Analysis Overview
SHA256
add0eddbaee1ea36c8f7879c17b3b5fc0f2cf0982b47c9aecf66b6b97a2d3ca4
Threat Level: Known bad
The file Client.exe was found to be: Known bad.
Malicious Activity Summary
Detect XenoRat Payload
XenorRat
Xenorat family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-22 19:53
Signatures
Detect XenoRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-22 19:53
Reported
2025-03-22 19:56
Platform
win7-20240903-en
Max time kernel
131s
Max time network
142s
Command Line
Signatures
Detect XenoRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XenorRat
Xenorat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Update.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA69B.tmp" /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | anyone-center.gl.at.ply.gg | udp |
| US | 147.185.221.27:8080 | anyone-center.gl.at.ply.gg | tcp |
| US | 147.185.221.27:8080 | anyone-center.gl.at.ply.gg | tcp |
| US | 147.185.221.27:8080 | anyone-center.gl.at.ply.gg | tcp |
| US | 147.185.221.27:8080 | anyone-center.gl.at.ply.gg | tcp |
| US | 147.185.221.27:8080 | anyone-center.gl.at.ply.gg | tcp |
Files
memory/2900-0-0x000000007408E000-0x000000007408F000-memory.dmp
memory/2900-1-0x0000000000CB0000-0x0000000000CC2000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe
| MD5 | dd96a8b21fb100affb8df038d0b8b571 |
| SHA1 | d51aaf85de04ba1f9d0fdb15579d9bd7a2fd343c |
| SHA256 | add0eddbaee1ea36c8f7879c17b3b5fc0f2cf0982b47c9aecf66b6b97a2d3ca4 |
| SHA512 | fe509d0e9719e20ea85775f96f9367d91881c1e485e50aa22cfb677e186c1ffd9352deed72373ca37abe06180097438e6038164b30991b1e9087f53298942d47 |
memory/2400-9-0x0000000000A90000-0x0000000000AA2000-memory.dmp
memory/2400-10-0x0000000074080000-0x000000007476E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA69B.tmp
| MD5 | e8866bed06a0b5155010fbbf77e2c1b6 |
| SHA1 | ac340e71878732fdb9baa7370e46e0d131b587ea |
| SHA256 | 1dd2854ea9bd999669c85d57a63402a9cd2879ad3c94b86981e9eb3251d87a2a |
| SHA512 | 1d702e5d9273af39aea0df3fcce0df4979f9c361d52673d7a0916c2b55765536596d8dc1aadb3c27d2e3a001c3a5269e7146fc44d20af11c08394932ff633990 |
memory/2400-13-0x0000000074080000-0x000000007476E000-memory.dmp
memory/2400-14-0x0000000074080000-0x000000007476E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-22 19:53
Reported
2025-03-22 19:56
Platform
win10v2004-20250314-en
Max time kernel
133s
Max time network
152s
Command Line
Signatures
Detect XenoRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XenorRat
Xenorat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2664 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe |
| PID 2664 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe |
| PID 2664 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe |
| PID 2852 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2852 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2852 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Update.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9ED0.tmp" /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | anyone-center.gl.at.ply.gg | udp |
| US | 147.185.221.27:8080 | anyone-center.gl.at.ply.gg | tcp |
| US | 147.185.221.27:8080 | anyone-center.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 147.185.221.27:8080 | anyone-center.gl.at.ply.gg | tcp |
| US | 147.185.221.27:8080 | anyone-center.gl.at.ply.gg | tcp |
| US | 147.185.221.27:8080 | anyone-center.gl.at.ply.gg | tcp |
Files
memory/2664-0-0x00000000747DE000-0x00000000747DF000-memory.dmp
memory/2664-1-0x0000000000270000-0x0000000000282000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe
| MD5 | dd96a8b21fb100affb8df038d0b8b571 |
| SHA1 | d51aaf85de04ba1f9d0fdb15579d9bd7a2fd343c |
| SHA256 | add0eddbaee1ea36c8f7879c17b3b5fc0f2cf0982b47c9aecf66b6b97a2d3ca4 |
| SHA512 | fe509d0e9719e20ea85775f96f9367d91881c1e485e50aa22cfb677e186c1ffd9352deed72373ca37abe06180097438e6038164b30991b1e9087f53298942d47 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/2852-15-0x00000000747D0000-0x0000000074F80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9ED0.tmp
| MD5 | e8866bed06a0b5155010fbbf77e2c1b6 |
| SHA1 | ac340e71878732fdb9baa7370e46e0d131b587ea |
| SHA256 | 1dd2854ea9bd999669c85d57a63402a9cd2879ad3c94b86981e9eb3251d87a2a |
| SHA512 | 1d702e5d9273af39aea0df3fcce0df4979f9c361d52673d7a0916c2b55765536596d8dc1aadb3c27d2e3a001c3a5269e7146fc44d20af11c08394932ff633990 |
memory/2852-18-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/2852-19-0x00000000747D0000-0x0000000074F80000-memory.dmp