xenorat | a3254b90b2c6e12c29f7d9f538087da2d4bb7f64d003c591c8936cee7dd74b39

Analysis

max time kernel
132s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
31-05-2024 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hjhjjhjh.exe
Size

45KB
MD5

4091b1844d11374da445542dae37c305
SHA1

029f3396c39f543dd984031eb82edcc035ed0a25
SHA256

a3254b90b2c6e12c29f7d9f538087da2d4bb7f64d003c591c8936cee7dd74b39
SHA512

c0a7709ed26d1643776dddb992fdf4910247da5b7548b1780212ad7183bc295a58832243d99ea68e84807ad4db4d5895dcec79f32f3464a1a97ba6ae02d447eb
SSDEEP

768:5dhO/poiiUcjlJIn1sPH9Xqk5nWEZ5SbTDaLluI7CPW5o:3w+jjgnGPH9XqcnW85SbTEuIg

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

character-acquisitions.gl.at.ply.gg

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
5050
startup_name
gggggg

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 1 IoCs

Processes:

hjhjjhjh.exe

pid process

1468 hjhjjhjh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4000 schtasks.exe

pid	process
1468	hjhjjhjh.exe

pid	process
4000	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

hjhjjhjh.exehjhjjhjh.exe

description	pid	process	target process
PID 4348 wrote to memory of 1468	4348	hjhjjhjh.exe	hjhjjhjh.exe
PID 4348 wrote to memory of 1468	4348	hjhjjhjh.exe	hjhjjhjh.exe
PID 4348 wrote to memory of 1468	4348	hjhjjhjh.exe	hjhjjhjh.exe
PID 1468 wrote to memory of 4000	1468	hjhjjhjh.exe	schtasks.exe
PID 1468 wrote to memory of 4000	1468	hjhjjhjh.exe	schtasks.exe
PID 1468 wrote to memory of 4000	1468	hjhjjhjh.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\hjhjjhjh.exe
"C:\Users\Admin\AppData\Local\Temp\hjhjjhjh.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "gggggg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65BF.tmp" /F
3⤵
- Creates scheduled task(s)
PID:4000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hjhjjhjh.exe.log
Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp65BF.tmp
Filesize
1KB

MD5
1da92f89439d606693cb5fe544506d3f

SHA1
6b16ca9e828f603b4dab3da05a41b7581e11eccf

SHA256
5395d00c0c209d074abb317ce84f2bea3b59d9a5988a6f1dce1a726efdd551b7

SHA512
2a7803ef21453f8597de421b2aa12cad262dbb5f29d27f6307877469079d4b07a18d6e65ada7c268eeaed3f57111f8c1a100d6e86881c886a6da5950856700ea

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe
Filesize
45KB

MD5
4091b1844d11374da445542dae37c305

SHA1
029f3396c39f543dd984031eb82edcc035ed0a25

SHA256
a3254b90b2c6e12c29f7d9f538087da2d4bb7f64d003c591c8936cee7dd74b39

SHA512
c0a7709ed26d1643776dddb992fdf4910247da5b7548b1780212ad7183bc295a58832243d99ea68e84807ad4db4d5895dcec79f32f3464a1a97ba6ae02d447eb

Download Submit
C:\Users\Admin\Desktop\AddSplit.shtml
Filesize
352KB

MD5
c10e394177ae8a694a259fabc1075e4e

SHA1
7d2fddad3c660c1f7755571659d99e5757953748

SHA256
350a4342f282aa90ed172781285ae1d08eeff1166b5efb1e5da2140a0f04444e

SHA512
4b6585e6ff197756296c5223e3cb06033651619b31039fb4f7a0a7f71d8992b961a2a112e083091d2bcc008f6ba262955c3f044288fe4f089e209e15c5129615

Download Submit
C:\Users\Admin\Desktop\ConvertFromSubmit.vsd
Filesize
330KB

MD5
fbe10c400f94e0accea60491a52ce6e6

SHA1
b3b37ef96a2ca05874a5a5b2009ad7b74f07aed8

SHA256
479f550d3c1ad9a424c2c71370d80d5f7ac91f5015ea888341f78a0d9a3d102b

SHA512
cb605f54fbb266e815f5aac2609971b5c6e1588d76b86dea7e9bb9b34fb273d5a142b60b0be14919a1e7fbd15d46780554fdcef475359f75be2837d7050b0ab9

Download Submit
C:\Users\Admin\Desktop\ConvertFromSwitch.otf
Filesize
181KB

MD5
7da359bb4b3af50280e2d4b077f392fe

SHA1
8eb59559490e4fbca9f1b835b069f08197990ce7

SHA256
60f8d1d0d11dfc2e46ee8234731306237947ab20d83d9aec28308ea015097a6a

SHA512
285cceb6d8baaa796b6fdd9fa1bc6a02c860d3d6cb37c0d73adc5e5ccc3cb7e772317179d88c76135fc3d476200300d39cb4b26f549db9ad859fb3fdad484324

Download Submit
C:\Users\Admin\Desktop\DebugAdd.rtf
Filesize
277KB

MD5
572816d0999f0544118c9d57a8b3308b

SHA1
db5e2030404b5471c18149d26bf81bba89b961f1

SHA256
8c73024820d3d2ea5ff19f64e1d7389124468da42720338657de88f52e069338

SHA512
fa28b6f0572c638e27390dcb8637a8df5809c91703877fcacdf1871081ec4cad65b13c571023951c3a37952dc37822e945c5d27fa41e2bb8efb2360744651c35

Download Submit
C:\Users\Admin\Desktop\EnterStop.odp
Filesize
192KB

MD5
0fd57088953af1854276c5e898a4b206

SHA1
23fe32cfadee20f3c64790e90c1ab91cc3fff167

SHA256
d984f643e230587697c186d40f317c4317dea4d2dcdaea270e1540276ed75d75

SHA512
ecbe312a59155c57f89c5e82f591beace316c7210581f49f61a012445c6f947ad90e65cc777d867962dc8ea52826b5a516dec13bd3deb8ee40757250fd626441

Download Submit
C:\Users\Admin\Desktop\ExitClose.iso
Filesize
341KB

MD5
2347c654220546e72aa9870edece6371

SHA1
dfc16a5e769dadf61b643545609688ee50760310

SHA256
0c064e1647c8c6b6157063dff7de0059071ad73bbb2211712ccb74de22d509e8

SHA512
71df064e6f1b376fa0642e67b1a3204e1ec5b779ce41f9db2e5091ea918b5001288a507b112bc0075e68050d9d3008cf2edd9ff0d51f14232333e2dd763b431b

Download Submit
C:\Users\Admin\Desktop\ExpandRead.001
Filesize
298KB

MD5
2751f95393952c7e9a19bddb0a067589

SHA1
d8e4875d1d270c3fd7eff354f83d472cc5c4a14a

SHA256
5b14741e293f26a9c764da825e401a8dba2fd17ff931431adc64658ea2773642

SHA512
ef3dc123d834bcecd96389badd6e7e085d55f3a9045057ac4d276655a8d36a60593b2357a5bee4940d3e99a2a2123628a1d9375ad87de8312769d18d5855e246

Download Submit
C:\Users\Admin\Desktop\ExpandSelect.xsl
Filesize
245KB

MD5
e68c3449f7693f32d7728d22d60d98bd

SHA1
60a3d7fb5e6cdcc2f8103ac45f8d7c8ec3f461f6

SHA256
e077d2f2695c3f87c03669b54847162f2c82bc1f15660c8a39c11f5efb2d8b71

SHA512
16a6c8cd7bb89a96fddcbbb87730c8ac26bfd4d5ce9b2be1b3ebe948436a3d90dd9a7e789c3e6c9f923dee8c6ad0335074ca4140900722076879e4f1b3b60af6

Download Submit
C:\Users\Admin\Desktop\FormatProtect.snd
Filesize
309KB

MD5
cd5bfec149aa8bdfba6efcb52865da14

SHA1
239eda79a3e9b89c513f9dc345627994c42cc691

SHA256
87b394ad200c06292fbc87b9269ac49c79a49674a588c05114682c42bcac7db8

SHA512
4bc190151aaa41206bee569268b2dde9b734f90d8695c765e5efcf45c313c7efa1e06f00c02449aac4a9c656fb638a512e811404e08f5287ea6e5a66ab153e14

Download Submit
C:\Users\Admin\Desktop\GroupSuspend.odt
Filesize
256KB

MD5
7b0e0e9c4f1c2afa5bc8cf983950f74c

SHA1
80652e8b74b5ac295168fdea5424f8f129f9fb5a

SHA256
39225ae1e78f8c2f21df4d2c0d282af72173f31506e331677be7f7dd03281896

SHA512
12fd60fa2a61f0fb68195256760d5ef70c6c0833fb2bac6441f458652cfff0f4066cec29af79e094a8865db7d559a56d2a7d974e3400b8d4590e4b83f385aed2

Download Submit
C:\Users\Admin\Desktop\ImportSync.mpeg3
Filesize
362KB

MD5
ae91b1455ea24165f6f8c5f2d8f5caa1

SHA1
ba6db900ff35cce2b2b70ccf1acd3120f2d0c8d8

SHA256
781836e3086420cae3bf8e62171c22da762210f2b87f38f61a0d7c2af01be4d1

SHA512
da9e7eeee9a25ba83a03a57cff6e54437914c8e347adf87947cbaed02199c46d9fefc28dc7aaa49a1c80d35d1b0c6fd5780c77eaf1eab76b3e98d8f52bc0ce4c

Download Submit
C:\Users\Admin\Desktop\LockEnter.vsw
Filesize
288KB

MD5
1c28e7fed35a0557800e3d5dc5252e16

SHA1
47982b76f4d141648a590d1a57fa02e7aa72dddf

SHA256
21eac83e7ed6cdbfc03da5bedba39765e9273c3ac114804945143cfd82660ac2

SHA512
8879fc7981539a5594d2b40d2fa496abc66865eba4f9b6d1cb4e9e1075ef076e0078e4ce0c7e3b64d41bf942badd09b9c4516cfe045dee0e6ef5be9163af41a9

Download Submit
C:\Users\Admin\Desktop\MergeWrite.mov
Filesize
202KB

MD5
7e2817a5c13073cec3777528f939d35c

SHA1
e23b0b5d1ba6b0d41323eb5b5bb06e137b0293c5

SHA256
06aa7b3c7b8f62f5a93367f5ade9c513a68266b99e5345923b75a6a9f95f3c9c

SHA512
a83d1a7dd7d55f028183fd2903f35d7e99f73d4a6f46962f947e4af4e106556734a5f84aafd37094a37e17dbb00a8c845878b2939dd5f75a0ff90ce469831ae2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
df47fd7ae962d9b1044ed98310404a71

SHA1
d5ebf33ac616c087480780e86882711414582b52

SHA256
902042b86861ce27140f969f1ef8916dfe11d556879c28e0dad6ec83297abbad

SHA512
657f1ed96368fecf50cc3f5ddcdef828d5c1b281aeb4c8a2b70aa45ca7ef27b1f97162039edfc2a2258d97e0d1fe91568d6b84da1adfbc04a30db6ee7db7dcd1

Download Submit
C:\Users\Admin\Desktop\NewExport.lnk
Filesize
501KB

MD5
0afe855a3c7be3a4c364bb27d7deadf4

SHA1
1685488b848eb8d6d51b06e1f2123e3fc2e5d8fb

SHA256
7c3a4e0e222a814ab95cdf7c30c36b1c0f7284c84f6410170df3f9dad764b5a0

SHA512
293ba2fcde4ff89c1cf584e184b64f7e20514e08c2f72010b804d18f2841dbc27bd6cf2e9b409cd08d0638f371b878d632e4ab7cc34c7eb48dbd69e54e1523a9

Download Submit
C:\Users\Admin\Desktop\OpenMeasure.jpeg
Filesize
266KB

MD5
029ab880550c16073c30616d8b5c755f

SHA1
d386a32cc91129931e21d55ed9e9ded025108a9a

SHA256
3c43d3bff8147d649d19b81f08f23a38479df1e20e8929f41877b3de78296e5b

SHA512
d69941b7cbc2f47fba010effc840793001db2e93c48d858b1e839e7953c2ac5eac8f34a0891ec0226d654fe37462d08efff4f62393a0a3ade1c455be53e4c057

Download Submit
C:\Users\Admin\Desktop\OutRegister.pps
Filesize
320KB

MD5
6c54e079dbcd795f66f2d50d8012f366

SHA1
e1cd4ccdbd12a4259fdc2a69fbf1bd3fc398935f

SHA256
20da181f389e6fcd1f6cd8c12712436cf19ea459376fa2c9d660b73cffed6e68

SHA512
7db77c67c59b1bb23253007abb6ab84d6e596ba5eca6a34c702d751742c63a0cf1641b422ce74613144cd5496dd6210e570e74dd00c963c0bec4e9e5433f24b4

Download Submit
C:\Users\Admin\Desktop\PopResolve.au3
Filesize
149KB

MD5
2130de3ba75166a13f31c2c50bede05e

SHA1
d1e8fd8995ba3c5e46aa3afbe84cc42f792c0013

SHA256
2941cc2efdfc1d4d6118deb872d1861d163c4aacb2f45a387142dfad3c8445e0

SHA512
681c91f601841485d06673925081f0febdb11eb9a605949dd4506b336ac67b40559032bcd11a0fa4c70eb1b2b7a52d1b1a7a3aea99a49da6798da21c47203aa3

Download Submit
C:\Users\Admin\Desktop\RegisterDismount.tif
Filesize
224KB

MD5
d529956bfe4fe47ada3a9861a818f926

SHA1
3e0b59227383eb13623e8caa086d475fd5a46375

SHA256
5a17c8ab9abaf7fadd9a3aa773f30069e694377bb0b441fb2bd927ac740b6538

SHA512
faad75aae0c7577d33556df0c9552ec6c53d0f88fb6a32409da6e8413729b4729457165bf62857f0e18ee0a4e821ac9c8b8a308816864b57d0716d6b7057843e

Download Submit
C:\Users\Admin\Desktop\RestoreRemove.xlt
Filesize
213KB

MD5
ef8e15994c10eeda66fc840f516d703e

SHA1
68b22c9fbbc8ab0bf9dd5e3a3ffdb668129265bc

SHA256
33884594aabada9195b4fa205528f64afb93045b0c19e92700a2d7fbc9fe06b8

SHA512
aa08bc00fcf6e17206ecaecb75b0a0ffc49367feeded0fe9acbe9b563150e8f2ff74b3b00ca51dc552852a755a85c9397349b0ead91747e5aaf9573bfd68555d

Download Submit
C:\Users\Admin\Desktop\RestoreUse.jpeg
Filesize
234KB

MD5
16fc2134c5575b8be3c91996ac1267b7

SHA1
92a150d480bb3234f614310e07ae1924f52c77a4

SHA256
b39f96fc4b626ad6d056baf1e2427f294a51fec523505acea178b3575fec560e

SHA512
17f9b260b8c29fce19b5c72ff921e798ea04185c03a27e5cdb60214bcd2da0beacaac5c9605ad709758347f671d46ed78e312c8e5852687456a2a42b5a04fe2c

Download Submit
C:\Users\Admin\Desktop\SendMove.MOD
Filesize
138KB

MD5
f1134d3b9723c3bfc9c029ccc255e5bd

SHA1
eacf9a93daf5d707e1fe30fa3db551aeab173669

SHA256
df916a74bb5a3d2051e9a6cce996ce28db93bd9b0af4d882e136c0db06a21669

SHA512
02e21d7d6df83990e3b6b834c096e086f6d4df8804ac73d64cc7ac7007cbe36f22940723a78b993756d8ac7b42f42f6bc80bb60934248a516b2ce6d7c44d4bea

Download Submit
C:\Users\Admin\Desktop\SplitFormat.ram
Filesize
128KB

MD5
a001dfad7fa0e47935d7714c735726a7

SHA1
1225bae061b32d360fd789f94e50f61b462eeae3

SHA256
8c5190091a7c7fa48c9852977768888243b33c679cf92da9b1b97d10d0926827

SHA512
dca757cb9586afa77d24d4190101d66f9f3fdfd01c7c5f0340e1e74a451003774f0ad5c780a6e3aeb5db7f42186c7166ad08f93f91c48947991e628ffca001eb

Download Submit
C:\Users\Admin\Desktop\StepUnregister.wmx
Filesize
170KB

MD5
b0585fbb5902d483f1b76bde2d508e10

SHA1
3cb8dba5c8cdaab2a1d2f8f1307f96a912b0c66d

SHA256
cbc83a3c94197be9d959698f6a57aa90933575fec7a18761e444363088498940

SHA512
836ab3b92bfd14db0fa826c1bd65f163876ec06c626fda60b56dcf45a5f47e1986974ceb1778f274df1a943c78072a801e98bd0c4fb27f91164911aba751bb1d

Download Submit
C:\Users\Admin\Desktop\UnlockSplit.cab
Filesize
160KB

MD5
a9b1b4c603cf5b3d2cf1b5800b344de0

SHA1
b1514b6b8ebbda23bae562f47172705f171addfc

SHA256
79d2205dc1737489e1f18843d890702c101224bab5d823b0262695b41d2f381a

SHA512
6c0945122d1d52fe20050ceff26bc879734ebf5cc0951a2c9bcf531ca2f8a5debca121bb67c2185af59a94000bd933b4a46c0f61a49534677d6835638036945c

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
Filesize
2KB

MD5
ee35b089030ec91819fee975675b1fed

SHA1
8212050ac2dc6d9c1b9bf762ef1c47f0226c4ceb

SHA256
2e6377cdd8f352c73f956d2888aca057b28b74bbe1760aa55de30f23acfd658b

SHA512
c0d606f41d63d3b279d2bf35400c4b86dc34fbc48276d942dd5e437a2123039c3650e4d28328d75f8ae00473f6f79c5baca14be21dcfc01fc7b07f8a1fbdbc09

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
Filesize
1000B

MD5
76ee20775e47f5f40e5f216d85f7f0bb

SHA1
d1849321974de5f39e69986165b33011332cf942

SHA256
9cc9bd7a4c7dcbce05d4033ba06424ed8bf4d9829204a763f61bb67bcb6406d2

SHA512
dc949848d830b0a1289306b7da491d390e117143b0a57ac2399d7435efc864a95f42dc62ec4aa7b894231fbc3b5131a6c23298843516005263db2a1a4b4d5fc0

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
f3270104f972b080a402eab7623f0492

SHA1
a540f5dbb21ef6cba15488235126837ecc0ee542

SHA256
ea796431163905d0123b2866605076476965ab6bb80d38026d98ad2350aa7d41

SHA512
87756a6dc356c3cd6edc8910cc0ebcf8f21509ffef9dc1e8236e5ee1603c2abcf27ae83043dd8ad269f7c93c81d7f221185929380f70dbff5e617648535bae86

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
923B

MD5
4b89cf22544f4e5400f6254c0ac6d06c

SHA1
13503eb478312003d5e7b7e19e465f83a670425a

SHA256
e52141cc2ceec8397a2460331c98a5089ae978cf57ae319df0b9ddea75b1fbf2

SHA512
e059c11180e2bb97417b2e8e342a53e5d698d711ec8ca7a162103e04d5f966c189185c3bdd8aabf7f9eecb4559811c3be182d4b7e1ec536a95bd9aba2da0bfc8

Download Submit
memory/1468-30-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/1468-15-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/4348-0-0x00000000751BE000-0x00000000751BF000-memory.dmp

Filesize
4KB

Download
memory/4348-1-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download