Analysis Overview
SHA256
b26ff883b2cbd4fb188d37e7ec073ac5db545346b3ba748108bd5c55fb48cc23
Threat Level: Known bad
The file EacSpoofr.exe was found to be: Known bad.
Malicious Activity Summary
Detect XenoRat Payload
Xenorat family
XenorRat
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-26 04:33
Signatures
Detect XenoRat Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-26 04:33
Reported
2025-03-26 04:36
Platform
win10v2004-20250314-en
Max time kernel
129s
Max time network
129s
Command Line
Signatures
Detect XenoRat Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
XenorRat
Xenorat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2252 wrote to memory of 5936 | N/A | C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2252 wrote to memory of 5936 | N/A | C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2252 wrote to memory of 5936 | N/A | C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe
"C:\Users\Admin\AppData\Local\Temp\EacSpoofr.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Microsoft" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A74.tmp" /F
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | Knokaaa-35772.portmap.host | udp |
| DE | 193.161.193.99:35772 | Knokaaa-35772.portmap.host | tcp |
| DE | 193.161.193.99:35772 | Knokaaa-35772.portmap.host | tcp |
| DE | 193.161.193.99:35772 | Knokaaa-35772.portmap.host | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2252-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
memory/2252-1-0x00000000003A0000-0x00000000003B2000-memory.dmp
memory/2252-2-0x0000000074B20000-0x00000000752D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5A74.tmp
| Hash | Value |
|---|---|
| MD5 | 85780967de318c4ee5165c72e59d310a |
| SHA1 | 7e603003a56c100a92d0b513b09778959fb7997b |
| SHA256 | 1b8bd19684f99800f63ae2376f445f9cb696972bd11a3c54d5e8041fac98ff88 |
| SHA512 | cf106c6fadc564344c3f15c11648941ab402f3085f3177a7703d41c026dc72478b56e5e888667197d01c814f496026a992326ae11e8cba80e5a0be591526623c |
memory/2252-5-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
memory/2252-6-0x00000000058C0000-0x0000000005926000-memory.dmp
memory/2252-7-0x0000000074B20000-0x00000000752D0000-memory.dmp