Windows Analysis Report
sbuvJk8Zn8.exe

Overview

General Information

Sample name: sbuvJk8Zn8.exe (renamed because the original name is a hash value)
Original sample name: BD2152F40DC99EC6DAE3BC14B6929BDB.exe
Analysis ID: 1502164
MD5: bd2152f40dc99ec6dae3bc14b6929bdb
SHA1: 32f787e0c931fa31dae7de1ad21edbca57d31866
SHA256: 034fe3881efdcf850d43cfe8e2013c303db4b0a3729f61acce608cbeefa3b1d1
Tags: exe, XenoRAT

Detection

XenoRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XenoRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: sbuvJk8Zn8.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Avira: detection malicious, Label: TR/Agent.clsgj
Source: sbuvJk8Zn8.exe Malware Configuration Extractor: XenoRAT {"C2 url": "2.58.85.196", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Virustotal: Detection: 70%
Source: sbuvJk8Zn8.exe ReversingLabs: Detection: 78%
Source: sbuvJk8Zn8.exe Virustotal: Detection: 70%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Joe Sandbox ML: detected
Source: sbuvJk8Zn8.exe Joe Sandbox ML: detected
Source: sbuvJk8Zn8.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\moom825\Desktop\xeno-rat\xeno-rat\Plugins\KeyLoggerOffline\obj\Release\KeyLoggerOffline.pdbYpsp ep_CorDllMainmscoree.dll source: sbuvJk8Zn8.exe, 00000001.00000002.4160898372.0000000005780000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: $^q&costura.xeno rat client.pdb.compressed4'^q source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\moom825\Desktop\xeno-rat\xeno-rat\Plugins\KeyLoggerOffline\obj\Release\KeyLoggerOffline.pdb source: sbuvJk8Zn8.exe, 00000001.00000002.4160898372.0000000005780000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: Network traffic Suricata IDS: 2050111 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive : 192.168.2.4:49731 -> 2.58.85.196:2323
Source: Network traffic Suricata IDS: 2050110 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In : 2.58.85.196:2323 -> 192.168.2.4:49733
Source: Network traffic Suricata IDS: 2050110 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In : 2.58.85.196:2323 -> 192.168.2.4:49731
Source: Network traffic Suricata IDS: 2050111 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive : 192.168.2.4:49740 -> 2.58.85.196:2323
Source: Malware configuration extractor URLs: 2.58.85.196
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 2.58.85.196:2323
Source: Joe Sandbox View ASN Name: HUGESERVER-NETWORKSUS
Source: unknown DNS traffic detected: query: 171.39.242.20.in-addr.arpa (a reverse lookup for 20.242.39.171), reply code: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 2.58.85.196 (50 such connections logged; the C2 address is hard-coded in the extracted configuration, so no name resolution precedes it)
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xvu3kzsi.rmq.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: xvu3kzsi.rmq.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: xvu3kzsi.rmq.1.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: xvu3kzsi.rmq.1.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: xvu3kzsi.rmq.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: xvu3kzsi.rmq.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: xvu3kzsi.rmq.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 2kpofmcl.euu.1.dr, znhngz5e.cyk.1.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: sbuvJk8Zn8.exe, 00000001.00000002.4160550193.0000000003F0A000.00000004.00000800.00020000.00000000.sdmp, 2kpofmcl.euu.1.dr, znhngz5e.cyk.1.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 2kpofmcl.euu.1.dr, znhngz5e.cyk.1.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: sbuvJk8Zn8.exe, 00000001.00000002.4160550193.0000000003F0A000.00000004.00000800.00020000.00000000.sdmp, 2kpofmcl.euu.1.dr, znhngz5e.cyk.1.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: xvu3kzsi.rmq.1.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: xvu3kzsi.rmq.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Windows user hook set: thread id 0 (all threads, i.e. a global hook), type: keyboard low level (WH_KEYBOARD_LL), set by C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe

System Summary

Source: 1.2.sbuvJk8Zn8.exe.62f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.4161603732.00000000062F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Code function: 0_2_025C0B12 0_2_025C0B12
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_02CE0B11 1_2_02CE0B11
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_02CE2321 1_2_02CE2321
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_02CE9048 1_2_02CE9048
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_02CEF1E8 1_2_02CEF1E8
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_02CE9918 1_2_02CE9918
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_02CEDF49 1_2_02CEDF49
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_02CE8D00 1_2_02CE8D00
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_0641C33A 1_2_0641C33A
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_06412D18 1_2_06412D18
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_06410830 1_2_06410830
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_06411FC8 1_2_06411FC8
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_0641CDA7 1_2_0641CDA7
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_065EF670 1_2_065EF670
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_065E56D8 1_2_065E56D8
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_065E8D38 1_2_065E8D38
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_065E6AA8 1_2_065E6AA8
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_065EB128 1_2_065EB128
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_065ECC20 1_2_065ECC20
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_065EA060 1_2_065EA060
Source: sbuvJk8Zn8.exe, 00000000.00000000.1708723110.000000000043E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXeno_manager.exe: vs sbuvJk8Zn8.exe
Source: sbuvJk8Zn8.exe, 00000000.00000002.1711909983.00000000008DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs sbuvJk8Zn8.exe
Source: sbuvJk8Zn8.exe, 00000001.00000002.4158499318.00000000010EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs sbuvJk8Zn8.exe
Source: sbuvJk8Zn8.exe, 00000001.00000002.4163755149.0000000007818000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs sbuvJk8Zn8.exe
Source: sbuvJk8Zn8.exe, 00000001.00000002.4162856979.0000000007220000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBouncyCastle.Crypto.dllP vs sbuvJk8Zn8.exe
Source: sbuvJk8Zn8.exe, 00000001.00000002.4160898372.0000000005780000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameKeyLoggerOffline.dllB vs sbuvJk8Zn8.exe
Source: sbuvJk8Zn8.exe Binary or memory string: OriginalFilenameXeno_manager.exe: vs sbuvJk8Zn8.exe
Source: sbuvJk8Zn8.exe.0.dr Binary or memory string: OriginalFilenameXeno_manager.exe: vs sbuvJk8Zn8.exe
Source: 1.2.sbuvJk8Zn8.exe.62f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.4161603732.00000000062F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: sbuvJk8Zn8.exe, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
Source: sbuvJk8Zn8.exe.0.dr, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/12@1/1
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe File created: C:\Users\user\AppData\Roaming\XenoManager
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin
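The extracted configuration (C2 2.58.85.196, mutex Xeno_rat_nd8912d, install folder appdata), the Suricata check-in/keep-alive alerts on port 2323 and the mutant and install directory observed above form a compact indicator set. The following is an added example, not Joe Sandbox, Emerging Threats or XenoRAT code, that matches constructed telemetry against those indicators. The records in SAMPLE_EVENTS imitate Suricata eve.json alert/flow records and simplified EDR mutex/file events; they are not output of this sandbox run. The detail worth noticing is that the mutex named in the configuration (Xeno_rat_nd8912d) is not the string the process actually created (Xeno_rat_nd8912d-admin under \Sessions\1\BaseNamedObjects), so a rule keyed on the exact configuration string would miss this run.

```python
"""Match host and network telemetry against the XenoRAT indicators in this
report: C2 2.58.85.196:2323, Suricata SIDs 2050110/2050111, the mutex
Xeno_rat_nd8912d and the %APPDATA%\\XenoManager install directory.

Added example, not Joe Sandbox or XenoRAT code. SAMPLE_EVENTS is constructed
telemetry shaped like Suricata eve.json alert/flow records plus simplified EDR
mutex/file events; it is not sandbox output.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

C2_IP = "2.58.85.196"
C2_PORT = 2323
MUTEX_BASE = "Xeno_rat_nd8912d"
SURICATA_SIDS = {2050110: "Xeno-RAT TCP Check-In", 2050111: "Xeno-RAT TCP Keep-Alive"}

# The configuration says "Xeno_rat_nd8912d"; the object the sandbox saw created
# was "\Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin". Match the base
# name after any namespace prefix and allow a "-suffix" so the elevated variant
# is not missed by an exact-string rule written from the config alone.
MUTEX_RE = re.compile(r"(?:^|\\)" + re.escape(MUTEX_BASE) + r"(?:-\w+)?$")
INSTALL_DIR_RE = re.compile(r"\\appdata\\roaming\\xenomanager(?:\\|$)", re.IGNORECASE)

Hit = Tuple[str, str, str]  # (event kind, indicator, detail)


def check_mutex(name: str) -> bool:
    return MUTEX_RE.search(name) is not None


def check_path(path: str) -> bool:
    return INSTALL_DIR_RE.search(path) is not None


def check_flow(dst_ip: str, dst_port: int) -> Optional[str]:
    """Any traffic to the C2 address is a hit; the configured port makes it stronger."""
    if dst_ip != C2_IP:
        return None
    return "c2-ip+port" if dst_port == C2_PORT else "c2-ip"


def triage(events: List[Dict[str, Any]]) -> List[Hit]:
    hits: List[Hit] = []
    for ev in events:
        kind = ev.get("event_type")
        if kind == "alert":
            sid = ev["alert"]["signature_id"]
            if sid in SURICATA_SIDS:
                hits.append(("alert", SURICATA_SIDS[sid],
                             f"{ev['src_ip']}:{ev['src_port']} -> {ev['dest_ip']}:{ev['dest_port']}"))
        elif kind == "flow":
            label = check_flow(ev["dest_ip"], ev["dest_port"])
            if label:
                hits.append(("flow", label, f"{ev['src_ip']} -> {ev['dest_ip']}:{ev['dest_port']}"))
        elif kind == "mutex" and check_mutex(ev["name"]):
            hits.append(("mutex", MUTEX_BASE, ev["name"]))
        elif kind == "file" and check_path(ev["path"]):
            hits.append(("file", "XenoManager install dir", ev["path"]))
    return hits


# Constructed sample telemetry; values mirror the report's observations.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event_type": "alert", "src_ip": "2.58.85.196", "src_port": 2323,
     "dest_ip": "192.168.2.4", "dest_port": 49733, "alert": {"signature_id": 2050110}},
    {"event_type": "alert", "src_ip": "192.168.2.4", "src_port": 49731,
     "dest_ip": "2.58.85.196", "dest_port": 2323, "alert": {"signature_id": 2050111}},
    {"event_type": "alert", "src_ip": "192.168.2.4", "src_port": 50000,          # unrelated, made-up SID
     "dest_ip": "10.0.0.5", "dest_port": 80, "alert": {"signature_id": 9000001}},
    {"event_type": "flow", "src_ip": "192.168.2.4", "dest_ip": "2.58.85.196", "dest_port": 2323},
    {"event_type": "flow", "src_ip": "192.168.2.4", "dest_ip": "20.242.39.171", "dest_port": 443},
    {"event_type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin"},
    {"event_type": "mutex", "name": "Xeno_rat_nd8912d"},
    {"event_type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"},
    {"event_type": "file", "path": r"C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe"},
    {"event_type": "file", "path": r"C:\Users\user\AppData\Local\Temp\ght5z2pd.jfv"},
]

if __name__ == "__main__":
    for kind, indicator, detail in triage(SAMPLE_EVENTS):
        print(f"[{kind}] {indicator}: {detail}")
```

Traffic to 2.58.85.196 on a port other than 2323 is still reported (as "c2-ip") because the port is operator-configurable while the address is what the sample was built with; the Suricata SIDs add protocol-level confirmation independent of either.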
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe File created: C:\Users\user\AppData\Local\Temp\ght5z2pd.jfv
Source: sbuvJk8Zn8.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sbuvJk8Zn8.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sbuvJk8Zn8.exe, 00000001.00000002.4161451527.0000000006013000.00000004.00000020.00020000.00000000.sdmp, ght5z2pd.jfv.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); (schema of Chromium's "Login Data" credential store, consistent with the browser-credential theft signature above; the temp file ght5z2pd.jfv is a copy of that database)
Source: sbuvJk8Zn8.exe ReversingLabs: Detection: 78%
Source: sbuvJk8Zn8.exe Virustotal: Detection: 70%
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe File read: C:\Users\user\Desktop\sbuvJk8Zn8.exe
Source: unknown Process created: C:\Users\user\Desktop\sbuvJk8Zn8.exe "C:\Users\user\Desktop\sbuvJk8Zn8.exe"
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe "C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe"
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: sbuvJk8Zn8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: sbuvJk8Zn8.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\moom825\Desktop\xeno-rat\xeno-rat\Plugins\KeyLoggerOffline\obj\Release\KeyLoggerOffline.pdbYpsp ep_CorDllMainmscoree.dll source: sbuvJk8Zn8.exe, 00000001.00000002.4160898372.0000000005780000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: $^q&costura.xeno rat client.pdb.compressed4'^q source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\moom825\Desktop\xeno-rat\xeno-rat\Plugins\KeyLoggerOffline\obj\Release\KeyLoggerOffline.pdb source: sbuvJk8Zn8.exe, 00000001.00000002.4160898372.0000000005780000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: sbuvJk8Zn8.exe, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: sbuvJk8Zn8.exe, DllHandler.cs .Net Code: DllNodeHandler
Source: sbuvJk8Zn8.exe.0.dr, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: sbuvJk8Zn8.exe.0.dr, DllHandler.cs .Net Code: DllNodeHandler
Source: 1.2.sbuvJk8Zn8.exe.62f0000.1.raw.unpack, AssemblyLoader.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: Yara match File source: 1.2.sbuvJk8Zn8.exe.62f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.sbuvJk8Zn8.exe.62f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4161603732.00000000062F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4159148683.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sbuvJk8Zn8.exe PID: 2412, type: MEMORYSTR
Source: sbuvJk8Zn8.exe Static PE information: TimeDateStamp 0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC], a link time in the future; note that deterministic .NET builds write a content hash into this field rather than a time, so the value alone does not prove deliberate tampering
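The Costura loader lines above (Assembly.Load(byte[]) on data read from embedded resources), the Yara matches on the unpacked PE in the 0x62F0000 region, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR note and the future-dated TimeDateStamp all concern PE images that exist only in process memory. The following added example, not Joe Sandbox or XenoRAT code, carves PE images out of a flat memory dump such as the report's .sdmp regions, marks managed images by their CLR data directory and flags timestamps that cannot be real link times. The dump it runs on is constructed in build_sample_dump() with the report's stamp 0xB6F61BA2; it is not one of the report's dumps.

```python
"""Carve PE images out of a raw process memory dump and record what a triage
needs from each: managed (.NET) or native, the COFF TimeDateStamp, and whether
that stamp can be a real link time.

Added example, not Joe Sandbox or XenoRAT code. The dump is assumed to be a
flat byte string like the report's .sdmp regions; build_sample_dump() below
constructs one carrying the report's TimeDateStamp 0xB6F61BA2.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-empty means a managed image


def timestamp_flags(ts: int, now: datetime) -> List[str]:
    """Flag a TimeDateStamp that cannot be a real link time.

    Caveat: deterministic .NET builds store a content hash here instead of a
    time, so an absurd stamp on a managed binary is weak evidence on its own.
    """
    if ts == 0:
        return ["zero"]
    return ["future"] if EPOCH + timedelta(seconds=ts) > now else []


def parse_pe(data: bytes, off: int, now: datetime) -> Optional[Dict[str, Any]]:
    """Parse the PE image at data[off:]; None unless the headers are consistent."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x400 or data[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(data):
        return None
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if not 1 <= nsec <= 96 or opt + opt_size + 40 * nsec > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        ndirs_off, dirs_off = 0x5C, 0x60
    elif magic == 0x20B:      # PE32+
        ndirs_off, dirs_off = 0x6C, 0x70
    else:
        return None
    size_of_image = struct.unpack_from("<I", data, opt + 0x38)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    managed = False
    if ndirs > CLR_DIR_INDEX:
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * CLR_DIR_INDEX)
        managed = rva != 0 and size != 0
    # A buffer handed to Assembly.Load(byte[]) (the Costura case) is in file
    # layout, so the carve extent is the furthest section raw end. A mapped
    # image spans size_of_image instead; both are returned so the analyst can
    # re-carve when the first guess is wrong.
    raw_end = 0
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        raw_end = max(raw_end, raw_ptr + raw_size)
    if raw_end == 0 or off + raw_end > len(data):
        return None
    return {
        "offset": off, "size": raw_end, "size_of_image": size_of_image,
        "machine": machine, "managed": managed, "timestamp": ts,
        "compiled": EPOCH + timedelta(seconds=ts), "flags": timestamp_flags(ts, now),
        "image": data[off:off + raw_end],
    }


def carve_pe_images(data: bytes, now: Optional[datetime] = None) -> List[Dict[str, Any]]:
    """Return every consistent PE image in the dump, in offset order."""
    now = now or datetime.now(timezone.utc)
    found: List[Dict[str, Any]] = []
    idx = data.find(b"MZ")
    while idx != -1:
        hit = parse_pe(data, idx, now)
        if hit:
            found.append(hit)
            idx = data.find(b"MZ", idx + hit["size"])  # do not re-scan inside the carved image
        else:
            idx = data.find(b"MZ", idx + 1)
    return found


def build_sample_dump() -> bytes:
    """Constructed dump: padding, a minimal managed PE32 with one section, padding."""
    opt = bytearray(224)                                  # 96-byte PE32 header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 0x38, 0x3000)             # SizeOfImage
    struct.pack_into("<I", opt, 0x3C, 0x200)              # SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 8 * CLR_DIR_INDEX, 0x2008, 0x48)  # CLR header RVA/size
    sec = bytearray(40)
    sec[0:5] = b".text"
    struct.pack_into("<IIII", sec, 8, 0x1000, 0x2000, 0x200, 0x200)  # VSize, VAddr, RawSize, RawPtr
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0xB6F61BA2, 0, 0, len(opt), 0x2102)
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    headers += b"\0" * (0x200 - len(headers))
    return b"\0" * 0x123 + headers + b"\xCC" * 0x200 + b"\0" * 0x40


if __name__ == "__main__":
    for img in carve_pe_images(build_sample_dump()):
        print(f"offset=0x{img['offset']:X} size=0x{img['size']:X} managed={img['managed']} "
              f"stamp=0x{img['timestamp']:08X} ({img['compiled']:%Y-%m-%d %H:%M:%S} UTC) flags={img['flags']}")
```

Run it against a real .sdmp by passing the file's bytes to carve_pe_images(); each returned "image" can be written out and fed to a .NET decompiler when "managed" is set. The header sanity checks (e_lfanew range, section count, extents inside the buffer) are what keeps the "MZ" scan from producing hits on stray text.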
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_0641ADC8 pushad ; ret 1_2_0641ADC9
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_0641ADF8 pushad ; ret 1_2_0641ADC9
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_0641CB93 push 8B03EA5Ch; iretd 1_2_0641CB9D
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Code function: 1_2_065E3721 push es; ret 1_2_065E3730
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe File created: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX (observed 15 times)
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX (observed 42 times)
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Memory allocated: 2580000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Memory allocated: 2730000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Memory allocated: 4730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Memory allocated: 1350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Memory allocated: 2EA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Memory allocated: 1350000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Window / User API: threadDelayed 4424
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Window / User API: threadDelayed 5448
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe TID: 3696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe TID: 4192 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe TID: 4908 Thread sleep count: 4424 > 30
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe TID: 5600 Thread sleep count: 5448 > 30
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Thread delayed: delay time: 922337203685477
Source: sbuvJk8Zn8.exe, 00000001.00000002.4158499318.0000000001161000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe "C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe"
Source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003116000.00000004.00000800.00020000.00000000.sdmp, sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003067000.00000004.00000800.00020000.00000000.sdmp, sbuvJk8Zn8.exe, 00000001.00000002.4159148683.00000000030AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003116000.00000004.00000800.00020000.00000000.sdmp, sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003067000.00000004.00000800.00020000.00000000.sdmp, sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorer - Prog@\^q explorer - Program Manager
Source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003067000.00000004.00000800.00020000.00000000.sdmp, sbuvJk8Zn8.exe, 00000001.00000002.4159148683.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003262000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx&
Source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003116000.00000004.00000800.00020000.00000000.sdmp, sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003067000.00000004.00000800.00020000.00000000.sdmp, sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorer - Program Manager
Source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003116000.00000004.00000800.00020000.00000000.sdmp, sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000003067000.00000004.00000800.00020000.00000000.sdmp, sbuvJk8Zn8.exe, 00000001.00000002.4159148683.00000000030AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerlB^q
Source: sbuvJk8Zn8.exe, 00000001.00000002.4159148683.0000000002F40000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@
Source: C:\Users\user\Desktop\sbuvJk8Zn8.exe Queries volume information: C:\Users\user\Desktop\sbuvJk8Zn8.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: sbuvJk8Zn8.exe, type: SAMPLE
Source: Yara match File source: 0.0.sbuvJk8Zn8.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1708708112.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sbuvJk8Zn8.exe PID: 3632, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match File source: sbuvJk8Zn8.exe, type: SAMPLE
Source: Yara match File source: 0.0.sbuvJk8Zn8.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1708708112.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sbuvJk8Zn8.exe PID: 3632, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\XenoManager\sbuvJk8Zn8.exe, type: DROPPED