File name: xeno rat server.exe

Full analysis: https://app.any.run/tasks/860cf9b1-e687-446b-a01b-0bfbff36a2df
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users' data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: June 30, 2024, 11:31:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: xenorat, rat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 3987EE127F2A2CF8A29573D4E111A8E8
SHA1: FC253131E832297967F93190217F0CE403E38CB0
SHA256: 3D00A800474DDF382212E003222805BD74665B69CEC43B554F91C3CD9EDF04C4
SSDEEP: 98304:2eYQH56f6BclJkmK7TpbMb61RPC9JxsOCf5bZd69EkflB2bz14bdZagk3gx6qqFt:qH1H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • xeno rat server.exe (PID: 3392)
    • XenoRAT has been detected (FILE)
      • xeno rat server.exe (PID: 3392)
    • XENORAT has been detected (YARA)
      • xeno rat server.exe (PID: 3392)
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Reads the machine GUID from the registry
      • xeno rat server.exe (PID: 3392)
    • Checks supported languages
      • xeno rat server.exe (PID: 3392)
    • Reads the computer name
      • xeno rat server.exe (PID: 3392)
    • Creates files in a temporary directory
      • xeno rat server.exe (PID: 3392)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: xeno rat server
OriginalFileName: xeno rat server.exe
LegalTrademarks: -
LegalCopyright: Copyright © 2023
InternalName: xeno rat server.exe
FileVersion: 1.0.0.0
FileDescription: xeno rat server
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1c975e
UninitializedDataSize: -
InitializedDataSize: 215040
CodeSize: 1865728
LinkerVersion: 48
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2055:12:08 14:14:02+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #XENORAT xeno rat server.exe no specs

Process information

PID: 3392
CMD: "C:\Users\admin\AppData\Local\Temp\xeno rat server.exe"
Path: C:\Users\admin\AppData\Local\Temp\xeno rat server.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: xeno rat server
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\xeno rat server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 8 462
Read events: 8 354
Write events: 102
Delete events: 6

Modification events

PID 3392 (xeno rat server.exe) | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU | Operation: write | Name: 5 | Value:
PID 3392 (xeno rat server.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Operation: write | Name: NodeSlots | Value:
PID 3392 (xeno rat server.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Operation: write | Name: MRUListEx | Value:
01000000070000000000000002000000060000000B0000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF
PID 3392 (xeno rat server.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | Operation: write | Name: 2 | Value:
7A00310000000000AD58218A11004465736B746F7000640008000400EFBE454B814AAD58218A2A0000007B0100000000020000000000000000003A00000000004400650073006B0074006F007000000040007300680065006C006C00330032002E0064006C006C002C002D0032003100370036003900000016000000
PID 3392 (xeno rat server.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\2 | Operation: delete value | Name: MRUList | Value: (none)
PID 3392 (xeno rat server.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | Operation: write | Name: MRUListEx | Value:
020000000000000001000000FFFFFFFF
PID 3392 (xeno rat server.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Operation: write | Name: NodeSlots | Value:
PID 3392 (xeno rat server.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\2 | Operation: write | Name: NodeSlot | Value:
228
PID 3392 (xeno rat server.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\2 | Operation: write | Name: MRUListEx | Value:
FFFFFFFF
PID 3392 (xeno rat server.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\228\Shell | Operation: write | Name: KnownFolderDerivedFolderType | Value:
{57807898-8C4F-4462-BB63-71042380B109}
Executable files: 0
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3392 | xeno rat server.exe | C:\Users\admin\AppData\Local\Temp\Config.json | binary
MD5: 583A319B6DEA1F675F81B83860ABA123
SHA256: 596290A83136810084638ABE18DFE86EE2A576360406E57C9836A5C7B6B5B70F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 12
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1060 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 | unknown | | | unknown
1372 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | | | unknown
1372 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
1372 | svchost.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2564 | svchost.exe | 239.255.255.250:3702 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1372 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
1060 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 88.221.125.143 | whitelisted

Threats

No threats detected
No debug info