File name:	Xeno.exe
Full analysis:	https://app.any.run/tasks/56c04046-375e-45cf-b37b-6bd9ff4f3f14
Verdict:	Malicious activity
Threats:	DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	May 16, 2025, 13:54:13
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	dcrat rat remote darkcrystal evasion auto-sch netreactor wmi-base64 susp-powershell
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	8FBD36C911330D14E7A0AFFB0CE3FF4E
SHA1:	472E08F92A4E3DDE3338199BB28158F9F022ED50
SHA256:	51096AF2CC55018C55E4092FAE2E397247798A1761BAC808F9C396B4AF67E5DA
SSDEEP:	98304:PPKgSxGnQZD2yyPhSIOOaa/FYwb3A2y4KegCtID5Qc1XGmmSkJFr+10JkGOusdik:wOAnm6G8

.exe	\|	Win32 Executable MS Visual C++ 4.x (75)
.exe	\|	Win64 Executable (generic) (15.3)
.dll	\|	Win32 Dynamic Link Library (generic) (3.6)
.exe	\|	Win32 Executable (generic) (2.5)
.exe	\|	Win16/32 Executable Delphi generic (1.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:06:15 16:44:28+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	5.12
CodeSize:	3584
InitializedDataSize:	1955840
UninitializedDataSize:	-
EntryPoint:	0x1ae1
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.1.95.0
ProductVersionNumber:	1.1.95.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Xeno - Executor UI https://github.com/Riz-ve/Xeno
CompanyName:	XenoUI
FileDescription:	XenoUI
FileVersion:	1.1.95
InternalName:	XenoUI.dll
LegalCopyright:	Rizve
OriginalFileName:	XenoUI.dll
ProductName:	Project Xeno by Rizve
ProductVersion:	1.1.95+87ae4f96f8a0927052c1120167982fb069afd1b4
AssemblyVersion:	1.1.95.0


(PID) Process:	(4120) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation:	write	Name:	VBEFile
Value:
(PID) Process:	(5452) msComserverdriverdll.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\91e4d598789d1160a99b3ae6360c4a1cfac639ce
Operation:	write	Name:	711d995a7dc43671105d3305283391ff450a5c09
Value: H4sIAAAAAAAEAHWNsQ7CMBBDfwV1RnwAG00ZUSUQE8cQNQc5NclFlxTavydl6pLFku1n+dGoI8A9oSQAbTwFAMU8EhafyHLKB5yx2W+5Dl96chngsuw6HiaPIZcY5+hYUDYDZTWFLwXjHMAV35SyLLX+hloGe4qxBqz3fd+eW+GxfuOTYl/ID4oRWtW5P/v8AZnYWE/tAAAA
(PID) Process:	(6488) sihost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sihost_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6488) sihost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sihost_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6488) sihost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sihost_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6488) sihost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sihost_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6488) sihost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sihost_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6488) sihost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sihost_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6488) sihost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sihost_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6488) sihost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sihost_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0

PID	Process	Filename		Type
4120	Update.exe	C:\Chainwindll\msComserverdriverdll.exe		executable
		MD5:F87B67B30BC83B2559988FC5191131B7	SHA256:5B1B6626B6CBFE4E48BFAAC7A09B31CCE6DDB637DF1151B7AC094B1DB22347DF
5452	msComserverdriverdll.exe	C:\Chainwindll\7ccfebd9e92364		text
		MD5:F1DB92800B26B2C30012325238F05149	SHA256:B5CACFB7C805349309991B1F626B109C7D9ACCD60666CCEA559CE362628AC18F
5452	msComserverdriverdll.exe	C:\Users\admin\Desktop\ROZCyeWX.log		executable
		MD5:D8BF2A0481C0A17A634D066A711C12E9	SHA256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
3180	cmd.exe	C:\Users\admin\Desktop\Xeno.exe		executable
		MD5:C41F903645119AE792D59B00BD81E13E	SHA256:0BF71E29AF6D20267D1314C33CB78577D1F89BE155FF6B45CACB085E44C5B0BF
4120	Update.exe	C:\Chainwindll\3VbOz1.bat		text
		MD5:8AD3CF8E4EFCBB1B063371716CF7AD4B	SHA256:63DA978158CEBEF8BA9958D4A434EA48768ABC5E81B2E3F941749842CB42FBA8
5452	msComserverdriverdll.exe	C:\Users\admin\Desktop\dzfAEpgA.log		executable
		MD5:E9CE850DB4350471A62CC24ACB83E859	SHA256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
5452	msComserverdriverdll.exe	C:\Chainwindll\SearchApp.exe		executable
		MD5:F87B67B30BC83B2559988FC5191131B7	SHA256:5B1B6626B6CBFE4E48BFAAC7A09B31CCE6DDB637DF1151B7AC094B1DB22347DF
5452	msComserverdriverdll.exe	C:\Users\admin\Desktop\TRMkUNbS.log		executable
		MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0	SHA256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
5452	msComserverdriverdll.exe	C:\Chainwindll\UserOOBEBroker.exe		executable
		MD5:F87B67B30BC83B2559988FC5191131B7	SHA256:5B1B6626B6CBFE4E48BFAAC7A09B31CCE6DDB637DF1151B7AC094B1DB22347DF
5452	msComserverdriverdll.exe	C:\Chainwindll\38384e6a620884		text
		MD5:5BCF2E54D148E0D790A4C06491F4D747	SHA256:0ACAE8A003D1C6773511CD5F630445C32B9441CF7AAE7A3178FB72D1201015F4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4040	SIHClient.exe	GET	200	23.216.77.5:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
4040	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4040	SIHClient.exe	GET	200	23.216.77.5:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	23.216.77.31:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4040	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4040	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4040	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
4040	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
6488	sihost.exe	POST	200	185.176.43.98:80	http://zaoasderfdsxesdzx.mygamesonline.org/VmCpuprocessorMultiBaseuniversaltrack.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.216.77.31:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.159.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
google.com	142.250.181.238	whitelisted
crl.microsoft.com	23.216.77.31 23.216.77.6 23.216.77.39 23.216.77.5 23.216.77.30 23.216.77.33 23.216.77.10 23.216.77.38 23.216.77.41 23.216.77.12 23.216.77.7 23.216.77.14 23.216.77.18 23.216.77.13 23.216.77.35	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.250	whitelisted
login.live.com	20.190.159.68 20.190.159.130 20.190.159.75 20.190.159.128 20.190.159.129 40.126.31.128 20.190.159.73 40.126.31.71	whitelisted
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2 51.124.78.146	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
zaoasderfdsxesdzx.mygamesonline.org	185.176.43.98	malicious
ipinfo.io	34.117.59.81	whitelisted

PID	Process	Class	Message
6488	sihost.exe	Device Retrieving External IP Address Detected	ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6488	sihost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6488	sihost.exe	A Network Trojan was detected	REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
6488	sihost.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

General Info

Xeno.exe

8FBD36C911330D14E7A0AFFB0CE3FF4E

472E08F92A4E3DDE3338199BB28158F9F022ED50

51096AF2CC55018C55E4092FAE2E397247798A1761BAC808F9C396B4AF67E5DA

98304:PPKgSxGnQZD2yyPhSIOOaa/FYwb3A2y4KegCtID5Qc1XGmmSkJFr+10JkGOusdik:wOAnm6G8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses sleep, probably for evasion detection (SCRIPT)

DCRAT mutex has been found

Connects to the CnC server

DARKCRYSTAL has been detected (SURICATA)

DCRAT has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Hides command output

Runs PING.EXE to delay simulation

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Executed via WMI

The process creates files with name similar to system file names

Runs shell command (SCRIPT)

Reads the date of Windows installation

Starts application with an unusual extension

The executable file from the user directory is run by the CMD process

Checks for external IP

Reads browser cookies

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Create files in a temporary directory

Drops encrypted VBS script (Microsoft Script Encoder)

Reads the machine GUID from the registry

Reads Environment values

Failed to create an executable file in Windows directory

Creates files or folders in the user directory

Changes the display of characters in the console

Disables trace logs

Checks proxy server information

Reads the software policy settings

Found Base64 encoded reference to WMI classes (YARA)

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

.NET Reactor protector has been detected

Malware configuration

DcRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information