Download: /moom825/xeno-rat/releases/download/1.8.7/Release.zip

Full analysis: https://app.any.run/tasks/db9a8711-bb4c-4e03-b18f-2845f718e7a9
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: February 28, 2024, 01:46:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
xenorat
rat
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

89661A9FF6DE529497FEC56A112BF75E

SHA1:

2DD31A19489F4D7C562B647F69117E31B894B5C3

SHA256:

E7B275D70655DB9CB43FA606BBE2E4F22478CA4962BBF9F299D66EDA567D63CD

SSDEEP:

98304:wNVvRimoF+YQoLlfgBb+m56OGaU6CEn7F1OZdE1kg85oChtnqBVc3dw9/nf90xbS:zhlBP92q1tY45Yf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3672)
      • xeno rat server.exe (PID: 3772)
    • XenoRAT has been detected (FILE)

      • WinRAR.exe (PID: 3672)
      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • XENORAT has been detected (YARA)

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3672)
    • Reads the Internet Settings

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Executable content was dropped or overwritten

      • xeno rat server.exe (PID: 3772)
    • Reads security settings of Internet Explorer

      • pattern.exe (PID: 3956)
    • Starts CMD.EXE for commands execution

      • pattern.exe (PID: 3956)
  • INFO

    • Checks supported languages

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Reads the computer name

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Manual execution by a user

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3672)
    • Reads the machine GUID from the registry

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:02:14 19:18:30
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: stub/
No data.
All screenshots are available in the full report
Total processes
44
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Processes shown in the graph: winrar.exe (#XENORAT), xeno rat server.exe (#XENORAT), pattern.exe (#XENORAT), cmd.exe (no specs), choice.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 952
CMD: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\Desktop\pattern.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: pattern.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1216
CMD: choice /C Y /N /D Y /T 3
Path: C:\Windows\System32\choice.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
PID: 3672
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Release.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3772
CMD: "C:\Users\admin\Desktop\release\xeno rat server.exe"
Path: C:\Users\admin\Desktop\release\xeno rat server.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
xeno rat server
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\release\xeno rat server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3956
CMD: "C:\Users\admin\Desktop\pattern.exe"
Path: C:\Users\admin\Desktop\pattern.exe
Parent process: explorer.exe
User:
admin
Company:
Xeno
Integrity Level:
MEDIUM
Description:
Client
Exit code:
4294967295
Version:
3.2.1.0
Modules
Images
c:\users\admin\desktop\pattern.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
22 075
Read events
21 988
Write events
81
Delete events
6

Modification events

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Release.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
22
Suspicious files
0
Text files
255
Unknown types
1

Dropped files

Columns: PID, Process, Filename, Type

Process: WinRAR.exe (PID: 3672)
Filename: C:\Users\admin\Desktop\release\country_flags\af.png
Type: image
MD5: B438E2FCC22B7B7138A2270B0C46C11C
SHA256: 2E738E232BA262BD7B40D39F0A8EF1B68204381B0F5D97367C8B827AEA9E83BE

Process: WinRAR.exe (PID: 3672)
Filename: C:\Users\admin\Desktop\release\xeno rat server.exe
Type: executable
MD5: 3987EE127F2A2CF8A29573D4E111A8E8
SHA256: 3D00A800474DDF382212E003222805BD74665B69CEC43B554F91C3CD9EDF04C4

Process: WinRAR.exe (PID: 3672)
Filename: C:\Users\admin\Desktop\release\stub\xeno rat client.exe
Type: executable
MD5: D23D8120AF87A615A456A12B43D4A98A
SHA256: 27178A08E0D8FB6E5E31AE9BFF6194A5224406666FA1F528D4719C1E4A8EFD67

Process: WinRAR.exe (PID: 3672)
Filename: C:\Users\admin\Desktop\release\country_flags\ad.png
Type: image
MD5: 68474A4935598753955993CCBD7062B3
SHA256: 6E45D3CEC2A17A9B9353B68288934E7C4931A36EC271B595750BF8441AFAE019

Process: WinRAR.exe (PID: 3672)
Filename: C:\Users\admin\Desktop\release\country_flags\az.png
Type: image
MD5: 8E6C46E33D4AB8CE843FD82BF0CD164B
SHA256: 95DF1829F101A8F4ADC6E3E7F4E1F8D6224CC0B8127729032D645B26CCA7B0FD

Process: WinRAR.exe (PID: 3672)
Filename: C:\Users\admin\Desktop\release\country_flags\as.png
Type: image
MD5: D3FA2CAF8084EA005F29DACE6A1C1A2B
SHA256: 4C4D9B46EE8B8648976FBF45F3BAA20F1D2BD81D955F4AD12E5F185F0184BEC0

Process: WinRAR.exe (PID: 3672)
Filename: C:\Users\admin\Desktop\release\country_flags\ar.png
Type: image
MD5: 69CF780D75E1619D4EF97A1CFB485F37
SHA256: 8438D5E69E23EDC2054C6CA8F5B5EAE4BBDA37ADEC341A2F63E44EC7AF2EE3AE

Process: WinRAR.exe (PID: 3672)
Filename: C:\Users\admin\Desktop\release\country_flags\au.png
Type: image
MD5: 15BBD2633ED2F55B2022585C40300988
SHA256: 515102FB7DAB425BB3492EAA94E7AC51306D93D01DC8FA83AAF7AD9D3DF00B62

Process: WinRAR.exe (PID: 3672)
Filename: C:\Users\admin\Desktop\release\country_flags\ax.png
Type: image
MD5: 27E057F1AA91F3A3FDBF354C701E9AB8
SHA256: F81DF1B62A4476DBBC0237F024F18BB509C62037C319FB252B86D8DE8D59D122

Process: WinRAR.exe (PID: 3672)
Filename: C:\Users\admin\Desktop\release\country_flags\ba.png
Type: image
MD5: 4EB708FB9510B271281D25752D504718
SHA256: 7B523C68FEFE0A7DF99E8703980206E728D3C339E1326B70824292CE654097FF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (Domain, ASN and CN are empty for every row below)

Process: System (PID: 4)
IP: 192.168.100.255:137
Reputation: whitelisted

Process: System (PID: 4)
IP: 192.168.100.255:138
Reputation: whitelisted

Process: svchost.exe (PID: 1080)
IP: 224.0.0.252:5355
Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info