Analysis Overview
SHA256
dbd2a1eddad30b8a9f2de5f519a2b97f5f3b7bf9306688729b06a01886e75990
Threat Level: Known bad
The file RAT.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Xenorat family
Executes dropped EXE
Resource Forking
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-04 09:58
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-04 09:58
Reported
2024-09-04 10:01
Platform
win11-20240802-en
Max time kernel
141s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1240 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe |
| PID 1240 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe |
| PID 1240 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe |
| PID 3036 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3036 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3036 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\RAT.exe
"C:\Users\Admin\AppData\Local\Temp\RAT.exe"
C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp" /F
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
Files
memory/1240-0-0x00000000748FE000-0x00000000748FF000-memory.dmp
memory/1240-1-0x0000000000E10000-0x0000000000E22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe
| MD5 | dac50dd8ad6a423bdf5cc713c732a5ad |
| SHA1 | cfaf95d0c4dcc0bce53677ba6e7900bcaf38bd9b |
| SHA256 | dbd2a1eddad30b8a9f2de5f519a2b97f5f3b7bf9306688729b06a01886e75990 |
| SHA512 | d7f034fdedad982adbb0ab2112a106965ec6e7bb8f48ac356856d2d8beccfe4f952e0b84dab3c98d8c07b17c9a67ae78e1f5d5f3779c7c83fba9e567a55fe008 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RAT.exe.log
| MD5 | 1294de804ea5400409324a82fdc7ec59 |
| SHA1 | 9a39506bc6cadf99c1f2129265b610c69d1518f7 |
| SHA256 | 494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0 |
| SHA512 | 033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1 |
memory/3036-15-0x00000000748F0000-0x00000000750A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp
| MD5 | 82ea8ff2747d81323c4df445fdad9385 |
| SHA1 | 802e47d14c98d9f2f76bfa86ae1c27e4a4cacb07 |
| SHA256 | fd2682af230aec75b6a025f8130ecbe95173246bbdd61055c427809ccd856150 |
| SHA512 | a6e57a5126d39d65a7786d90a11ca030c0047cb998a32a96a3342327d8b7d0f1709fae9aed4b7d8bf5437e7d5e217e34eb004c1a2a0b08d192cbb545aea21c95 |
memory/3036-18-0x00000000748F0000-0x00000000750A1000-memory.dmp
memory/3036-19-0x00000000748F0000-0x00000000750A1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-04 09:58
Reported
2024-09-04 10:01
Platform
macos-20240711.1-en
Max time kernel
113s
Max time network
125s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/RAT.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/RAT.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/RAT.exe]
/bin/zsh
[/bin/zsh -c /Users/run/RAT.exe]
/Users/run/RAT.exe
[/Users/run/RAT.exe]
/usr/libexec/xpcproxy
[xpcproxy com.apple.systemprofiler]
/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information
[/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information]
/usr/libexec/xpcproxy
[xpcproxy com.apple.replayd]
/usr/libexec/replayd
[/usr/libexec/replayd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.system_installd]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.installd]
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ReportMemoryException]
/usr/libexec/ReportMemoryException
[/usr/libexec/ReportMemoryException]
/usr/libexec/xpcproxy
[xpcproxy com.apple.storedownloadd]
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Safari.CacheDeleteExtension 520]
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
[/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 17.250.81.69:443 | | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| FR | 23.217.247.196:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 23.36.169.108:443 | help.apple.com | tcp |
| GB | 23.36.169.108:443 | help.apple.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |