Malware Analysis Report

2024-10-23 20:26

Sample ID 240904-lzvs3azakd
Target RAT.exe
SHA256 dbd2a1eddad30b8a9f2de5f519a2b97f5f3b7bf9306688729b06a01886e75990
Tags
xenorat discovery rat trojan evasion
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

dbd2a1eddad30b8a9f2de5f519a2b97f5f3b7bf9306688729b06a01886e75990

Threat Level: Known bad

The file RAT.exe was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan evasion

XenorRat

Xenorat family

Executes dropped EXE

Resource Forking

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-04 09:58

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-04 09:58

Reported

2024-09-04 10:01

Platform

win11-20240802-en

Max time kernel

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RAT.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RAT.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RAT.exe

"C:\Users\Admin\AppData\Local\Temp\RAT.exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp" /F

Network

Country Destination Domain Proto
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp

Files

memory/1240-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

memory/1240-1-0x0000000000E10000-0x0000000000E22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe

MD5 dac50dd8ad6a423bdf5cc713c732a5ad
SHA1 cfaf95d0c4dcc0bce53677ba6e7900bcaf38bd9b
SHA256 dbd2a1eddad30b8a9f2de5f519a2b97f5f3b7bf9306688729b06a01886e75990
SHA512 d7f034fdedad982adbb0ab2112a106965ec6e7bb8f48ac356856d2d8beccfe4f952e0b84dab3c98d8c07b17c9a67ae78e1f5d5f3779c7c83fba9e567a55fe008

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RAT.exe.log

MD5 1294de804ea5400409324a82fdc7ec59
SHA1 9a39506bc6cadf99c1f2129265b610c69d1518f7
SHA256 494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0
SHA512 033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

memory/3036-15-0x00000000748F0000-0x00000000750A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp

MD5 82ea8ff2747d81323c4df445fdad9385
SHA1 802e47d14c98d9f2f76bfa86ae1c27e4a4cacb07
SHA256 fd2682af230aec75b6a025f8130ecbe95173246bbdd61055c427809ccd856150
SHA512 a6e57a5126d39d65a7786d90a11ca030c0047cb998a32a96a3342327d8b7d0f1709fae9aed4b7d8bf5437e7d5e217e34eb004c1a2a0b08d192cbb545aea21c95

memory/3036-18-0x00000000748F0000-0x00000000750A1000-memory.dmp

memory/3036-19-0x00000000748F0000-0x00000000750A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-04 09:58

Reported

2024-09-04 10:01

Platform

macos-20240711.1-en

Max time kernel

113s

Max time network

125s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/RAT.exe"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd N/A N/A
N/A /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/RAT.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/RAT.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/RAT.exe]

/bin/zsh

[/bin/zsh -c /Users/run/RAT.exe]

/Users/run/RAT.exe

[/Users/run/RAT.exe]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemprofiler]

/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information

[/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information]

/usr/libexec/xpcproxy

[xpcproxy com.apple.replayd]

/usr/libexec/replayd

[/usr/libexec/replayd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.system_installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportMemoryException]

/usr/libexec/ReportMemoryException

[/usr/libexec/ReportMemoryException]

/usr/libexec/xpcproxy

[xpcproxy com.apple.storedownloadd]

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd

[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.CacheDeleteExtension 520]

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension

[/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
GB 17.250.81.69:443 tcp
US 8.8.8.8:53 cds.apple.com udp
FR 23.217.247.196:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 23.36.169.108:443 help.apple.com tcp
GB 23.36.169.108:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

N/A