submitted file

Office process drops PE file

Office process queries suspicious COM object (likely to drop second stage)

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

System process connects to network (likely due to code injection or exploit)

VBScript performs obfuscated calls to suspicious functions

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e11868449abb65e5cd24b8454cc993336b1fa1462f8c8b31461dcaee3c6cf0e3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e11868449abb65e5cd24b8454cc993336b1fa1462f8c8b31461dcaee3c6cf0e3/

Threat name:

Script-WScript.Downloader.Nemucod

Status:

Malicious

First seen:

2024-12-05 18:12:36 UTC

File Type:

Text

AV detection:

14 of 38 (36.84%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4emgqre2xns6ltjexbcuzsmtgnvr7ikgf6giwmkgdxfo4pdm6drq._file

Verdict:

malicious

Label(s):

xenorat

XenoRAT

15ad522ec1e3313921cb6d311a87bca109ac311a3bfd416019fe64a7c60b3dc1

XenoRAT

1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9

XenoRAT

249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99

XenoRAT

2b700f4c8c95319e90414db0e22d42467ebf5843d397b907f817672b9501ade1

XenoRAT

730e7cf897c39641a53c1e8d4ae6cec4c57a79fcab3f4fb6c031ec5a7586cf99

XenoRAT

9cd848e17b7a87389f8f5c109688268d1810535d33b60616355633251f9c547d

XenoRAT

9f03174429e85aba8367f3b41fe7acba4b0c344fea47087bbd3c0c27f8213747

XenoRAT

error

XenoRAT

+ 155 additional samples on MalwareBazaar

Result

Malware family:

xenorat

Score:

10/10

Tags:

family:xenorat discovery macro macro_on_action rat trojan

Link:

https://tria.ge/reports/241206-km65wsvmfk/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Scheduled Task/Job: Scheduled Task

Script User-Agent

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

Office macro that triggers on suspicious action

Suspicious Office macro

Detect XenoRat Payload

XenorRat

Xenorat family

Malware Config

C2 Extraction:

87.120.120.27

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.08

Link:

https://yomi.yoroi.company/submissions/e11868449abb65e5cd24b8454cc993336b1fa1462f8c8b31461dcaee3c6cf0e3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample