File name: Svchosts.exe

Full analysis: https://app.any.run/tasks/1606e03d-3f35-41f0-b3e3-0b9763a9c137
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that gives attackers partial to complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activity on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: September 24, 2024, 09:56:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: xenorat, rat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 283C2F66CCEF3A27A10E74FE8F063918
SHA1: CA9387655FF9B533DD36CF5641FD4EB8F88FB999
SHA256: F770B7E25D959F700C9119CB1D9A5EF444634A335EA9F230F06B51FDAA487AD1
SSDEEP: 768:+H6yksiDKADNyN2B+ijjIhjAeh7nmNMUEuS5gZ5SbTDamaInvJd:i9uDQjAeh7mGUEuSi5SbTfaI/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XenoRAT has been detected (FILE)

      • Svchosts.exe (PID: 6644)
      • Svchosts.exe (PID: 4600)
    • XENORAT has been detected (YARA)

      • Svchosts.exe (PID: 4600)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Svchosts.exe (PID: 6644)
    • Executable content was dropped or overwritten

      • Svchosts.exe (PID: 6644)
    • Starts itself from another location

      • Svchosts.exe (PID: 6644)
  • INFO

    • Checks supported languages

      • Svchosts.exe (PID: 6644)
      • Svchosts.exe (PID: 4600)
    • Creates files or folders in the user directory

      • Svchosts.exe (PID: 6644)
    • The process uses the downloaded file

      • Svchosts.exe (PID: 6644)
    • Reads the computer name

      • Svchosts.exe (PID: 6644)
      • Svchosts.exe (PID: 4600)
    • Process checks computer location settings

      • Svchosts.exe (PID: 6644)
    • Reads the machine GUID from the registry

      • Svchosts.exe (PID: 4600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2067:04:09 13:44:02+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 44032
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0xcb0e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.2.1.0
ProductVersionNumber: 1.2.3.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Windows
FileDescription: Host Process for windows Server
FileVersion: 3.2.1.0
InternalName: xeno rat client.exe
LegalCopyright: Copyright © 2023
LegalTrademarks: Windows
OriginalFileName: Microsoft
ProductName: Svchost.exe
ProductVersion: 1.2.3.0
AssemblyVersion: 1.2.3.0
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> Svchosts.exe (#XENORAT) -> Svchosts.exe (#XENORAT); svchost.exe (no specs)

Process information

PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll

PID: 4600
CMD: "C:\Users\admin\AppData\Roaming\XenoManager\Svchosts.exe"
Path: C:\Users\admin\AppData\Roaming\XenoManager\Svchosts.exe
Parent process: Svchosts.exe
User: admin
Company: Windows
Integrity Level: MEDIUM
Description: Host Process for windows Server
Version: 3.2.1.0
Modules (Images):
  • c:\users\admin\appdata\roaming\xenomanager\svchosts.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll

PID: 6644
CMD: "C:\Users\admin\Desktop\Svchosts.exe"
Path: C:\Users\admin\Desktop\Svchosts.exe
Parent process: explorer.exe
User: admin
Company: Windows
Integrity Level: MEDIUM
Description: Host Process for windows Server
Exit code: 0
Version: 3.2.1.0
Modules (Images):
  • c:\users\admin\desktop\svchosts.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
Total events: 719
Read events: 719
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6644 | Svchosts.exe | C:\Users\admin\AppData\Roaming\XenoManager\Svchosts.exe | executable
MD5: 283C2F66CCEF3A27A10E74FE8F063918
SHA256: F770B7E25D959F700C9119CB1D9A5EF444634A335EA9F230F06B51FDAA487AD1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 19
DNS requests: 5
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
5172 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5172 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
6880 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 20.42.65.85:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
| | 2.23.209.188:443 | | Akamai International B.V. | GB | unknown
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5172 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59 | whitelisted
google.com | 142.250.186.142 | whitelisted
zenofs.zapto.org | 0.0.0.0 | unknown
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

PID | Process | Class | Message
2256 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.zapto .org
No debug info