xenorat | e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

Resubmissions

Analysis

max time kernel
149s
max time network
123s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
19-02-2025 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub/xeno rat client.exe
Size

46KB
MD5

d23d8120af87a615a456a12b43d4a98a
SHA1

73b41123d6f50aecdcf1c5e87a7d0319d753b0e7
SHA256

27178a08e0d8fb6e5e31ae9bff6194a5224406666fa1f528d4719c1e4a8efd67
SHA512

99026704fef97f9f9c01348310f199ad523851e105c7ea1f39312c7370cb6e50af5044fec1041298b96b6e661ac5f48d6af80687e21364806e62738d198ad319
SSDEEP

768:Ddqf04XKojwYybbZWsiBHUuOkU7cK9F9km3XNZ5SbTDay6t22:D4z0z3ZWsiBHUuY79kmz5SbTL6B

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

localhost

Mutex

testing 123123

Attributes

delay
1000
install_path
nothingset
port
1234
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral18/memory/4908-1-0x0000000000320000-0x0000000000332000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings	Taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	powershell.exe
1776	powershell.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2768	Taskmgr.exe
Token: SeSystemProfilePrivilege	2768	Taskmgr.exe
Token: SeCreateGlobalPrivilege	2768	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5392	WindowsTerminal.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe
2768	Taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3920	MiniSearchHost.exe
5392	WindowsTerminal.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 5392	960	wt.exe	89
PID 960 wrote to memory of 5392	960	wt.exe	89
PID 960 wrote to memory of 5392	960	wt.exe	89
PID 5392 wrote to memory of 4684	5392	WindowsTerminal.exe	90
PID 5392 wrote to memory of 4684	5392	WindowsTerminal.exe	90
PID 5392 wrote to memory of 1076	5392	WindowsTerminal.exe	94
PID 5392 wrote to memory of 1076	5392	WindowsTerminal.exe	94
PID 5392 wrote to memory of 1076	5392	WindowsTerminal.exe	94
PID 5392 wrote to memory of 1776	5392	WindowsTerminal.exe	95
PID 5392 wrote to memory of 1776	5392	WindowsTerminal.exe	95
PID 1776 wrote to memory of 2768	1776	powershell.exe	96
PID 1776 wrote to memory of 2768	1776	powershell.exe	96

C:\Users\Admin\AppData\Local\Temp\stub\xeno rat client.exe
"C:\Users\Admin\AppData\Local\Temp\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4908

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3920

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2648

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe" -d "C:\Users\Admin\Desktop\."
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe -d "C:\Users\Admin\Desktop\."
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5392
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:4684
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa24 --server 0xa20
    3⤵
    PID:1076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\system32\Taskmgr.exe
      "C:\Windows\system32\Taskmgr.exe"
      4⤵
      Checks SCSI registry key(s)
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\3ffe2660-667d-42ea-90df-67336a78a03a.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
e52072c0483110c5aa1b304cb0304187

SHA1
2a51ef083fee7aa7c78ed6881c064c0e55203b11

SHA256
2038d0f02d255770ac5216a86f709bd5e7d2dc1b0a6942a86427cc76eee2c685

SHA512
8dee1c67873e338f64de674f4179ca6fd90475510ed2183e3bbff2becc3a625c8b1bb3118122cb6bf767804938cd8f9d41ac2c32101ba64579858d3309ad7959

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uolk0jvk.lpv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1776-31-0x00000221CF930000-0x00000221CF976000-memory.dmp

Filesize
280KB

Download
memory/1776-27-0x00000221B7060000-0x00000221B7082000-memory.dmp

Filesize
136KB

Download
memory/2768-33-0x0000021209D10000-0x0000021209D11000-memory.dmp

Filesize
4KB

Download
memory/2768-42-0x0000021209D10000-0x0000021209D11000-memory.dmp

Filesize
4KB

Download
memory/2768-44-0x0000021209D10000-0x0000021209D11000-memory.dmp

Filesize
4KB

Download
memory/2768-45-0x0000021209D10000-0x0000021209D11000-memory.dmp

Filesize
4KB

Download
memory/2768-43-0x0000021209D10000-0x0000021209D11000-memory.dmp

Filesize
4KB

Download
memory/2768-40-0x0000021209D10000-0x0000021209D11000-memory.dmp

Filesize
4KB

Download
memory/2768-34-0x0000021209D10000-0x0000021209D11000-memory.dmp

Filesize
4KB

Download
memory/2768-35-0x0000021209D10000-0x0000021209D11000-memory.dmp

Filesize
4KB

Download
memory/2768-39-0x0000021209D10000-0x0000021209D11000-memory.dmp

Filesize
4KB

Download
memory/2768-41-0x0000021209D10000-0x0000021209D11000-memory.dmp

Filesize
4KB

Download
memory/4908-4-0x00000000745F0000-0x0000000074DA1000-memory.dmp

Filesize
7.7MB

Download
memory/4908-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/4908-1-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/4908-2-0x00000000745F0000-0x0000000074DA1000-memory.dmp

Filesize
7.7MB

Download
memory/4908-3-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download