Analysis
-
max time kernel
245s -
max time network
244s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
20-12-2024 11:55
Errors
General
-
Target
https://github.com/moom825/xeno-rat
Malware Config
Extracted
xenorat
127.0.0.1
Xeno_rat_nd8912d
-
delay
5000
-
install_path
nothingset
-
port
1234
-
startup_name
nothingset
Signatures
-
Detect XenoRat Payload 6 IoCs
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/xeno-rat1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe8bbb3cb8,0x7ffe8bbb3cc8,0x7ffe8bbb3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1204 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17189407542163347268,16633600356105512123,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5104 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\xeno rat server.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\xeno rat server.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Release\xeno rat server.exe"C:\Users\Admin\Downloads\Release\xeno rat server.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\rat.exe"C:\Users\Admin\Downloads\rat.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\rat.exe"C:\Users\Admin\Downloads\rat.exe"1⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004CC1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54c1a24fa898d2a98b540b20272c8e47b
SHA13218bff9ce95b52842fa1b8bd00be073177141ef
SHA256bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95
SHA512e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e
-
Filesize
152B
MD5f1d2c7fd2ca29bb77a5da2d1847fbb92
SHA1840de2cf36c22ba10ac96f90890b6a12a56526c6
SHA25658d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5
SHA512ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14
-
Filesize
1KB
MD544656095a0fe8c2e109fbb43b792636e
SHA158605013818dd75f58861ca82f062d9ecea31df8
SHA2561c0b13966c4dd02ccb2caca73f86d286e32669e09c754f6534b0d5c4a321715d
SHA51260a7d9d1d90a22f5fa459b38a3023fcedaa1aa3b344511d3731eb5c71e69399bbdea17862923b711174323db5e3245f2ca255f9f0e45b2ce828a79d0c17b4b4c
-
Filesize
1KB
MD52e2d4044edec086706862f72505c9185
SHA18e2278bcd0139f174682dc39c5fd7095d084eaaa
SHA25618545d24899a0dea44d5410437df645e6dabffbfb28e1f0d866363c054c5b44b
SHA512818a852d6ad2767f718db085ad38f95632fc84147258a1d1f629d519cfe604c3e044ff0d59565cb03d871b875eebdec1ef79071c2b962ca20e1cf358356b6dc3
-
Filesize
579B
MD5698ff6dd22f4368101b2f5794f7a18a4
SHA170ecbbe13ec6e225224ba66db3a8ed559f5d0411
SHA2560eab1fd6b69900b4edf4aac8461d7a67b3741ddc478675372b81d2cd944c5a11
SHA51217634b1dbe5e5bcb6cd22ef8f3f68d1d9e1db0628dfff0df8343726dbabfaa660ab6a7cdc33da8e415db122206cfb50cf1a1aeff32d8235d2860b624fb1ab281
-
Filesize
6KB
MD526b18c111557ed4b6d149f99f8d0011c
SHA14694aed3249a831e1ccf878de8177087d8af3ebe
SHA2561a5ba9f112436cec4f9bafd55c25dd956f36613229fb7595e2eb550bd6808ab6
SHA512025f95b4135a74ca42ea2a02e42ae96bb957bff68bbf16297ef37d8d53e6dffc12912ec1158f66cca6dfe53b0837fc9019156257bf84c91d138e07151abd92a3
-
Filesize
5KB
MD52202f0a1247c6cc7cb33bc0d37c13fc6
SHA11293310e49b4362692e2ce67d3f596db4b34887b
SHA25645112dac062cff1026d186cdf8367a566e7978fbb7230b09415db8ce9777b319
SHA512680630c23a7bdd508ac3f8ca110b737d0fc61f934cc87fd26290d76396f2717b512f3de7c67016d5e6cebeadb5bf79156a68d44f48b44b5dec3e7d07769f91e4
-
Filesize
1KB
MD527900b2abd8708237f653bc857b23aba
SHA182a73379a76245f044ad9ec7b7abb1c16c4a7b18
SHA25694beb57187f6e53946ca93fdb4ebe33f3900b892b8ebd52d815b9afb280bf873
SHA5129acea9d66e484e77d29925d82ecee4b559d013156f6ace487e3a02e6c98d6e9c140b21aba9525db8e100352431c4820650b9bc7d4bb317566eed61c819b51ede
-
Filesize
874B
MD538ae1e5829619323c78468818917d120
SHA1cd0a925ecdb354d6bf02e9b6555630c608429683
SHA256e0f8a015836400236d2385752117f65b7f173bee15ca6db6dc4800aeebe1754e
SHA512d5b584e4c731b448262c2233c625fa30b97def1bd8652251d24a32c700dfdc702cefaf17c083291d61d3ae7f072d68ce7c26f3034b40cd563f4cdd462a7ceac9
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD598a01ff0bdd74276f2c1a066caef1bd1
SHA102b7ccbc50bf1cd49e3d05263133569415bb63fc
SHA2560214d78aaa7205e7c9a12b848a2dbcd2196722a91024137e98cd72381f4f55fe
SHA5128bbb47a1523d2b62e963bf165abab3b9051d0bda74665e2c9578059b8959b24daf6bfd3c40706c56cc802d8668c4e23106fc17fda2c667a1a5ed8c4ea36b3a5d
-
Filesize
10KB
MD50a55f71da9e23e158f202de6c9d6b8c9
SHA175c8aa16e23098d11541369b7faa9e22fda0c05e
SHA256d482780256cdd2fb0a3211719d8f406ee884c1e5f469b95d12cb4f777b0bf0b1
SHA51234ecc639a3f5324968bd3bda1327b78633516f48ee5a9b5881602ba64b0c7a5ca01d8453779592133066524df16b093ffbc25133d50a44185f6650ee5d013a07
-
Filesize
10KB
MD53ee8764dc0ed92cf8b3d8291abbca6af
SHA1f96ab6da6dec400d866fc7de9c09ff4e994e6847
SHA256d10fe5c9b2535f5f012a4a92320bdc4a18674cd62d9f9ca124b4fedcdebab116
SHA512d713fac72c8cf8445c8a15865ee6eeab594c574ce4e0ddbd50cfc7005a9df9cf99e890e6e955802cc1e1427af330f9bfcc62191c1ba0fcd10d762a7e23a6934e
-
Filesize
45KB
MD5c5df06809a0c1436168c7d724fe9ffd1
SHA1bc07547b92c6d2cfde5169ac7be60898489adcfe
SHA256bcade8a03bbceafe5182874a7499e9c4d1069c6729351ec98fa0ed9cababdc0f
SHA512b14f91922f80dee41e3dd8451c70b4dc0bd66fa9b881448453755a5207a8b4387c781db37f14b6cdee7818e94978bfe58aa8595f75981f4938a47ada67228100
-
Filesize
6.4MB
MD589661a9ff6de529497fec56a112bf75e
SHA12dd31a19489f4d7c562b647f69117e31b894b5c3
SHA256e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd
SHA51233c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f
-
Filesize
94B
MD5cced52b34bfd2387c302c3d496259fb2
SHA1a79d213261354f108441ff54499b139e3bf08f58
SHA2560c5027dc525ff889968304a5303a2b4ff978be996cf7df2b02df1a01cecf47bf
SHA51204080f3321d80560d749238073dce291ca35f2a8e61176dbd76ac4fa368f3436b848568ea746be85cd4c9acda145d8cb9b423ba44b7e624944b4de4024a5024b
-
Filesize
45KB
MD549af6057ecbb668b5c87d41cac31cc64
SHA13cf6f550d278065caba3abbf4a74b92e2262d324
SHA25614c5612de16de605ff4bbb89efa3f9707841787a0667f8def30f1f2658b342d6
SHA5124861d1543f4bbc0aa43c7b88e04f975b4f09167fc15dfbe6aa6fefdee5b683bd2ceb595fae5999307af96e340ee60e98081852555931a562d6337ef78505a466
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
80KB
-
Filesize
72KB
-
Filesize
3.3MB
-
Filesize
72KB
-
Filesize
712KB
-
Filesize
1.1MB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
80KB