Overview

overview

10

Static

static

10

xeno rat server.exe

windows10-2004-x64

xeno rat server.exe

windows10-ltsc 2021-x64

10

xeno rat server.exe

windows11-21h2-x64

3

Analysis

  • max time kernel
    300s
  • max time network
    284s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    24-01-2025 16:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xeno rat server.exe

  • Size

    2.0MB

  • MD5

    3987ee127f2a2cf8a29573d4e111a8e8

  • SHA1

    fc253131e832297967f93190217f0ce403e38cb0

  • SHA256

    3d00a800474ddf382212e003222805bd74665b69cec43b554f91c3cd9edf04c4

  • SHA512

    69d5ac7a691dde1a3ed7f495e9b9180e63152ddaaa3d1b596ad9cbeb4d7b088f3fc4b138ecf87070014cdfa9047be18940b720de60642389921a10053250787b

  • SSDEEP

    49152:EnxkNTRWjxoJochWQI3kqXfd+/9AManGhR0vNgtIeGWtOc5Q:ExkNTcaJhDI3kqXf0FtWykQDCiQ

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    svvwwer

Signatures

  • Detect XenoRat Payload 4 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe
    "C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4680
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4376
    • C:\Users\Admin\Downloads\awdawd.exe
      "C:\Users\Admin\Downloads\awdawd.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Users\Admin\AppData\Roaming\XenoManager\awdawd.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\awdawd.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1420
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "svvwwer" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp" /F
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4688
        • C:\Users\Admin\AppData\Roaming\XenoManager\awdawd.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\awdawd.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3972
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /Create /TN "svvwwer" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1870.tmp" /F
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4244
        • \??\c:\windows\SysWOW64\cmstp.exe
          "c:\windows\system32\cmstp.exe" /au C:\windows\temp\533gzkh0.inf
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2452
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:1976

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\awdawd.exe.log
      Filesize

      226B

      MD5

      66aea5e724c4a224d092067c3381783b

      SHA1

      ee3cc64c4370a255391bdfeef2883d5b7a6e6230

      SHA256

      04b17cab961f973464bba8924f764edef6451d1774f2405d27ef33d164296923

      SHA512

      5d719e303f491d1443cb7c7e8946481e90532522a422c98f82466e1eddcd1ef24a4505dcbf75f2191fbb66825d3550566d7f408a3854edeb4c1a192c8c9a6d06

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp
      Filesize

      1KB

      MD5

      30d27e67237a2dd19853c97427efc72c

      SHA1

      4ac159b37572091236fb3359128ea46f56fa958e

      SHA256

      58546493e13180e96de22b1c567d1775a12fe97bf595e6a05db856379e9be9d1

      SHA512

      e99b14bbb92a05eb4d44e75ad6ae4603b20955e13204bef617815ffc4a6b177276c327f3a97d69dc647327585e49872e19eabaeb3db4b8adc84ade1f1c149e5a

      Download Submit

    • C:\Users\Admin\Desktop\wadawawd.exe
      Filesize

      45KB

      MD5

      833d1243289f163c4767f078bf1125c0

      SHA1

      8bb795bc6e51db5f057f0199b6e2af3b64b57658

      SHA256

      e5e59914d875c7a9877526a11b0310adb680196912f212ffb9a47786319a17d4

      SHA512

      be5c28e2012ae398f24a8b935027addf22cbb563e7df833736ce3adab48b0a96031e1c7e9f9642fa971f1d83d8d6f19b5b83e2d2a276341887681917a7626539

      Download Submit

    • C:\Users\Admin\Downloads\awdawd.exe
      Filesize

      45KB

      MD5

      5bce9d100a9354baedceb81cf72c0abb

      SHA1

      f8ed7fadc935d8f373fd86ef555521d7843b2535

      SHA256

      0e23c462677b861221ceca2061e103151fdb06adf782bd2d00459823ef0b1b45

      SHA512

      5bad8fc3a0ea1163fc6577da23ed4c9f5bf52b0cf8338658249292b6dc696bac1425c9ab12a9f4f4692d96dc7942878395ee175b44783f245d9e98f7c54161cd

      Download Submit

    • C:\windows\temp\533gzkh0.inf
      Filesize

      640B

      MD5

      411a787b6aeb2b0135dd41965158c607

      SHA1

      087bd61549935ca651d01a5a8c5840f268bb0357

      SHA256

      c7b85eeb5d449895e5eae3c061a9b75ea8ffdaf67655563c789de25633ee3bfd

      SHA512

      ade2214d4c0624bcb6ac71bbc8b79f3bbff55e84b6a0fc1c76d13ced8e28143da57dd94ff1525d341ebc33dc9e2b6f13f2864045ad73516bf5ce14525b9c3474

      Download Submit

    • memory/1420-50-0x00000000055A0000-0x00000000055AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1420-48-0x00000000055D0000-0x0000000005636000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4496-45-0x0000000074A10000-0x00000000751C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4496-41-0x0000000074A10000-0x00000000751C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4496-40-0x0000000000D20000-0x0000000000D32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4680-8-0x0000000008E80000-0x0000000008E92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4680-9-0x000000000AD80000-0x000000000ADA2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4680-12-0x000000000AF60000-0x000000000B012000-memory.dmp

      Filesize

      712KB

      Download

    • memory/4680-13-0x0000000008EE0000-0x0000000009237000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4680-16-0x0000000074A10000-0x00000000751C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4680-18-0x0000000074A10000-0x00000000751C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4680-19-0x000000000A170000-0x000000000A294000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4680-20-0x00000000095C0000-0x00000000095DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4680-10-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-11-0x0000000074A10000-0x00000000751C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4680-7-0x0000000008E60000-0x0000000008E7A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4680-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-6-0x0000000005FD0000-0x0000000005FE4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4680-5-0x00000000059F0000-0x00000000059FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4680-4-0x0000000074A10000-0x00000000751C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4680-3-0x0000000005940000-0x00000000059D2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4680-49-0x000000000D840000-0x000000000D852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4680-2-0x0000000006000000-0x00000000065A6000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4680-1-0x0000000000D40000-0x0000000000F42000-memory.dmp

      Filesize

      2.0MB

      Download