Analysis
-
max time kernel
85s -
max time network
77s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
22-12-2024 13:18
General
-
Target
https://github.com/moom825/xeno-rat/releases/tag/1.8.7
Malware Config
Signatures
-
Detect XenoRat Payload 2 IoCs
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 60 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/xeno-rat/releases/tag/1.8.71⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb8a0246f8,0x7ffb8a024708,0x7ffb8a0247182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x114,0x158,0x248,0x254,0x7ff739a25460,0x7ff739a25470,0x7ff739a254803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6192 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12421168140951394098,577804361002509197,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Release\xeno rat server.exe"C:\Users\Admin\Downloads\Release\xeno rat server.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e8978379b8b4dac705f196c82cddb401
SHA1873169c69e4aaa8c3e1da1c95f3fc6b005f63112
SHA25683528bc9af5e037e40f14bece26788301e4555a6164b31e6010d93d7d18f0afa
SHA5122d73194d03ea51d4154ee9556950dee1e666720c4b53fe671cf2e7647889d480c2941757d6b9b4c60a29a6799478450136f4847b0bec5d4b6aa630d9ca856308
-
Filesize
152B
MD5c8c74ab5c035388c9f8ca42d04225ed8
SHA11bb47394d88b472e3f163c39261a20b7a4aa3dc0
SHA256ea821d15371cdfef9f4c01c71fbe39f9db7bfd61e6a83e09b14886c5756cd9d9
SHA51288922af80d561b3cf10963160d245044554f9011e4aec4fd40c740b06e5e87e9bc16ed309e296f549d9244b6cc93f627d6dd010eb2d325b38cbb1d43d8b95157
-
Filesize
48B
MD5c34203b608ab18192ed778e6aba53fc8
SHA12ec8d3cdf37b7ddb2e54b9282553cb33a8ef1670
SHA256ae7ee639c3a4696a38581cbdbe3782920edfbab17d84870801f6eb08d63287b2
SHA512f14badf3c943d8de466849acebbb8404879cb6400f5ae423d719d02249b9081dcf30d6244ea0bb7a512b1e20a8bfecb21003aafb677532552a28955b670857b2
-
Filesize
1KB
MD5fb3603c866a230484d887395e57a006b
SHA1128c326f62f560cd835542d3637abc67cbbc0983
SHA2564aa3f915d502e2f6c7f20ffcb17c126d516f1b27d6d585900453b856b96d6178
SHA5125ccc7c0eb8cd8000206a2b850a5e3de10be88b425c48e6826ddf7b33c0dad0ad07d630dd220926bdd94ab0dd1a27f72d9b1c478452f7ce192cf953c3ed6b54bb
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
496B
MD55022b10efc3c6d669ded7960cc594a19
SHA1a79ad985b345f09f5f4f265ba1867800ab4d3be1
SHA256a6c395932ed70d3a45247d91c6593b48d6d389a52aa806ad484aef62b63c8e53
SHA512a496101a7c30b7205f91698eec23c53b52d80a24a2208f3184733b905fd34066163df9688e00856278fc536fd955bcb0d2c62f3561f28718e378a08754c53c00
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
5KB
MD5fc94b3456cfaea3679c263bc20d716bb
SHA1ae6a8c7ccb6aaf4a27663fd446ff21e0d15bbe54
SHA2565458265e0d7ad810420c3459fade4152ef8b111452a689a3d16895767c2f70c6
SHA51222c3ffa766e2bf1cb069ef26243e13421dd1ef9493535d964c2d8583fb1af3ebbb38848feee78c6203fcdf9277bdcd146e3d18a448a0d94af7942bac5b51f3e1
-
Filesize
5KB
MD52f1dd71d153f34c74df6f7f40d23e29c
SHA1daf8a9cbf6874d3cac11d3aeaebd25a4946ff0f2
SHA256e1e301cedf62c5480a5f9c46d1f776cb674074fcc23e4a26960fc628feac4f25
SHA512887b021bd4fc3270b2cfd56ce6c2e2f07135f6f4b51a0ad8d15d37278704033ae41237ee7d62e44ce40e0ce65b7596088e44755de60c9eaecb7c7e51efed8db7
-
Filesize
5KB
MD5f38d3191a364da6be6ba1ed74a55a66b
SHA170183a7c80949a9227da9cadca7a69e9c98e1653
SHA2566697818ca67af5d953a44140588d3d987a179cd6750e6cffa51418e459ee9d2a
SHA512ffc58965526ae6d7731f363473aced324f5e7a5d859780efd9c104e8f65bd7e9deeb094f6930ed573f263375e9567c619608b8897867b165a60092e8889fe400
-
Filesize
24KB
MD5671cfbd0275770e681ef4ede37140969
SHA1ac145dd046e86ab6aff6340664c509c4fd5f1746
SHA256dfafdb318c177ff96d9b85ed518f229398c3f5161f0ca48ff427516292b9d823
SHA512d76a8d3a91d1e5e84b35cfa815736c1d0bd7252381f4e540a8d7102385224167b995f698559c95fa18ed3a50e14a58fb0a96bcedb57d4770df50f98c6d331faf
-
Filesize
24KB
MD555182d891d98ec9d988cec04bac8752d
SHA1e18a06e1498ff69c1c2697df7e195cf922a92e01
SHA25608dc082566b36f693f93e341a5eb4e93a95d5bfed35b952f5ddcf4a5d51e963d
SHA51235b9bf0c05da26bcebb4e259deca27c84e28521aff5a27af8205624581d1b0a7da6350ee7de0a2329c9cbc1d8cf205c1487638196232cbe794aaa91b0d86d0f7
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
8KB
MD509608783b77b2dfd08096c0ad19d9ecc
SHA184b6c803de148cfccabd12e0427600e2e8f4503f
SHA2565d9d74338b19c5603549edee80955115a6256ba816d3165616419b1b64da1aaa
SHA5128fa505904cb18b7ffa06675dae6959534d695c16425ad27f921fbeb391c662efe71248b8488f14fff1a44f5914f71f4615379567b8f28cd39a5a2bb7257ce1d2
-
Filesize
10KB
MD5ccfee1a6cbc600cbfc9d1d131222cfc3
SHA15d837a411cc1fc99198e36932b1aa304f7cf1d18
SHA256dee3f5217f0c57c0837b0e5ec0657c26d666dcd2f601daab465bfbf99261f0c0
SHA5121565db336688917367153d3f194f836a3ee3d543e9f656148c9e4a4ba754442505444ccafc567aed314459c36c6f800d94b27e6553c2e3f78d174975b525f8f9
-
Filesize
3KB
MD52953d2fab8619014358bbefdce2d24a3
SHA1adf2e1822622fbe83adb851661bc56f57c3ad366
SHA256fd5e01b36420d8afaaadaf170c2d2f0134b8ca36569a029151003a99f1947ce1
SHA5125cb5c18edf752c74f323dc9e261b805b9f71b80d2f4c68b4747083c245650e7533cf195a2526912d59ac8634af93e4cb6cf0bec2bd3b73f8e9c7b52339698715
-
Filesize
3KB
MD5305126f98b4f4fa64b61c689750ffb52
SHA16adc0f9df6364cf4d80235b41c20e2327a2f0704
SHA2568902714564b9d699f545a112e6a8466c84042fa0aa48d05aa801d079581bd4a6
SHA5123d362866e05ae8cb437158d86be0ed53b7b4491e47ce25ba3067ef54913f9546b2bbe94937bd3dc3d88f2ba6c15ca6ee20cfa45a44dadddbc9ad802bf66bc71a
-
Filesize
45KB
MD542faf67435979c1245010683d8e916b5
SHA1b93b780736398c6e4001c150276ccb24982ed67f
SHA256eef18c81faeee1877aa9cd8d8aef18b643a434fd3da221cc724070ec863e5fcd
SHA512ff0fd19b423da9c89a6729790f5f39bac4e2dd03d62ad8c8fcf9628afb7e57a58b0a4700ee8811ba6c6191390c7cf3816342852fb90fc583ba261fd4637fcd86
-
Filesize
6.4MB
MD589661a9ff6de529497fec56a112bf75e
SHA12dd31a19489f4d7c562b647f69117e31b894b5c3
SHA256e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd
SHA51233c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f
-
Filesize
45KB
MD5e069304f72f1993e3a4227b5fb5337a1
SHA1131c2b3eb9afb6a806610567fe846a09d60b5115
SHA2565d00cfc66ae11f68bae4ac8e5a0f07158dae6bfd4ea34035b8c7c4e3be70f2c5
SHA51226f18e40b1d4d97d997815fe3921af11f8e75e99a9386bbe39fb8820af1cbe4e9f41d3328b6a051f1d63a4dfff5b674a0abafae975f848df4272aa036771e2e9
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
712KB
-
Filesize
3.3MB
-
Filesize
1.1MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
2.0MB