Edit tour
Windows
Analysis Report
Y0uLilkjPz.exe
Overview
General Information
Sample name: | Y0uLilkjPz.exerenamed because original name is a hash value |
Original sample name: | 8d84fc99073709f0c6049b80fa088c9af03c5525148e61b2d258cc3f1d4c7d8e.exe |
Analysis ID: | 1469004 |
MD5: | 899d4c38a9edf64f8513eaaf6f5aa8e4 |
SHA1: | 8dc9f2cf26ef7778031d4a02345cbbc982ab8aac |
SHA256: | 8d84fc99073709f0c6049b80fa088c9af03c5525148e61b2d258cc3f1d4c7d8e |
Tags: | 82-9-14-4exe |
Infos: | |
Detection
XenoRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected XenoRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Classification
- System is w10x64
- Y0uLilkjPz.exe (PID: 7664 cmdline:
"C:\Users\ user\Deskt op\Y0uLilk jPz.exe" MD5: 899D4C38A9EDF64F8513EAAF6F5AA8E4) - Y0uLilkjPz.exe (PID: 7756 cmdline:
"C:\Users\ user\AppDa ta\Roaming \XenoManag er\Y0uLilk jPz.exe" MD5: 899D4C38A9EDF64F8513EAAF6F5AA8E4) - schtasks.exe (PID: 7844 cmdline:
"schtasks. exe" /Crea te /TN "wi ndows" /XM L "C:\User s\user\App Data\Local \Temp\tmp9 9AA.tmp" / F MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 7856 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Y0uLilkjPz.exe (PID: 7900 cmdline:
C:\Users\u ser\AppDat a\Roaming\ XenoManage r\Y0uLilkj Pz.exe MD5: 899D4C38A9EDF64F8513EAAF6F5AA8E4)
- cleanup
{"C2 url": "82.9.14.4", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security | ||
JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Persistence and Installation Behavior |
---|
Source: | Author: Joe Security: |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Networking |
---|
Source: | URLs: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected witho |