Windows Analysis Report
nQBmwBd90o.exe

Overview

General Information

Sample name: nQBmwBd90o.exe
renamed because original name is a hash value
Original sample name: 2bbb433718d061e161f1d0e224451746.exe
Analysis ID: 1520705
MD5: 2bbb433718d061e161f1d0e224451746
SHA1: 94d37443c9d9b71997f4918106533b76c01d8032
SHA256: cb15dc95e0a14080e8c3df816b6d54a101c3b4a307a8db0d71131869602480d9
Tags: exeXenoRATuser-abuse_ch
Infos:

Detection

XenoRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected XenoRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Found malware configuration
Source: nQBmwBd90o.exe Malware Configuration Extractor: XenoRAT {"C2 url": "82.64.210.112", "Mutex Name": "update_discord_nd8912d", "Install Folder": "appdata"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe ReversingLabs: Detection: 81%
Multi AV Scanner detection for submitted file
Source: nQBmwBd90o.exe ReversingLabs: Detection: 81%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: nQBmwBd90o.exe Joe Sandbox ML: detected
Source: nQBmwBd90o.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 82.64.210.112
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 82.64.210.112:25565
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PROXADFR PROXADFR
Detected potential crypto function
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Code function: 0_2_01640B11 0_2_01640B11
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Code function: 1_2_02E30B13 1_2_02E30B13
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Code function: 1_2_02E32CC8 1_2_02E32CC8
Sample file is different than original file name gathered from version info
Source: nQBmwBd90o.exe, 00000000.00000000.1664507002.0000000000E1E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamediscord.exe> vs nQBmwBd90o.exe
Source: nQBmwBd90o.exe, 00000000.00000002.1668178797.00000000013BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs nQBmwBd90o.exe
Source: nQBmwBd90o.exe, 00000001.00000002.2932477946.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs nQBmwBd90o.exe
Source: nQBmwBd90o.exe Binary or memory string: OriginalFilenamediscord.exe> vs nQBmwBd90o.exe
Source: nQBmwBd90o.exe.0.dr Binary or memory string: OriginalFilenamediscord.exe> vs nQBmwBd90o.exe
Source: nQBmwBd90o.exe, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
Source: nQBmwBd90o.exe.0.dr, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@0/1
Source: C:\Users\user\Desktop\nQBmwBd90o.exe File created: C:\Users\user\AppData\Roaming\XenoManager Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Mutant created: \Sessions\1\BaseNamedObjects\update_discord_nd8912d-admin
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe File created: C:\Users\user\AppData\Local\Temp\tmp86AB.tmp Jump to behavior
Source: nQBmwBd90o.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nQBmwBd90o.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\nQBmwBd90o.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: nQBmwBd90o.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\nQBmwBd90o.exe File read: C:\Users\user\Desktop\nQBmwBd90o.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\nQBmwBd90o.exe "C:\Users\user\Desktop\nQBmwBd90o.exe"
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe "C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe "C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: nQBmwBd90o.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: nQBmwBd90o.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: nQBmwBd90o.exe, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: nQBmwBd90o.exe, DllHandler.cs .Net Code: DllNodeHandler
Source: nQBmwBd90o.exe.0.dr, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: nQBmwBd90o.exe.0.dr, DllHandler.cs .Net Code: DllNodeHandler
Binary contains a suspicious time stamp
Source: nQBmwBd90o.exe Static PE information: 0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Code function: 1_2_02E304F8 push ebx; retf 0002h 1_2_02E30502
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Code function: 1_2_02E305EF push edi; retf 0002h 1_2_02E3061A
Drops PE files
Source: C:\Users\user\Desktop\nQBmwBd90o.exe File created: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Memory allocated: 1640000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Memory allocated: 30F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Memory allocated: 50F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Memory allocated: 2E30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Memory allocated: 2E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Memory allocated: 4E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Memory allocated: 710000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Memory allocated: 24C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Memory allocated: B20000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Window / User API: threadDelayed 1506 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Window / User API: threadDelayed 8357 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\nQBmwBd90o.exe TID: 6908 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe TID: 7096 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe TID: 932 Thread sleep count: 1506 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe TID: 932 Thread sleep count: 8357 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe TID: 1068 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: nQBmwBd90o.exe, 00000000.00000002.1668178797.00000000013F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
Source: nQBmwBd90o.exe, 00000001.00000002.2932477946.0000000001086000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe "C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\nQBmwBd90o.exe Queries volume information: C:\Users\user\Desktop\nQBmwBd90o.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected XenoRAT
Source: Yara match File source: nQBmwBd90o.exe, type: SAMPLE
Source: Yara match File source: 0.0.nQBmwBd90o.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1664494365.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1668178797.00000000013F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nQBmwBd90o.exe PID: 6836, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected XenoRAT
Source: Yara match File source: nQBmwBd90o.exe, type: SAMPLE
Source: Yara match File source: 0.0.nQBmwBd90o.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1664494365.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1668178797.00000000013F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nQBmwBd90o.exe PID: 6836, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1520705 Sample: nQBmwBd90o.exe Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Sigma detected: Scheduled temp file as task from temp location 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 5 other signatures 2->38 8 nQBmwBd90o.exe 5 2->8         started        11 nQBmwBd90o.exe 2 2->11         started        process3 file4 22 C:\Users\user\AppData\...\nQBmwBd90o.exe, PE32 8->22 dropped 24 C:\Users\...\nQBmwBd90o.exe:Zone.Identifier, ASCII 8->24 dropped 26 C:\Users\user\AppData\...\nQBmwBd90o.exe.log, CSV 8->26 dropped 13 nQBmwBd90o.exe 5 8->13         started        process5 dnsIp6 30 82.64.210.112, 25565, 49730, 49735 PROXADFR France 13->30 28 C:\Users\user\AppData\Local\...\tmp86AB.tmp, ASCII 13->28 dropped 40 Multi AV Scanner detection for dropped file 13->40 42 Machine Learning detection for dropped file 13->42 44 Uses schtasks.exe or at.exe to add and modify task schedules 13->44 18 schtasks.exe 1 13->18         started        file7 signatures8 process9 process10 20 conhost.exe 18->20         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
82.64.210.112
 unknown France
12322 PROXADFR true

Contacted URLs

Name Malicious Antivirus Detection Reputation
82.64.210.112 true
    		unknown