Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240319-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240319-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    24/03/2024, 16:50 UTC

General

  • Target

    AuthClient.exe

  • Size

    45KB

  • MD5

    9f3540bc47fad7d3e44b77bd7d393cb9

  • SHA1

    75a3c191551c6e2383a889e19944999dcaca082e

  • SHA256

    13f183db5e4f7cbdef0673b81f35e99b712c08c6c545152ab0f8ee1ac140a8b5

  • SHA512

    465a5b0f1ddaee38fd5c28cbcc9d69489146a816d3420ed1a7ea2c0f0816b0f9a0b8f40fe88680af324404ed97db95ad8e236d06a2ea144d1c5fc8791f7226c7

  • SSDEEP

    768:7dhO/poiiUcjlJInkwH9Xqk5nWEZ5SbTDaHWI7CPW5p:pw+jjgnFH9XqcnW85SbTOWIh

Malware Config

Extracted

Family

xenorat

C2

Vallithebest-32755.portmap.host

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    2000

  • install_path

    temp

  • port

    32755

  • startup_name

    AuthClient

Signatures

  • XenoRat

    XenoRat is a remote access trojan written in C#.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AuthClient.exe
    "C:\Users\Admin\AppData\Local\Temp\AuthClient.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\AuthClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\AuthClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "AuthClient" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:1436

Network

  • DNS
    Vallithebest-32755.portmap.host
    AuthClient.exe
    Remote address:
    8.8.8.8:53
    Request
    Vallithebest-32755.portmap.host
    IN A
    Response
    Vallithebest-32755.portmap.host
    IN A
    193.161.193.99
  • DNS
    99.193.161.193.in-addr.arpa
    AuthClient.exe
    Remote address:
    8.8.8.8:53
    Request
    99.193.161.193.in-addr.arpa
    IN PTR
    Response
  • DNS
    19.229.111.52.in-addr.arpa
    AuthClient.exe
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    ctldl.windowsupdate.com
    AuthClient.exe
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    wu-bg-shim.trafficmanager.net
    wu-bg-shim.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    96.17.179.74
    a767.dspw65.akamai.net
    IN A
    96.17.179.81
    a767.dspw65.akamai.net
    IN A
    96.17.179.49
    a767.dspw65.akamai.net
    IN A
    96.17.179.48
    a767.dspw65.akamai.net
    IN A
    96.17.179.65
    a767.dspw65.akamai.net
    IN A
    96.17.179.61
    a767.dspw65.akamai.net
    IN A
    96.17.179.53
    a767.dspw65.akamai.net
    IN A
    96.17.179.56
  • DNS
    74.179.17.96.in-addr.arpa
    AuthClient.exe
    Remote address:
    8.8.8.8:53
    Request
    74.179.17.96.in-addr.arpa
    IN PTR
    Response
    74.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-74.deploy.static.akamaitechnologies.com
  • DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.229.19
  • DNS
    self.events.data.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    self.events.data.microsoft.com
    IN A
    Response
    self.events.data.microsoft.com
    IN CNAME
    self-events-data.trafficmanager.net
    self-events-data.trafficmanager.net
    IN CNAME
    onedscolprdeus05.eastus.cloudapp.azure.com
    onedscolprdeus05.eastus.cloudapp.azure.com
    IN A
    20.42.65.85
  • DNS
    85.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    85.65.42.20.in-addr.arpa
    IN PTR
    Response
  • 193.161.193.99:32755
    Vallithebest-32755.portmap.host
    AuthClient.exe
    1.1kB
    970 B
    18
    16
  • 193.161.193.99:32755
    Vallithebest-32755.portmap.host
    AuthClient.exe
    8.6kB
    13.2kB
    142
    256
  • 193.161.193.99:32755
    Vallithebest-32755.portmap.host
    AuthClient.exe
    7.3kB
    7.4kB
    84
    143
  • 193.161.193.99:32755
    Vallithebest-32755.portmap.host
    AuthClient.exe
    18.1kB
    1.0MB
    382
    735
  • 193.161.193.99:32755
    Vallithebest-32755.portmap.host
    AuthClient.exe
    1.1kB
    14.4kB
    20
    20
  • 8.8.8.8:53
    Vallithebest-32755.portmap.host
    dns
    AuthClient.exe
    362 B
    841 B
    5
    5

    DNS Request

    Vallithebest-32755.portmap.host

    DNS Response

    193.161.193.99

    DNS Request

    99.193.161.193.in-addr.arpa

    DNS Request

    19.229.111.52.in-addr.arpa

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    96.17.179.74
    96.17.179.81
    96.17.179.49
    96.17.179.48
    96.17.179.65
    96.17.179.61
    96.17.179.53
    96.17.179.56

    DNS Request

    74.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    288 B
    581 B
    4
    4

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.229.19

    DNS Request

    self.events.data.microsoft.com

    DNS Response

    20.42.65.85

    DNS Request

    85.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AuthClient.exe.log

    Filesize

    226B

    MD5

    1294de804ea5400409324a82fdc7ec59

    SHA1

    9a39506bc6cadf99c1f2129265b610c69d1518f7

    SHA256

    494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

    SHA512

    033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

  • C:\Users\Admin\AppData\Local\Temp\XenoManager\AuthClient.exe

    Filesize

    45KB

    MD5

    9f3540bc47fad7d3e44b77bd7d393cb9

    SHA1

    75a3c191551c6e2383a889e19944999dcaca082e

    SHA256

    13f183db5e4f7cbdef0673b81f35e99b712c08c6c545152ab0f8ee1ac140a8b5

    SHA512

    465a5b0f1ddaee38fd5c28cbcc9d69489146a816d3420ed1a7ea2c0f0816b0f9a0b8f40fe88680af324404ed97db95ad8e236d06a2ea144d1c5fc8791f7226c7

  • C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp

    Filesize

    1KB

    MD5

    9d60ef385e8562d61fef048cc05ad99f

    SHA1

    1f752c67fd59dfe50e2f7b06d3109a7a6d3a6270

    SHA256

    8d53562b932443a99514ff45ffa0be0b542638327c1b8c8f09553064517733c8

    SHA512

    e7145d9fc1866469c0a3ca494a89bcd08641810d816944ee45356465833df55e3d0a5dfb88e285d51d927943f6db9b3811fc11331c546432ba90f997c20bb37f

  • memory/1100-22-0x0000000005C10000-0x0000000005D0A000-memory.dmp

    Filesize

    1000KB

  • memory/1100-24-0x0000000005D60000-0x0000000005DB0000-memory.dmp

    Filesize

    320KB

  • memory/1100-16-0x0000000075190000-0x0000000075941000-memory.dmp

    Filesize

    7.7MB

  • memory/1100-17-0x0000000004C60000-0x0000000004C70000-memory.dmp

    Filesize

    64KB

  • memory/1100-61-0x0000000006EC0000-0x0000000006ECA000-memory.dmp

    Filesize

    40KB

  • memory/1100-20-0x00000000056E0000-0x0000000005746000-memory.dmp

    Filesize

    408KB

  • memory/1100-21-0x0000000075190000-0x0000000075941000-memory.dmp

    Filesize

    7.7MB

  • memory/1100-60-0x0000000006F00000-0x0000000006F92000-memory.dmp

    Filesize

    584KB

  • memory/1100-23-0x0000000005EE0000-0x00000000060A2000-memory.dmp

    Filesize

    1.8MB

  • memory/1100-59-0x0000000007410000-0x00000000079B6000-memory.dmp

    Filesize

    5.6MB

  • memory/1100-25-0x0000000005E30000-0x0000000005EA6000-memory.dmp

    Filesize

    472KB

  • memory/1100-26-0x00000000066E0000-0x0000000006C0C000-memory.dmp

    Filesize

    5.2MB

  • memory/1100-27-0x0000000006230000-0x000000000624E000-memory.dmp

    Filesize

    120KB

  • memory/1100-28-0x0000000004C60000-0x0000000004C70000-memory.dmp

    Filesize

    64KB

  • memory/1100-30-0x00000000062F0000-0x000000000638C000-memory.dmp

    Filesize

    624KB

  • memory/1100-38-0x0000000006390000-0x0000000006610000-memory.dmp

    Filesize

    2.5MB

  • memory/1100-58-0x0000000006620000-0x000000000662C000-memory.dmp

    Filesize

    48KB

  • memory/4320-15-0x0000000075190000-0x0000000075941000-memory.dmp

    Filesize

    7.7MB

  • memory/4320-0-0x0000000075190000-0x0000000075941000-memory.dmp

    Filesize

    7.7MB

  • memory/4320-1-0x0000000000020000-0x0000000000032000-memory.dmp

    Filesize

    72KB
