Overview

overview

10

Static

static

10

xeno rat client.exe

windows7-x64

10

xeno rat client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xeno rat client.exe

  • Size

    52KB

  • MD5

    00fbdc8040c8ec388d90ea5133c141fd

  • SHA1

    ce9d3e4d3d6f81794310758b22eaad333e40ad88

  • SHA256

    c940228f2d719b88e181afd94962c3857b666b4da623c5a38acee9ffde406106

  • SHA512

    c8dcb2ea2931ccb29949579c425b07f1f19cfb2d7d28d774afbc0466203da002a344d8266fa002183a156c575ced63a4519bfc2d6b9d6719eab0fb100258122d

  • SSDEEP

    1536:8TtpJ3fm+8UDTxhfcM0RBsN3s+YebFMB/fubiTRE:8Tt7mW3xhEMOWN8sbFMB/fubGE

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

localhost

Mutex

testing 123123

Attributes
  • delay

    1000

  • install_path

    nothingset

  • port

    1234

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\xeno rat client.exe
    "C:\Users\Admin\AppData\Local\Temp\xeno rat client.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3096
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc14111d-66f6-471a-8593-5422f8981e77} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" gpu
        3⤵
          PID:4216
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68e43844-51b3-40f2-84f0-de7b01433820} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" socket
          3⤵
          • Checks processor information in registry
          PID:4136
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 2744 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c673ad39-2834-45f2-bdf4-09b128053b81} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
          3⤵
            PID:1608
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4324 -childID 2 -isForBrowser -prefsHandle 4316 -prefMapHandle 4312 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2faef99f-7211-47c7-aedb-110f8d76bcd7} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
            3⤵
              PID:1648
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4876 -prefsLen 29144 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71737fe2-6688-4f3f-8873-65f8cb11543f} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" utility
              3⤵
              • Checks processor information in registry
              PID:5504
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5056 -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db26cacb-7030-4601-b1be-603da372e14b} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
              3⤵
                PID:5520
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 4 -isForBrowser -prefsHandle 5292 -prefMapHandle 5288 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e32f6764-6823-446f-a216-4c149be9f3e4} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
                3⤵
                  PID:5536
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -childID 5 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2452e9da-fb90-45c4-9773-02d6fa83be1b} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
                  3⤵
                    PID:5548
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 6 -isForBrowser -prefsHandle 5756 -prefMapHandle 5844 -prefsLen 27077 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed1c1b0a-30ac-4a9a-b83d-a53a1c7b0d7b} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
                    3⤵
                      PID:3120

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  19KB

                  MD5

                  2a1c4b9ca3ff6053ce933ec43dfbe254

                  SHA1

                  072b5a54ba19f8679f316f30f70f0b493336ab64

                  SHA256

                  5e9a38d52c7b9d3cd164274a19dd648b975561dfb5cb5c699d64b8ef6df40ac7

                  SHA512

                  f752bd5df087a02f64a3048658723aa1fa5dc4c27d5da66dbfaabf8d7439f0f788928f624caaa19af8f736ea78affd047a5540b3dcd9dc93b245a788b73dcd8f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  4fde828fd4d84f734d012d7b4727a9e4

                  SHA1

                  1a46737156ec1a52fe77d2979645c21b510692a0

                  SHA256

                  0259148b54d37e1cbc45431229054d151cd5a16753e72e24ded26897df2fdcff

                  SHA512

                  be96c1f782107a75e158e8e5cab091b4930a5b6623f1040c84d7b5bc4d0af4bef9ea6224ff454d36c0bf934351246f1f1cb2f7fbf7b13a39776a08cf1f4786fa

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  bf6f18a1536363932e15b4321d52188a

                  SHA1

                  8ab76077d01df11b1c36acaf1d2edd17c382dca8

                  SHA256

                  3f20390ed45f8490e92de0fab4485eb566829d5d613345117ae239fe72061993

                  SHA512

                  239e6643e26ae33cb00070da6ccccc5670d7ace0a67b154be9d48fa2f5ec0b49f23ee04ab337ccb47495b60b7ade3ac639d463c3c03b674e422d1cec0e34964e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\2d1cea62-badd-4350-b51e-a69867ce3711
                  Filesize

                  777B

                  MD5

                  c325e27be354353a741f08b2dde3a98d

                  SHA1

                  92b2516901b16d7975ab06e76146d3c436721c70

                  SHA256

                  7b5a041477742e63d410aaf3a33797f1d07f27d09f4e6da1a9c5f8dc2d8f76b7

                  SHA512

                  567d3c090dfca27aee8491ce38cffb1ceae5f9e300a1cf13a8230cfa7da0ec93a3ff9e5f87e9e914c7b0e0a12036d1e3836622b1dccc4a7ab2b97bac9be4d7c2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\78f7717e-31e8-4848-8d49-9168bad987f4
                  Filesize

                  671B

                  MD5

                  0efe4f3a840289d4cde492aa3213b495

                  SHA1

                  a49c72488039fb3f9b7db641df56b3d57eba245d

                  SHA256

                  d3eecc8b8293e39cca50654b208e87aacc2ff65b8c93f648c55dfa9d2c6a32da

                  SHA512

                  4d055129a00efd63e0706c8b1252b332c37112b3de818ca777a7f79e3cecef830f6ab8e3f062888fad4da56f4970d790074b8fb3f846229bddd549d5a64e99f4

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\ec98beaf-3563-442e-aeb5-d97b29732b45
                  Filesize

                  25KB

                  MD5

                  bc0cc53b1cb635a69be9ac80bb00f79a

                  SHA1

                  63fe591445a942d0b179949501019d95651afa4f

                  SHA256

                  19de218ed5d54addc61b4e3ded840100b63c610ca91a666b660e51ea99de4d7b

                  SHA512

                  73b2643e1aba4491cce5d702fa9962a33283e9efab26be65c61db8ae0eb16507f9a7b2343562896deaadf52dc964e072ebda4e973e833b609d873e65983efec7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\fb39c9d1-1516-40a9-951f-79ded90affdd
                  Filesize

                  982B

                  MD5

                  fbb872a6a526dcdd2b1a8a2b53ef08ba

                  SHA1

                  841af645c1b1ccf165347c4d9fb68192ef7de2ad

                  SHA256

                  e03e5736ff4965882539dc26be9014f9ba6d1f3fe6802738002efb2e7f35b3dc

                  SHA512

                  a287f1ed1904f719a387a42c33ead32395f12f1989791848648006cc3076fde0096021e436a933bffae90abb3be8ca0798884ce998347ad3e5da96aba1c6160b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
                  Filesize

                  11KB

                  MD5

                  f8f4addddd86945c9c0e5617065aa67b

                  SHA1

                  2b3862107e69c4a261fd3e3cb49892975fc16ab5

                  SHA256

                  03deef9d89b1d4974861ee6ec47d6d8f353164809642985371b48cc17d6d93ae

                  SHA512

                  23130754778ede8a2e12d816472f57ac3cc2b4940ab048b143891c0c0e0b1b5c65381fa914f7683ac0a089748a3dfaaaf852b556b3fa35c06bdfe2c4988a3a46

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  be8182e88e27aaa0a72af10cccf5e414

                  SHA1

                  db07cc16c23d8650f7642e41958a07600dd9e525

                  SHA256

                  0ac500c5b2d9e5b38d2e4c49ddabad909e4c090980e4e4b4358f01243b8b8b36

                  SHA512

                  e21f03ab4df758cb5be07a71c9657ea8aefadb323a14dff0d15e70422307968e35a4d19106c9935ab0fd2a9f42e9f51b5137da8b9b7219022d4bafae6eb72cad

                  Download Submit

                • memory/3096-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3096-16-0x00000000749D0000-0x0000000075180000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3096-12-0x00000000749DE000-0x00000000749DF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3096-2-0x00000000749D0000-0x0000000075180000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3096-1-0x0000000000E90000-0x0000000000EA4000-memory.dmp

                  Filesize

                  80KB

                  Download