Analysis Overview
SHA256
ec6fcac47b52001e6b9af66588ebb95c6de3f2e6a4b942e0d04f2c114633fddb
Threat Level: Known bad
The file slinkylauncher.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 14:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 14:45
Reported
2024-08-13 14:48
Platform
win7-20240729-en
Max time kernel
16s
Max time network
19s
Command Line
Signatures
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe | "C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe" |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 14:45
Reported
2024-08-13 14:48
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
154s
Command Line
Signatures
XenorRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe | N/A |
Loads dropped DLL
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe | "C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe" |
| C:\Windows\system32\cmd.exe | cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe |
| C:\Windows\system32\cmd.exe | cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe |
| C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe | C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe |
| C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe | C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe |
| C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe | C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c title NitroGen v1.3 ~ Made by viben#6633 [Menu] |
| C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe | "C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /Create /TN "NitroGenerator" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E72.tmp" /F |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c title Nitro Gen v1.3 ~ Made by viben#6633 [Generator] |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| ES | 88.15.130.212:4444 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| ES | 88.15.130.212:4444 | | tcp |
| ES | 88.15.130.212:4444 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| ES | 88.15.130.212:4444 | | tcp |
| ES | 88.15.130.212:4444 | | tcp |
Files