VRad

#xenorat_020924

Sep 2nd, 2024 (edited)
#IOC #OptiData #VR #xenorat #stego #pngbase64 #PowerShell #RegAsm

https://pastebin.com/g3uLCCqB

previous_contact:
n/a

FAQ:
https://github.com/moom825/xeno-rat
https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat

attack_vector
--------------
email attach .rar > .rar (pwd) > .vbs > WScript > powershell > get bitbucket .jpg & .txt > RegAsm.exe > C2


# # # # # # # #
email_headers
# # # # # # # #
Date: Mon, 2 Sep 2024 10:51:51 +0200
From: Господарський суд Одеської області (Commercial Court of Odesa Oblast) <contact @diagjfl _fr>
Subject: Повідомлення про виробництво щодо ТОВ _назва_жертви (Notice of proceedings regarding _victim_name_ LLC)
Reply-To: Господарський суд Одеської області (Commercial Court of Odesa Oblast) <inbox @od _arbitr _gov _ua>
Received: from ns0 _arobiz _pro ([185 _34 _32 _71]
Received: from (unknown [217 _196 _98 _177])
Message-ID: <20240902085152 _BA7402E00CF1 @mail _arobiz _pro>
note: the From domain (diagjfl _fr) and sending host (arobiz _pro) do not match the impersonated court's Reply-To domain (od _arbitr _gov _ua)

# # # # # # # #
files
# # # # # # # #
SHA-256 93b777a3bf5c868c9fec5465aa912f79e45589d136cb7e32e74c995ac80c8631
File name Документи (СУД).rar  (Documents (COURT).rar)
File size 11.67 KB (11955 bytes)

SHA-256 17504af5f0b685f934404a49fe6ce392cdaa9717b70099635383d450708d3f89
File name Документи (СУД).rar  (Documents (COURT).rar)
File size 11.20 KB (11470 bytes)

SHA-256 5640cb7c1399cf63031ade147e623ad9f9d63fb350addc550eae4141c2fe4431
File name Копія вихідної позовної ухвали.vbs  (Copy of the outgoing claim ruling.vbs)
File size 14.40 KB (14741 bytes)

SHA-256 3e243672f6c94dd0edc7e41d6ab0920b1cd174fe102c71ae73d013c552edd6e4
File name new_image(1).jpg
File size 4.71 MB (4942734 bytes)

SHA-256 f20c466371b9a1447ffd85284b95d8ec4959373f824bf0363b82eaa4ac18b4cf
File name 5652.txt
File size 61.36 KB (62836 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR bitbucket _org /hgdfhdfgd/test /downloads/ new_image.jpg? 11811735 [loader]
bitbucket _org /hgdfhdfgd/test /downloads/ new_image.jpg? 14441723 [loader]
bitbucket _org /sdgw/sdge /downloads/ .txt [payload]

C2 111 _90 _147 _147


netwrk
--------------
185 _166 _143 _49 bitbucket _org 443 TLSv1.2 Client Hello (SNI=bitbucket _org)
52 _216 _217 _105 bbuseruploads _s3 _amazonaws _com 443 TLSv1.2 Client Hello
111 _90 _147 _147 5652 TCP 50725 → 5652 [SYN]
note: the two 443 peers are Bitbucket / AWS S3 front-ends shared with legitimate traffic; pivot on the repo paths and the C2 (111 _90 _147 _147:5652), not on those IPs

comp
--------------
powershell.exe 185 _166 _143 _49
powershell.exe 52 _216 _217 _105
RegAsm.exe 111 _90 _147 _147

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\User01\Desktop\Копія вихідної позовної ухвали.vbs"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = . . .
startFlag = <<BASE64_START>>; endFlag = <<BASE64_END>>
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

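The proc section shows the PowerShell stage carving base64 text out of the downloaded .jpg between the flags <<BASE64_START>> and <<BASE64_END>> and handing the result to RegAsm.exe. The script below is an added analysis example, not code from this paste and not the actor's loader: it reproduces only the carving step so an analyst can pull the embedded payload out of a captured image and triage it. The sample "image" (SAMPLE_JPG) and the fake MZ/PE stub (FAKE_PE) are constructed here for the demo; the real new_image.jpg is not reproduced.

```python
"""Carve the base64 blob a loader hides between text flags inside an image file."""
import base64
import binascii
import hashlib
import re
import struct
from typing import Optional

# Flags quoted in the paste's proc section.
START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"


def carve_payload(data: bytes) -> Optional[bytes]:
    """Decode the base64 text between the two flags; None if absent or invalid.

    The search runs over raw file bytes: the loader reads the image as text and
    never decodes the JPEG, so the picture is only a carrier for the blob.
    """
    start = data.find(START_FLAG)
    if start == -1:
        return None
    start += len(START_FLAG)
    end = data.find(END_FLAG, start)
    if end == -1:
        return None
    blob = re.sub(rb"\s+", b"", data[start:end])  # tolerate wrapped base64
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None


def describe_payload(payload: bytes) -> dict:
    """Cheap triage of the carved bytes: size, hash, and whether it is a PE image."""
    is_pe = False
    if payload[:2] == b"MZ" and len(payload) >= 0x40:
        e_lfanew = struct.unpack_from("<I", payload, 0x3C)[0]
        is_pe = payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return {
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "is_pe": is_pe,
    }


def analyze(data: bytes) -> Optional[dict]:
    """Carve and triage in one call; None means the flags were not found."""
    payload = carve_payload(data)
    return None if payload is None else describe_payload(payload)


# --- constructed sample (not real malware) ---------------------------------
# Stand-in for the carried executable: a 64-byte DOS stub whose e_lfanew points
# at a PE signature, followed by filler. It is not a runnable program.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"stub" * 16
# Stand-in for new_image.jpg: JPEG SOI/EOI bytes around the flagged base64.
SAMPLE_JPG = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 32
    + START_FLAG + b"\n" + base64.b64encode(FAKE_PE) + b"\n" + END_FLAG
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(analyze(SAMPLE_JPG))
    print(analyze(b"\xff\xd8\xff\xd9"))  # no flags present
```

Run it against the real file with `analyze(open("new_image.jpg", "rb").read())`; a result with is_pe set to True and a SHA-256 you can pivot on in VT is what to expect from this chain. The flag strings are treated as literal bytes, so if a variant changes them only START_FLAG and END_FLAG need editing.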
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Mon Sep 2 16:41:22 2024
My Program Windows PowerShell (Verified) Microsoft Windows C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe Mon Dec 4 08:21:56 2023
powershell.exe Invoke-Expression 'C:\Users\User01\AppData\Local\Temp\svhost.vbs'

drop
--------------
C:\Users\User01\AppData\Local\Temp\svhost.vbs

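The proc, persist and netwrk sections together give four behaviours worth hunting for regardless of the hashes: WScript spawning PowerShell, PowerShell spawning RegAsm.exe, RegAsm.exe opening an outbound connection, and a Run key that runs Invoke-Expression on a .vbs in %TEMP%. The code below is an added detection example, not part of this paste: it applies those four checks to Sysmon-shaped event records (EventID 1 process create, 3 network connect, 13 registry value set). The field names follow Sysmon, but SAMPLE_EVENTS is constructed here from the values in the sections above, and the Initiated field is a Python bool rather than Sysmon's "true"/"false" string.

```python
"""Hunt the XenoRAT delivery chain from the paste in process/registry/network telemetry."""
import re
from collections import defaultdict

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
POWERSHELL = ("powershell.exe", "pwsh.exe")
DOWNLOAD_HOSTS = ("bitbucket.org", "bbuseruploads.s3.amazonaws.com")


def _base(path: str) -> str:
    """Lower-case file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> dict:
    """Return {rule_name: [matching events]} for the behaviours seen in this chain."""
    hits = defaultdict(list)
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            parent, child = _base(ev.get("ParentImage", "")), _base(ev["Image"])
            # Stage 1: the .vbs run by WScript spawns PowerShell.
            if parent == "wscript.exe" and child in POWERSHELL:
                hits["wscript_spawns_powershell"].append(ev)
            # Stage 3: PowerShell launches RegAsm.exe, a .NET SDK tool that a
            # user-facing script has no normal reason to start.
            if parent in POWERSHELL and child == "regasm.exe":
                hits["powershell_spawns_regasm"].append(ev)
        elif eid == 3:
            image = _base(ev["Image"])
            # RegAsm.exe registers assemblies locally; it should never talk to the network.
            if image == "regasm.exe" and ev.get("Initiated", True):
                hits["regasm_network_connection"].append(ev)
            # PowerShell pulling files from a code-hosting download endpoint (low confidence
            # on its own, strong when combined with the process-tree rules above).
            host = ev.get("DestinationHostname", "").lower()
            if image in POWERSHELL and host.endswith(DOWNLOAD_HOSTS):
                hits["powershell_downloads_from_bitbucket"].append(ev)
        elif eid == 13:
            target = ev.get("TargetObject", "").lower()
            details = ev.get("Details", "").lower()
            # Persistence: Run value that IEX-es a .vbs dropped under %TEMP%.
            if (RUN_KEY in target
                    and re.search(r"invoke-expression|\biex\b", details)
                    and re.search(r"\\appdata\\local\\temp\\[^'\s]+\.vbs", details)):
                hits["run_key_iex_temp_vbs"].append(ev)
    return dict(hits)


# --- constructed sample events, modelled on the proc/persist/netwrk sections ----
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WScript.exe", "Image": PS,
     "CommandLine": '"%s" "$codigo = ..."' % PS},
    {"EventID": 3, "Image": PS, "DestinationHostname": "bitbucket.org",
     "DestinationPort": 443, "Initiated": True},
    {"EventID": 1, "ParentImage": PS, "Image": REGASM, "CommandLine": REGASM},
    {"EventID": 3, "Image": REGASM, "DestinationIp": "111.90.147.147",
     "DestinationPort": 5652, "Initiated": True},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program",
     "Details": r"powershell.exe Invoke-Expression 'C:\Users\User01\AppData\Local\Temp\svhost.vbs'"},
    # benign control: explorer launching notepad should match nothing
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, matched in detect(SAMPLE_EVENTS).items():
        print(rule, len(matched))
```

The rules key on process lineage and on a signed Microsoft binary doing something it never needs to (RegAsm.exe with a socket), so they keep firing after the actor rotates the Bitbucket repo, the image hash or the C2 IP; the download-host rule is the noisiest and is best used as an enrichment for the others rather than a stand-alone alert.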
# # # # # # # #
additional info
# # # # # # # #
mutex fjsjhgf

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/93b777a3bf5c868c9fec5465aa912f79e45589d136cb7e32e74c995ac80c8631/details
https://www.virustotal.com/gui/file/17504af5f0b685f934404a49fe6ce392cdaa9717b70099635383d450708d3f89/details
https://www.virustotal.com/gui/file/5640cb7c1399cf63031ade147e623ad9f9d63fb350addc550eae4141c2fe4431/details
https://www.virustotal.com/gui/file/3e243672f6c94dd0edc7e41d6ab0920b1cd174fe102c71ae73d013c552edd6e4/details
https://www.virustotal.com/gui/file/f20c466371b9a1447ffd85284b95d8ec4959373f824bf0363b82eaa4ac18b4cf/details

VR