download:

/moom825/xeno-rat/releases/download/1.8.7/Release.zip

Full analysis: https://app.any.run/tasks/db9a8711-bb4c-4e03-b18f-2845f718e7a9
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that lets attackers gain partial or complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common RAT features are access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: February 28, 2024, 01:46:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
xenorat
rat
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

89661A9FF6DE529497FEC56A112BF75E

SHA1:

2DD31A19489F4D7C562B647F69117E31B894B5C3

SHA256:

E7B275D70655DB9CB43FA606BBE2E4F22478CA4962BBF9F299D66EDA567D63CD

SSDEEP:

98304:wNVvRimoF+YQoLlfgBb+m56OGaU6CEn7F1OZdE1kg85oChtnqBVc3dw9/nf90xbS:zhlBP92q1tY45Yf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3672)
      • xeno rat server.exe (PID: 3772)
    • XenoRAT has been detected (FILE)

      • WinRAR.exe (PID: 3672)
      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • XENORAT has been detected (YARA)

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
  • SUSPICIOUS

    • Reads the Internet Settings

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Executable content was dropped or overwritten

      • xeno rat server.exe (PID: 3772)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3672)
    • Starts CMD.EXE for commands execution

      • pattern.exe (PID: 3956)
    • Reads security settings of Internet Explorer

      • pattern.exe (PID: 3956)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3672)
    • Checks supported languages

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Manual execution by a user

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Reads the machine GUID from the registry

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Reads the computer name

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:02:14 19:18:30
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: stub/
No data.
All screenshots are available in the full report
Total processes
44
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Processes in the graph:
start
winrar.exe (#XENORAT)
xeno rat server.exe (#XENORAT)
pattern.exe (#XENORAT)
cmd.exe (no specs)
choice.exe (no specs)

Process information

PID:
952
CMD:
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\Desktop\pattern.exe"
Path:
C:\Windows\System32\cmd.exe
Parent process:
pattern.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1216
CMD:
choice /C Y /N /D Y /T 3
Path:
C:\Windows\System32\choice.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
PID:
3672
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Release.zip"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID:
3772
CMD:
"C:\Users\admin\Desktop\release\xeno rat server.exe"
Path:
C:\Users\admin\Desktop\release\xeno rat server.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
xeno rat server
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\release\xeno rat server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
3956
CMD:
"C:\Users\admin\Desktop\pattern.exe"
Path:
C:\Users\admin\Desktop\pattern.exe
Parent process:
explorer.exe
User:
admin
Company:
Xeno
Integrity Level:
MEDIUM
Description:
Client
Exit code:
4294967295
Version:
3.2.1.0
Modules
Images
c:\users\admin\desktop\pattern.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
22 075
Read events
21 988
Write events
81
Delete events
6

Modification events

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\Release.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120
Executable files
22
Suspicious files
0
Text files
255
Unknown types
1

Dropped files

PID | Process | Filename | Type

3672 | WinRAR.exe | C:\Users\admin\Desktop\release\country_flags\al.png | image
MD5: 8109ADB0C3BAF5D82C44385AFB369943
SHA256: 2E005216BE2A847983EBE9A5A4B4FF2936C9008CC7C925ED7059350D4FCF370D

3672 | WinRAR.exe | C:\Users\admin\Desktop\release\country_flags\at.png | image
MD5: 47386D35C3BC3D7BA01D5A1ADCB240EE
SHA256: F9167D1381D27D03C461B8D467406B08B1EC1CA128EF455224A79A54EF1C4CBA

3672 | WinRAR.exe | C:\Users\admin\Desktop\release\country_flags\am.png | image
MD5: D833529F7FA3D6229F5D2022DFEFD1E6
SHA256: 484FB381D03D5E519FAB2C4DDE2B78F13E67594713DCF4083A55D713A1EDDAE7

3672 | WinRAR.exe | C:\Users\admin\Desktop\release\country_flags\ad.png | image
MD5: 68474A4935598753955993CCBD7062B3
SHA256: 6E45D3CEC2A17A9B9353B68288934E7C4931A36EC271B595750BF8441AFAE019

3672 | WinRAR.exe | C:\Users\admin\Desktop\release\xeno rat server.exe | executable
MD5: 3987EE127F2A2CF8A29573D4E111A8E8
SHA256: 3D00A800474DDF382212E003222805BD74665B69CEC43B554F91C3CD9EDF04C4

3672 | WinRAR.exe | C:\Users\admin\Desktop\release\country_flags\aq.png | image
MD5: BF7280A322BAC987EE3E421DBC5F6330
SHA256: 956390E90C1A201ED454B741EEAD49964393C3026D5882C47B02F564C7C94564

3672 | WinRAR.exe | C:\Users\admin\Desktop\release\country_flags\ao.png | image
MD5: 1B6993D439CD730838399AEC3B0FB44B
SHA256: 27E99589098BF031636FA0EAE8AD7881E54181978135375C7F599F6E49FA8FA6

3672 | WinRAR.exe | C:\Users\admin\Desktop\release\country_flags\ai.png | image
MD5: 2E5628753B22D149925F2EDCA861CCE8
SHA256: D95DF82E43D2E94018A777083E68BB5A00260912037FC02243DDFE3A0A377F45

3672 | WinRAR.exe | C:\Users\admin\Desktop\release\country_flags\ar.png | image
MD5: 69CF780D75E1619D4EF97A1CFB485F37
SHA256: 8438D5E69E23EDC2054C6CA8F5B5EAE4BBDA37ADEC341A2F63E44EC7AF2EE3AE

3672 | WinRAR.exe | C:\Users\admin\Desktop\release\country_flags\ag.png | image
MD5: F16D86D6CD9EFED9D56C4E27222225CC
SHA256: 8CF632B5D10C24E29C68082BDBA8737269F5160360985F9C306E8B20940552AC
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info