xenorat | 4b464a4f2349980f053288514e7e25b20319cf7655576f702def8bbf1a6e49af

Analysis

max time kernel
143s
max time network
130s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/02/2025, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xeno cheat.exe
Size

45KB
MD5

724a1a11d4fe58feafde5ea5d5cb0ee7
SHA1

4c6a67d87338ff6060ad83d84e78c4e4e4ed044d
SHA256

4b464a4f2349980f053288514e7e25b20319cf7655576f702def8bbf1a6e49af
SHA512

0b486edf69b4715a92eb887086a9161fb98ab06c5aabd7a33fa4bc42077f70d5ce7e1cc8f38ee8de734541309fbf1c5d15204566b62e6279fa9b7ed7b41a82fd
SSDEEP

768:+dhO/poiiUcjlJInUkiH9Xqk5nWEZ5SbTDamWI7CPW5X:Iw+jjgngH9XqcnW85SbTfWIf

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

xeno_cheat

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2568-1-0x00000000003B0000-0x00000000003C2000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2500	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2500	2568	xeno cheat.exe	31
PID 2568 wrote to memory of 2500	2568	xeno cheat.exe	31
PID 2568 wrote to memory of 2500	2568	xeno cheat.exe	31
PID 2568 wrote to memory of 2500	2568	xeno cheat.exe	31

C:\Users\Admin\AppData\Local\Temp\xeno cheat.exe
"C:\Users\Admin\AppData\Local\Temp\xeno cheat.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp

Filesize
1KB

MD5
2b0036a4e98783edb6ce787ea303230b

SHA1
d15cbbe5d8fa46fe81826fd29baf1359d3f5bf99

SHA256
d5c94ef52af094f435620583487e70461ef6c41c45bf7b42287f4a93e246bb3f

SHA512
b0f5dc630e335b5aff0fd0d81273cc1585fdccdee4faf7fb509ca67ab4229845f5eaf0797861d031bbdb3041b869e78d7b593544091309c49b25f17ace575560

Download Submit
memory/2568-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2568-1-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2568-4-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-5-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads