
Windows Analysis Report
Y0uLilkjPz.exe

Overview

General Information

Sample name: Y0uLilkjPz.exe (renamed because original name is a hash value)
Original sample name: 8d84fc99073709f0c6049b80fa088c9af03c5525148e61b2d258cc3f1d4c7d8e.exe
Analysis ID: 1469004
MD5: 899d4c38a9edf64f8513eaaf6f5aa8e4
SHA1: 8dc9f2cf26ef7778031d4a02345cbbc982ab8aac
SHA256: 8d84fc99073709f0c6049b80fa088c9af03c5525148e61b2d258cc3f1d4c7d8e
Tags: 82-9-14-4exe

Detection

XenoRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected XenoRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder

Classification

  • System is w10x64
  • Y0uLilkjPz.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\Y0uLilkjPz.exe" MD5: 899D4C38A9EDF64F8513EAAF6F5AA8E4)
    • Y0uLilkjPz.exe (PID: 7756 cmdline: "C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe" MD5: 899D4C38A9EDF64F8513EAAF6F5AA8E4)
      • schtasks.exe (PID: 7844 cmdline: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Y0uLilkjPz.exe (PID: 7900 cmdline: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe MD5: 899D4C38A9EDF64F8513EAAF6F5AA8E4)
  • cleanup
{"C2 url": "82.9.14.4", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
Yara rule matches (Source, Rule, Description, Author, Strings):
Source: Y0uLilkjPz.exe, Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Author: Joe Security
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Author: Joe Security
Source: 00000000.00000000.1371780059.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Author: Joe Security
Source: Process Memory Space: Y0uLilkjPz.exe PID: 7664, Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Author: Joe Security
Source: 0.0.Y0uLilkjPz.exe.b10000.0.unpack, Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Author: Joe Security
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe", ParentImage: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, ParentProcessId: 7756, ParentProcessName: Y0uLilkjPz.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, ProcessId: 7844, ProcessName: schtasks.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe", ParentImage: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, ParentProcessId: 7756, ParentProcessName: Y0uLilkjPz.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, ProcessId: 7844, ProcessName: schtasks.exe
No Snort rule has matched


AV Detection

Source: Y0uLilkjPz.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, Avira: detection malicious, Label: TR/Agent.cpjpa
Source: Y0uLilkjPz.exe, Malware Configuration Extractor: XenoRAT {"C2 url": "82.9.14.4", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, Virustotal: Detection: 81%
Source: Y0uLilkjPz.exe, ReversingLabs: Detection: 76%
Source: Y0uLilkjPz.exe, Virustotal: Detection: 81%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, Joe Sandbox ML: detected
Source: Y0uLilkjPz.exe, Joe Sandbox ML: detected
Source: Y0uLilkjPz.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor, URLs: 82.9.14.4
Source: global traffic, TCP traffic: 192.168.2.8:49705 -> 82.9.14.4:4545
Source: Joe Sandbox View, IP Address: 82.9.14.4
Source: Joe Sandbox View, ASN Name: NTLGB
Source: unknown, TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown, TCP traffic detected witho