File name:

BootstrapperNew.exe

Full analysis: https://app.any.run/tasks/7c7b8f31-17e2-46b2-b94b-ac3534230100
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: February 17, 2025, 06:45:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xenorat
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

E04FFBC3F3DD5111FF1334D266652B79

SHA1:

B84171D543DD9F345813F0220142B9CFD9132E12

SHA256:

CD2C66350BCCDD0152B592B3E7CB2C999E7923171F21A2CE887AC0D4EAF2032A

SSDEEP:

768:9SH6yksiDKADNyU2uijj/sjAeh7nmNMUEuS5gZ5SbTDaTyInvJ3:o9uDDjAeh7mGUEuSi5SbT+yId

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XenoRAT has been detected (FILE)

      • BootstrapperNew.exe (PID: 2008)
      • BootstrapperNew.exe (PID: 4528)

    • XENORAT mutex has been found

      • BootstrapperNew.exe (PID: 4528)

    • XENORAT has been detected

      • BootstrapperNew.exe (PID: 4528)

    • Changes the autorun value in the registry

      • BootstrapperNew.exe (PID: 4528)

    • XENORAT has been detected (YARA)

      • BootstrapperNew.exe (PID: 4528)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • BootstrapperNew.exe (PID: 2008)

    • Executable content was dropped or overwritten

      • BootstrapperNew.exe (PID: 2008)

    • Starts itself from another location

      • BootstrapperNew.exe (PID: 2008)

    • Connects to unusual port

      • BootstrapperNew.exe (PID: 4528)

  • INFO

    • Checks supported languages

      • BootstrapperNew.exe (PID: 2008)
      • BootstrapperNew.exe (PID: 4528)

    • Creates files or folders in the user directory

      • BootstrapperNew.exe (PID: 2008)

    • Reads the computer name

      • BootstrapperNew.exe (PID: 2008)
      • BootstrapperNew.exe (PID: 4528)

    • Process checks computer location settings

      • BootstrapperNew.exe (PID: 2008)

    • Reads the machine GUID from the registry

      • BootstrapperNew.exe (PID: 4528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2067:04:09 13:44:02+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 44032
InitializedDataSize: 6656
UninitializedDataSize: -
EntryPoint: 0xcb5e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.2.1.0
ProductVersionNumber: 1.2.3.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Solara
FileDescription: Dependinces for Solara Bootstrapper
FileVersion: 3.2.1.0
InternalName: xeno rat client.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: Solara
OriginalFileName: BootstrapperNew 1
ProductName: Solara Bootstrapper
ProductVersion: 1.2.3.0
AssemblyVersion: 1.2.3.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
113
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XENORAT bootstrappernew.exe #XENORAT bootstrappernew.exe

Process information

PID
CMD
Path
Indicators
Parent process
2008"C:\Users\admin\Desktop\BootstrapperNew.exe" C:\Users\admin\Desktop\BootstrapperNew.exe
explorer.exe
User:
admin
Company:
Solara
Integrity Level:
MEDIUM
Description:
Dependinces for Solara Bootstrapper
Exit code:
0
Version:
3.2.1.0
Modules
Images
c:\users\admin\desktop\bootstrappernew.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4528"C:\Users\admin\AppData\Roaming\XenoManager\BootstrapperNew.exe" C:\Users\admin\AppData\Roaming\XenoManager\BootstrapperNew.exe
BootstrapperNew.exe
User:
admin
Company:
Solara
Integrity Level:
MEDIUM
Description:
Dependinces for Solara Bootstrapper
Version:
3.2.1.0
Modules
Images
c:\users\admin\appdata\roaming\xenomanager\bootstrappernew.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
502
Read events
501
Write events
1
Delete events
0

Modification events

(PID) Process:(4528) BootstrapperNew.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Solara Bootstrapper Dependinces
Value:
"C:\Users\admin\AppData\Roaming\XenoManager\BootstrapperNew.exe"
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2008BootstrapperNew.exeC:\Users\admin\AppData\Roaming\XenoManager\BootstrapperNew.exeexecutable
MD5:E04FFBC3F3DD5111FF1334D266652B79
SHA256:CD2C66350BCCDD0152B592B3E7CB2C999E7923171F21A2CE887AC0D4EAF2032A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
21
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.186:443
Akamai International B.V.
DE
unknown
4712
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4528
BootstrapperNew.exe
108.77.173.66:4758
ATT-INTERNET4
US
malicious
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.106
  • 2.16.164.43
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 52.168.117.174
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BootstrapperNew.exe