download:

/moom825/xeno-rat/releases/download/1.8.7/Release.zip

Full analysis: https://app.any.run/tasks/db9a8711-bb4c-4e03-b18f-2845f718e7a9
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that gives attackers partial or complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activities on compromised systems. Some of the most common RAT features are access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: February 28, 2024, 01:46:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
xenorat
rat
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 89661A9FF6DE529497FEC56A112BF75E
SHA1: 2DD31A19489F4D7C562B647F69117E31B894B5C3
SHA256: E7B275D70655DB9CB43FA606BBE2E4F22478CA4962BBF9F299D66EDA567D63CD
SSDEEP: 98304:wNVvRimoF+YQoLlfgBb+m56OGaU6CEn7F1OZdE1kg85oChtnqBVc3dw9/nf90xbS:zhlBP92q1tY45Yf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3672)
      • xeno rat server.exe (PID: 3772)
    • XenoRAT has been detected (FILE)

      • WinRAR.exe (PID: 3672)
      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • XENORAT has been detected (YARA)

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3672)
    • Reads the Internet Settings

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Executable content was dropped or overwritten

      • xeno rat server.exe (PID: 3772)
    • Starts CMD.EXE for commands execution

      • pattern.exe (PID: 3956)
    • Reads security settings of Internet Explorer

      • pattern.exe (PID: 3956)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3672)
    • Checks supported languages

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Manual execution by a user

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Reads the computer name

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
    • Reads the machine GUID from the registry

      • xeno rat server.exe (PID: 3772)
      • pattern.exe (PID: 3956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:02:14 19:18:30
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: stub/
No data.
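The EXIF fields above (ZipRequiredVersion 10, compression None, a DOS-packed modification time, a zero CRC and a "stub/" name) are read straight out of the first ZIP local file header. The following Python is an added example, not code from the ANY.RUN report or the xeno-rat project: it parses local file headers with struct instead of trusting the zipfile module, decodes the MS-DOS date/time, and prints the same field names the report uses. The archive it runs on is constructed in memory (a stored "stub/" directory entry and one small text file stamped 2024-02-14 19:18:30); it is not the real Release.zip. Entries that use a data descriptor (flag bit 3) carry zero sizes in the local header, so the parser refuses them rather than reporting misleading values.

```python
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass

# ZIP local file header: signature, version needed, flags, method, DOS time,
# DOS date, CRC-32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)   # 30 bytes
LOCAL_HEADER_SIG = 0x04034B50
CENTRAL_DIR_SIG = 0x02014B50
FLAG_DATA_DESCRIPTOR = 0x0008   # CRC/sizes follow the data instead of living in this header
FLAG_UTF8_NAMES = 0x0800
COMPRESSION_NAMES = {0: "None", 8: "Deflate", 12: "BZip2", 14: "LZMA"}


@dataclass
class LocalEntry:
    required_version: int      # raw value; 10 means "version 1.0 needed to extract"
    bit_flag: int
    compression: str
    modify_date: str           # exiftool-style "YYYY:MM:DD HH:MM:SS"
    crc: int
    compressed_size: int
    uncompressed_size: int
    file_name: str


def dos_datetime(dosdate: int, dostime: int) -> str:
    """Decode the MS-DOS packed date/time used in ZIP headers (2-second resolution)."""
    year = ((dosdate >> 9) & 0x7F) + 1980
    month = (dosdate >> 5) & 0x0F
    day = dosdate & 0x1F
    hour = (dostime >> 11) & 0x1F
    minute = (dostime >> 5) & 0x3F
    second = (dostime & 0x1F) * 2
    return f"{year:04d}:{month:02d}:{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def parse_local_headers(data: bytes) -> list[LocalEntry]:
    """Walk local file headers from offset 0 until the central directory starts."""
    entries = []
    pos = 0
    while pos + LOCAL_HEADER_LEN <= len(data):
        (sig, version, flags, method, dostime, dosdate, crc,
         csize, usize, name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        if sig == CENTRAL_DIR_SIG:
            break
        if sig != LOCAL_HEADER_SIG:
            raise ValueError(f"unexpected signature {sig:#010x} at offset {pos}")
        if flags & FLAG_DATA_DESCRIPTOR:
            # Streamed entries store 0 here; only the central directory is authoritative.
            raise ValueError(f"entry at offset {pos} uses a data descriptor; read the central directory")
        name_start = pos + LOCAL_HEADER_LEN
        raw_name = data[name_start:name_start + name_len]
        name = raw_name.decode("utf-8" if flags & FLAG_UTF8_NAMES else "cp437")
        entries.append(LocalEntry(version, flags, COMPRESSION_NAMES.get(method, f"unknown({method})"),
                                  dos_datetime(dosdate, dostime), crc, csize, usize, name))
        pos = name_start + name_len + extra_len + csize   # skip name, extra field and file data
    return entries


# Constructed sample archive (not the real Release.zip): a stored "stub/" directory entry
# and one small file, both stamped with the modification time shown in the report.
SAMPLE_PAYLOAD = b"constructed sample payload\n"
SAMPLE_PAYLOAD_CRC = zlib.crc32(SAMPLE_PAYLOAD)


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, payload in (("stub/", b""), ("stub/readme.txt", SAMPLE_PAYLOAD)):
            info = zipfile.ZipInfo(name, date_time=(2024, 2, 14, 19, 18, 30))
            info.extract_version = 10   # "version needed to extract" = 1.0, as in the report
            zf.writestr(info, payload)
    return buf.getvalue()


def describe(entry: LocalEntry) -> str:
    """Render one entry with the field names the report's EXIF section uses."""
    return (f"ZipRequiredVersion: {entry.required_version}\n"
            f"ZipBitFlag: {entry.bit_flag:#06x}\n"
            f"ZipCompression: {entry.compression}\n"
            f"ZipModifyDate: {entry.modify_date}\n"
            f"ZipCRC: 0x{entry.crc:08X}\n"
            f"ZipCompressedSize: {entry.compressed_size}\n"
            f"ZipUncompressedSize: {entry.uncompressed_size}\n"
            f"ZipFileName: {entry.file_name}")


if __name__ == "__main__":
    for entry in parse_local_headers(build_sample_zip()):
        print(describe(entry), end="\n\n")
```

Run it against a real archive with `parse_local_headers(open(path, "rb").read())`; the first entry it prints corresponds to what the report's EXIF section shows, and a header whose name, sizes or method disagree with the central directory is itself a signal worth a closer look.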
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start: winrar.exe [#XENORAT], xeno rat server.exe [#XENORAT], pattern.exe [#XENORAT], cmd.exe (no specs), choice.exe (no specs)

Process information

PID: 952
CMD: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\Desktop\pattern.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: pattern.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1216
CMD: choice /C Y /N /D Y /T 3
Path: C:\Windows\System32\choice.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Offers the user a choice
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
PID: 3672
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Release.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3772
CMD: "C:\Users\admin\Desktop\release\xeno rat server.exe"
Path: C:\Users\admin\Desktop\release\xeno rat server.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: xeno rat server
Exit code: 4294967295
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\release\xeno rat server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3956
CMD: "C:\Users\admin\Desktop\pattern.exe"
Path: C:\Users\admin\Desktop\pattern.exe
Parent process: explorer.exe
User: admin
Company: Xeno
Integrity Level: MEDIUM
Description: Client
Exit code: 4294967295
Version: 3.2.1.0
Modules (images):
c:\users\admin\desktop\pattern.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
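The cmd.exe entry (PID 952, parent pattern.exe) in the process list above is a self-deletion routine: the client spawns a shell that waits with choice (/C Y /N /D Y /T 3 offers only Y and auto-selects it after 3 seconds; choice returns the 1-based index of the selected option, which is the exit code 1 recorded for PID 1216) and then deletes the parent's own image once that process has exited and Windows has released the mapped file. The single `&` rather than `&&` runs Del whatever choice returned. The Python below is an added example, not code from the ANY.RUN report or the xeno-rat project: a detector over constructed process-creation records modelled on the PIDs, paths and command lines in this report, plus two constructed events (PIDs 2001 and 2101) that are not in the report. It flags a cmd.exe whose command line chains a wait primitive before del/erase and classifies the hit as a self-delete when the deleted path is the parent process's image. The timeout and ping -n variants are assumed common equivalents of the choice delay and go beyond the single sample seen here.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 or EDR telemetry carry)."""
    pid: int
    image: str          # full path of the new process
    command_line: str
    parent_pid: int
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    pid: int
    parent_pid: int
    technique: str      # "self-delete" or "delayed-delete"
    delay_via: str      # which wait primitive preceded the delete
    delay_seconds: int
    target: str         # normalised path handed to del/erase


# Wait primitives chained before a delete. The report's sample uses `choice /T 3`;
# `timeout` and `ping -n` are assumed equivalents, not taken from the report.
DELAY_PATTERNS = {
    "choice": re.compile(r"\bchoice\b[^&|]*?/T\s+(\d+)", re.I),
    "timeout": re.compile(r"\btimeout\b[^&|]*?(?:/T\s+)?(\d+)", re.I),
    "ping": re.compile(r"\bping\b[^&|]*?-n\s+(\d+)", re.I),
}
# del/erase, optional switches such as /Q or /F, then a quoted or bare path.
DELETE_PATTERN = re.compile(r'\b(?:del|erase)\b\s+(?:/[a-z]\s+)*(?:"([^"]+)"|(\S+))', re.I)


def normalize_path(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").lower()


def analyze(event: ProcessEvent) -> Optional[Finding]:
    """Flag a cmd.exe that waits and then deletes a file; classify by what it deletes."""
    if not event.image.lower().endswith("\\cmd.exe"):
        return None
    delete = DELETE_PATTERN.search(event.command_line)
    if not delete:
        return None
    for via, pattern in DELAY_PATTERNS.items():
        delay = pattern.search(event.command_line)
        if delay and delay.start() < delete.start():   # the wait must come before the delete
            break
    else:
        return None   # a plain del with no wait is ordinary script noise
    target = normalize_path(delete.group(1) or delete.group(2))
    technique = "self-delete" if target == normalize_path(event.parent_image) else "delayed-delete"
    return Finding(event.pid, event.parent_pid, technique, via, int(delay.group(1)), target)


def scan(events: list[ProcessEvent]) -> list[Finding]:
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed events modelled on the report's PIDs and command lines (3956, 952, 1216);
# the explorer.exe parent PID and the events for PIDs 2001 and 2101 are invented.
SAMPLE_EVENTS = [
    ProcessEvent(3956, r"C:\Users\admin\Desktop\pattern.exe",
                 r'"C:\Users\admin\Desktop\pattern.exe"', 1840, r"C:\Windows\explorer.exe"),
    ProcessEvent(952, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\Desktop\pattern.exe"',
                 3956, r"C:\Users\admin\Desktop\pattern.exe"),
    ProcessEvent(1216, r"C:\Windows\System32\choice.exe", "choice /C Y /N /D Y /T 3",
                 952, r"C:\Windows\System32\cmd.exe"),
    # Ordinary clean-up: a delete with no wait in front of it is not reported.
    ProcessEvent(2001, r"C:\Windows\System32\cmd.exe", r"cmd.exe /C del /Q C:\Temp\build.log",
                 2000, r"C:\Tools\build.exe"),
    # Wait-then-delete of a different file: reported, but not as a self-delete.
    ProcessEvent(2101, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c ping -n 5 127.0.0.1 > nul & del "C:\ProgramData\updater.tmp"',
                 2100, r"C:\ProgramData\updater.exe"),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid} (parent {f.parent_pid}): {f.technique} via {f.delay_via} "
              f"after {f.delay_seconds}s -> {f.target}")
```

The parent-image comparison is what separates a self-delete from routine scripted clean-up, so feed the detector the parent's full image path rather than its bare name; on the report's data that is C:\Users\admin\Desktop\pattern.exe, and a hit also tells the responder the file named in the 6 delete events will be gone from disk by the time they look for it.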
Total events: 22 075
Read events: 21 988
Write events: 81
Delete events: 6

Modification events

PID   Process     Operation  Key                                                           Name          Value
3672  WinRAR.exe  write      HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes            ShellExtBMP   (empty)
3672  WinRAR.exe  write      HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes            ShellExtIcon  (empty)
3672  WinRAR.exe  write      HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E        LanguageList  en-US
3672  WinRAR.exe  write      HKEY_CURRENT_USER\Software\WinRAR\ArcHistory                  3             C:\Users\admin\Desktop\phacker.zip
3672  WinRAR.exe  write      HKEY_CURRENT_USER\Software\WinRAR\ArcHistory                  2             C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3672  WinRAR.exe  write      HKEY_CURRENT_USER\Software\WinRAR\ArcHistory                  1             C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
3672  WinRAR.exe  write      HKEY_CURRENT_USER\Software\WinRAR\ArcHistory                  0             C:\Users\admin\AppData\Local\Temp\Release.zip
3672  WinRAR.exe  write      HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths   name          120
3672  WinRAR.exe  write      HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths   size          80
3672  WinRAR.exe  write      HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths   type          120
Executable files: 22
Suspicious files: 0
Text files: 255
Unknown types: 1

Dropped files

PID   Process     Filename                                                    Type
3672  WinRAR.exe  C:\Users\admin\Desktop\release\country_flags\af.png         image
      MD5: B438E2FCC22B7B7138A2270B0C46C11C
      SHA256: 2E738E232BA262BD7B40D39F0A8EF1B68204381B0F5D97367C8B827AEA9E83BE
3672  WinRAR.exe  C:\Users\admin\Desktop\release\country_flags\al.png         image
      MD5: 8109ADB0C3BAF5D82C44385AFB369943
      SHA256: 2E005216BE2A847983EBE9A5A4B4FF2936C9008CC7C925ED7059350D4FCF370D
3672  WinRAR.exe  C:\Users\admin\Desktop\release\country_flags\ad.png         image
      MD5: 68474A4935598753955993CCBD7062B3
      SHA256: 6E45D3CEC2A17A9B9353B68288934E7C4931A36EC271B595750BF8441AFAE019
3672  WinRAR.exe  C:\Users\admin\Desktop\release\country_flags\ag.png         image
      MD5: F16D86D6CD9EFED9D56C4E27222225CC
      SHA256: 8CF632B5D10C24E29C68082BDBA8737269F5160360985F9C306E8B20940552AC
3672  WinRAR.exe  C:\Users\admin\Desktop\release\country_flags\ai.png         image
      MD5: 2E5628753B22D149925F2EDCA861CCE8
      SHA256: D95DF82E43D2E94018A777083E68BB5A00260912037FC02243DDFE3A0A377F45
3672  WinRAR.exe  C:\Users\admin\Desktop\release\country_flags\ao.png         image
      MD5: 1B6993D439CD730838399AEC3B0FB44B
      SHA256: 27E99589098BF031636FA0EAE8AD7881E54181978135375C7F599F6E49FA8FA6
3672  WinRAR.exe  C:\Users\admin\Desktop\release\stub\xeno rat client.exe     executable
      MD5: D23D8120AF87A615A456A12B43D4A98A
      SHA256: 27178A08E0D8FB6E5E31AE9BFF6194A5224406666FA1F528D4719C1E4A8EFD67
3672  WinRAR.exe  C:\Users\admin\Desktop\release\country_flags\at.png         image
      MD5: 47386D35C3BC3D7BA01D5A1ADCB240EE
      SHA256: F9167D1381D27D03C461B8D467406B08B1EC1CA128EF455224A79A54EF1C4CBA
3672  WinRAR.exe  C:\Users\admin\Desktop\release\country_flags\as.png         image
      MD5: D3FA2CAF8084EA005F29DACE6A1C1A2B
      SHA256: 4C4D9B46EE8B8648976FBF45F3BAA20F1D2BD81D955F4AD12E5F185F0184BEC0
3672  WinRAR.exe  C:\Users\admin\Desktop\release\country_flags\aw.png         image
      MD5: 15B939B6F1E18D1C00C7365CBEFE135F
      SHA256: 88DFE3018FF9550227B65D71EB80CA826E77CD760B12790FCD84BB6C2A6EA79A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                    Domain  ASN  CN  Reputation
4     System       192.168.100.255:137   -       -    -   whitelisted
4     System       192.168.100.255:138   -       -    -   whitelisted
1080  svchost.exe  224.0.0.252:5355      -       -    -   unknown

All three are Windows background traffic rather than sample activity: NetBIOS name-service and datagram broadcasts (UDP 137/138) from the System process and LLMNR multicast to 224.0.0.252:5355 from svchost.exe. No connection from the sample's own processes (PIDs 3772 and 3956) appears in the list, so this run captured no command-and-control traffic.

DNS requests

No data

Threats

No threats detected
No debug info