Extracted

• • Target

    Xeno.exe

  • Size

    140KB

  • MD5

    f0d6a8ef8299c5f15732a011d90b0be1

  • SHA1

    5d2e6cc0bd4f1e810808f2a284f6c2a30b21edcf

  • SHA256

    326bae0bd1398234dcef4c3d71f00e30cc9b447fa963e21d6f29605f42bb7e5b

  • SHA512

    5b9f1517949a7fa9fdb7413146632d21a4208dc92823b673af85963ae5cc7f827b3ba27f3e9c5554c45e726ad159aac77d30306acc3559bd8712534e41ff0f27

  • SSDEEP

    3072:2hK4Uay3XrQ8habqgp9pC9Z6p5uf3C6k0xuZ04ntfxDhBury:2hK4XycqgpfCup5sVxuZ04bhA

  Score

  10^/10

  discoverywarzoneratdefense_evasioninfostealerpersistenceprivilege_escalationratrezer0trojan

  • Modifies visibility of file extensions in Explorer

    defense_evasion

  • UAC bypass

    defense_evasiontrojan

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzonerat family

    warzonerat

  • ReZer0 packer

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0

  • Warzone RAT payload

    rat

  • Downloads MZ/PE file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Checks system information in the registry

    System information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2