Overview

overview

10

Static

static

10

plugins/Chat.dll

windows10-2004-x64

1

plugins/Fi...er.dll

windows10-2004-x64

1

plugins/Fun.dll

windows10-2004-x64

1

plugins/Hvnc.dll

windows10-2004-x64

1

plugins/InfoGrab.dll

windows10-2004-x64

1

plugins/KeyLogger.dll

windows10-2004-x64

1

plugins/Ke...ne.dll

windows10-2004-x64

1

plugins/Li...ne.dll

windows10-2004-x64

1

plugins/Pr...er.dll

windows10-2004-x64

1

plugins/Re...er.dll

windows10-2004-x64

1

plugins/Re...xy.dll

windows10-2004-x64

1

plugins/Sc...ol.dll

windows10-2004-x64

1

plugins/Shell.dll

windows10-2004-x64

1

plugins/Startup.dll

windows10-2004-x64

1

plugins/Sy...er.dll

windows10-2004-x64

1

plugins/Uacbypass.dll

windows10-2004-x64

1

plugins/WebCam.dll

windows10-2004-x64

1

stub/xeno ...nt.exe

windows10-2004-x64

10

xeno rat server.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2024 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xeno rat server.exe

  • Size

    2.0MB

  • MD5

    3987ee127f2a2cf8a29573d4e111a8e8

  • SHA1

    fc253131e832297967f93190217f0ce403e38cb0

  • SHA256

    3d00a800474ddf382212e003222805bd74665b69cec43b554f91c3cd9edf04c4

  • SHA512

    69d5ac7a691dde1a3ed7f495e9b9180e63152ddaaa3d1b596ad9cbeb4d7b088f3fc4b138ecf87070014cdfa9047be18940b720de60642389921a10053250787b

  • SSDEEP

    49152:EnxkNTRWjxoJochWQI3kqXfd+/9AManGhR0vNgtIeGWtOc5Q:ExkNTcaJhDI3kqXf0FtWykQDCiQ

Score
10/10
xenoratcredential_accessdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

BLACK

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    8888

  • startup_name

    windows

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 52 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe
    "C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3880
  • C:\Users\Admin\Desktop\die.exe
    "C:\Users\Admin\Desktop\die.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Roaming\XenoManager\die.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\die.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp43C6.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2704
  • C:\Users\Admin\Desktop\die.exe
    "C:\Users\Admin\Desktop\die.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66DE.tmp" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3568
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c start "" "%windir%\system32\fodhelper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\system32\fodhelper.exe
        "C:\Windows\system32\fodhelper.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4132
        • C:\Users\Admin\Desktop\die.exe
          "C:\Users\Admin\Desktop\die.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4944
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /Create /TN "windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB387.tmp" /F
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3048
    • C:\Users\Admin\Desktop\die.exe
      "C:\Users\Admin\Desktop\die.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4184
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD93F.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\die.exe.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp43C6.tmp
    Filesize

    1KB

    MD5

    e74313e3560514e08520bf3e68c8f022

    SHA1

    7aa0b9c044970e0c62fdefd3f0a68fd16455cf44

    SHA256

    eb4e925135a76337f45795562600d60868c9d1f70baaea0fed7d0e136dfc3dd1

    SHA512

    7d6a821c227227ac50faeeff4a194ac10780c667877028024d8b0563e838a14c23ff7565c2189bb2d19d2945ab9947aceede4c8860b48d8b33b7eef46917fe71

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp66DE.tmp
    Filesize

    1KB

    MD5

    2e5ac93d4c8858833080baa5bd7918ec

    SHA1

    feecb7c588f9f731ff749752c5103f34257a780d

    SHA256

    1a140e864da2ef3de5017299a798f4b3fadf94d72348fa8c3fb389813378212e

    SHA512

    432afebd234058311c51e8c50141b9b9eddb229ce1990a4b65c399c193ecb01f89a32e2d5c9eb274fa1fae7141250a500cc6acf0e9b1192e00991b3cb61bf95e

    Download Submit

  • C:\Users\Admin\Desktop\die.exe
    Filesize

    45KB

    MD5

    facf67d96edad6ea939bdcbc104fab68

    SHA1

    33f02dfe3b6593bcc5dca7d48b2519d0e34b3a14

    SHA256

    3c7e514191f1576bd8fcb8e150d46a4cf3426477a078c9c266cc59b41cd1917c

    SHA512

    a9a490a5ee75b556aff3313858b603c6a2f975efb18ccc5198d0174c355b50f44ed3001932ae0561cb330ad76540fcfd3046018fa381474fc50aaec7bbafe5a9

    Download Submit

  • memory/116-52-0x0000000006190000-0x00000000061F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1612-49-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1612-36-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1612-34-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2120-65-0x0000000000F20000-0x0000000000F2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2120-64-0x0000000006310000-0x0000000006322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2120-57-0x0000000005CB0000-0x0000000005CBC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3880-10-0x0000000009B00000-0x0000000009BB2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3880-4-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3880-15-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3880-16-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3880-18-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3880-21-0x0000000000B50000-0x0000000000C74000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3880-22-0x0000000000C90000-0x0000000000CAA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3880-11-0x0000000007A80000-0x0000000007DD4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3880-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3880-9-0x0000000009920000-0x0000000009942000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3880-8-0x0000000007A20000-0x0000000007A32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3880-7-0x0000000007A00000-0x0000000007A1A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3880-6-0x0000000005620000-0x0000000005634000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3880-5-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3880-54-0x000000000C1A0000-0x000000000C1B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3880-13-0x0000000074A00000-0x00000000751B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3880-3-0x0000000004F10000-0x0000000004FA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3880-2-0x0000000005670000-0x0000000005C14000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3880-1-0x0000000000320000-0x0000000000522000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4184-66-0x00000000015C0000-0x00000000015D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4184-67-0x00000000067C0000-0x00000000068BA000-memory.dmp

    Filesize

    1000KB

    Download

  • memory/4184-68-0x0000000006A90000-0x0000000006C52000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4184-69-0x0000000006910000-0x0000000006960000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4184-70-0x00000000069E0000-0x0000000006A56000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4184-71-0x0000000007190000-0x00000000076BC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4184-72-0x0000000006C90000-0x0000000006CAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4184-74-0x0000000006E60000-0x0000000006EFC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4184-95-0x0000000006740000-0x000000000674A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4184-96-0x0000000006750000-0x000000000675A000-memory.dmp

    Filesize

    40KB

    Download