Edit tour

Windows Analysis Report
8q8C8bQJRZ.exe

Overview

General Information

Sample name:	8q8C8bQJRZ.exe renamed because original name is a hash value
Original sample name:	8b41a4fe26ea38b13ea25ac063f72855e170449f20ec8153a5d1d9068089392b.exe
Analysis ID:	1617090
MD5:	11b40b4a6a1c3da4854eb344056ab5ba
SHA1:	a644f5bd41ea350d37754f3f01e81313e89d2551
SHA256:	8b41a4fe26ea38b13ea25ac063f72855e170449f20ec8153a5d1d9068089392b
Tags:	176-65-139-51exeuser-JAMESWT_MHT
Infos:

Detection

XenoRAT

Score:	84
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected XenoRAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

8q8C8bQJRZ.exe (PID: 3868 cmdline: "C:\Users\user\Desktop\8q8C8bQJRZ.exe" MD5: 11B40B4A6A1C3DA4854EB344056AB5BA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XenoRAT		No Attribution	https://axmahr.github.io/posts/xenorat-detection/ https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/ https://github.com/moom825/xeno-rat https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github https://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method	https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat

Malware Configuration

Threatname: XenoRAT

{"C2 url": "176.65.139.51", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "nothingset"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
8q8C8bQJRZ.exe	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
8q8C8bQJRZ.exe	rat_win_xeno_rat	Xeno RAT is an open-source RAT, used by Kimsuky in January 2024	Sekoia.io	0xb14c:$: Xeno-manager 0x250:$: moom825

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1804936159.0000000000782000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: 8q8C8bQJRZ.exe PID: 3868	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.8q8C8bQJRZ.exe.780000.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0.0.8q8C8bQJRZ.exe.780000.0.unpack	rat_win_xeno_rat	Xeno RAT is an open-source RAT, used by Kimsuky in January 2024	Sekoia.io	0xb14c:$: Xeno-manager 0x250:$: moom825

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 8q8C8bQJRZ.exe

Malware Configuration Extractor: XenoRAT {"C2 url": "176.65.139.51", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "nothingset"}

Multi AV Scanner detection for submitted file

Source: 8q8C8bQJRZ.exe	Virustotal: Detection: 70%			Perma Link
Source: 8q8C8bQJRZ.exe	ReversingLabs: Detection: 75%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: 8q8C8bQJRZ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 176.65.139.51

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 176.65.139.51:6969

Source: Joe Sandbox View

ASN Name: PALTEL-ASPALTELAutonomousSystemPS PALTEL-ASPALTELAutonomousSystemPS

Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.139.51

System Summary

Malicious sample detected (through community Yara rule)

Source: 8q8C8bQJRZ.exe, type: SAMPLE	Matched rule: Xeno RAT is an open-source RAT, used by Kimsuky in January 2024 Author: Sekoia.io
Source: 0.0.8q8C8bQJRZ.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Xeno RAT is an open-source RAT, used by Kimsuky in January 2024 Author: Sekoia.io

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Code function: 0_2_00E02327		0_2_00E02327
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Code function: 0_2_00E00B11		0_2_00E00B11

Source: 8q8C8bQJRZ.exe, 00000000.00000000.1804953226.000000000078E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesys64.exe: vs 8q8C8bQJRZ.exe
Source: 8q8C8bQJRZ.exe, 00000000.00000002.3052855401.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 8q8C8bQJRZ.exe
Source: 8q8C8bQJRZ.exe	Binary or memory string: OriginalFilenamesys64.exe: vs 8q8C8bQJRZ.exe

Source: 8q8C8bQJRZ.exe, type: SAMPLE	Matched rule: rat_win_xeno_rat author = Sekoia.io, description = Xeno RAT is an open-source RAT, used by Kimsuky in January 2024, creation_date = 2024-02-09, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/moom825/xeno-rat/tree/main/xeno%20rat%20client, id = 4be1ff07-8180-42a8-9f51-b5e17bf23442
Source: 0.0.8q8C8bQJRZ.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xeno_rat author = Sekoia.io, description = Xeno RAT is an open-source RAT, used by Kimsuky in January 2024, creation_date = 2024-02-09, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/moom825/xeno-rat/tree/main/xeno%20rat%20client, id = 4be1ff07-8180-42a8-9f51-b5e17bf23442

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin

Source: 8q8C8bQJRZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 8q8C8bQJRZ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8q8C8bQJRZ.exe	Virustotal: Detection: 70%
Source: 8q8C8bQJRZ.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Section loaded: mswsock.dll	Jump to behavior

Source: 8q8C8bQJRZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 8q8C8bQJRZ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 8q8C8bQJRZ.exe, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 8q8C8bQJRZ.exe, DllHandler.cs	.Net Code: DllNodeHandler

Source: 8q8C8bQJRZ.exe

Static PE information: 0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe

Code function: 0_2_00E036D7 push ebx; iretd

0_2_00E036DA

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Window / User API: threadDelayed 2433			Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe	Window / User API: threadDelayed 7419			Jump to behavior

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe TID: 6440	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe TID: 4296	Thread sleep count: 2433 > 30	Jump to behavior
Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe TID: 1020	Thread sleep count: 7419 > 30	Jump to behavior

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 8q8C8bQJRZ.exe, 00000000.00000002.3052855401.0000000000F33000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe

Queries volume information: C:\Users\user\Desktop\8q8C8bQJRZ.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\8q8C8bQJRZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XenoRAT

Source: Yara match	File source: 8q8C8bQJRZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.8q8C8bQJRZ.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1804936159.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8q8C8bQJRZ.exe PID: 3868, type: MEMORYSTR

Remote Access Functionality

Yara detected XenoRAT

Source: Yara match	File source: 8q8C8bQJRZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.8q8C8bQJRZ.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1804936159.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8q8C8bQJRZ.exe PID: 3868, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
8q8C8bQJRZ.exe	70%	Virustotal		Browse
8q8C8bQJRZ.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.XenoRAT

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
176.65.139.51	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
176.65.139.51	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.65.139.51	unknown	Germany		12975	PALTEL-ASPALTELAutonomousSystemPS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1617090
Start date and time:	2025-02-17 14:00:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8q8C8bQJRZ.exe renamed because original name is a hash value
Original Sample Name:	8b41a4fe26ea38b13ea25ac063f72855e170449f20ec8153a5d1d9068089392b.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
08:01:41	API Interceptor	171x Sleep call for process: 8q8C8bQJRZ.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PALTEL-ASPALTELAutonomousSystemPS	ShippingdocumentsAwbBLInv0000000pdf.vbs	Get hash	malicious	Unknown	Browse	176.65.138.184
	Hesap Hareketleri 17-02-2025.exe	Get hash	malicious	CryptOne, Remcos	Browse	176.65.144.154
	uYtea.x86.elf	Get hash	malicious	Unknown	Browse	176.65.137.13
	uYtea.arm7.elf	Get hash	malicious	Mirai	Browse	176.65.137.13
	uYtea.arm.elf	Get hash	malicious	Unknown	Browse	176.65.137.13
	res.spc.elf	Get hash	malicious	Unknown	Browse	213.244.67.102
	Client.exe	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse	176.65.137.182
	Client.exe	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse	176.65.137.182
	7BU8LCQLmc.ps1	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse	176.65.137.182
	7BU8LCQLmc.ps1	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse	176.65.137.182

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.643250727908704
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	8q8C8bQJRZ.exe
File size:	46'592 bytes
MD5:	11b40b4a6a1c3da4854eb344056ab5ba
SHA1:	a644f5bd41ea350d37754f3f01e81313e89d2551
SHA256:	8b41a4fe26ea38b13ea25ac063f72855e170449f20ec8153a5d1d9068089392b
SHA512:	75c4a08b268391c7e1e2748be7f0dda25c93e088f255386764c3c07e07421ed8143ef428408362b8575312ead0a1ccfda354766ba9bdafbc0619e7e0282687b2
SSDEEP:	768:EdhO/poiiUcjlJInCFH9Xqk5nWEZ5SbTDaYWI7CPW5K:ew+jjgnyH9XqcnW85SbTxWIC
TLSH:	6B23E74C57AC8923E6AF5ABD98324263C7B3E3669532E38F08CCD4E9379338555053A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40cb0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcab4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x5c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xab14	0xac00	a07ced22202afd312f072d56b4ab900a	False	0.44953670058139533	data	5.72558660548345	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x5c0	0x600	2ac195bea41bf9e2b3f0a8469c7762cf	False	0.4537760416666667	data	4.443358122135941	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	01acd2af66a5901a5067e09bcf43dbb2	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x334	data			0.4609756097560976
RT_MANIFEST	0xe3d4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName	Xeno
FileDescription	Client
FileVersion	3.2.1.0
InternalName	xeno rat client.exe
LegalCopyright	Copyright 2023
LegalTrademarks	Xeno
OriginalFilename	sys64.exe
ProductName	Xeno-manager
ProductVersion	1.2.3.0
Assembly Version	1.2.3.0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 17, 2025 14:01:21.416716099 CET	49731	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:01:21.421788931 CET	6969	49731	176.65.139.51	192.168.2.4
Feb 17, 2025 14:01:21.421919107 CET	49731	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:01:42.804905891 CET	6969	49731	176.65.139.51	192.168.2.4
Feb 17, 2025 14:01:42.805016041 CET	49731	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:01:52.815555096 CET	49738	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:01:52.820415020 CET	6969	49738	176.65.139.51	192.168.2.4
Feb 17, 2025 14:01:52.820503950 CET	49738	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:02:14.176474094 CET	6969	49738	176.65.139.51	192.168.2.4
Feb 17, 2025 14:02:14.176563978 CET	49738	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:02:24.194700956 CET	49887	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:02:24.199573040 CET	6969	49887	176.65.139.51	192.168.2.4
Feb 17, 2025 14:02:24.199696064 CET	49887	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:02:45.573882103 CET	6969	49887	176.65.139.51	192.168.2.4
Feb 17, 2025 14:02:45.574037075 CET	49887	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:02:55.580845118 CET	50006	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:02:55.588046074 CET	6969	50006	176.65.139.51	192.168.2.4
Feb 17, 2025 14:02:55.588174105 CET	50006	6969	192.168.2.4	176.65.139.51
Feb 17, 2025 14:03:16.976684093 CET	6969	50006	176.65.139.51	192.168.2.4
Feb 17, 2025 14:03:16.976825953 CET	50006	6969	192.168.2.4	176.65.139.51

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: 8q8C8bQJRZ.exePID: 3868, Parent PID: 2580

General

Target ID:	0
Start time:	08:01:14
Start date:	17/02/2025
Path:	C:\Users\user\Desktop\8q8C8bQJRZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8q8C8bQJRZ.exe"
Imagebase:	0x780000
File size:	46'592 bytes
MD5 hash:	11B40B4A6A1C3DA4854EB344056AB5BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000000.1804936159.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 8q8C8bQJRZ.exePID: 3868, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.7%
Total number of Nodes:	31
Total number of Limit Nodes:	1

Executed Functions

Function 00E00B11 Relevance: 1.8, Strings: 1, Instructions: 576
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

dhq, xrefs: 00E00CA2

Memory Dump Source

Source File: 00000000.00000002.3052715042.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_8q8C8bQJRZ.jbxd

Similarity

API ID:
String ID: dhq
API String ID: 0-2324836203
Opcode ID: 18be32fad2aa5936c9ebd83773abee66f67044de4b5e15f02168fe2a6245cccb
Instruction ID: 43ff989423db8f8daed74a920210de645d180f9c9d09ae1d04978bd345d95056
Opcode Fuzzy Hash: 18be32fad2aa5936c9ebd83773abee66f67044de4b5e15f02168fe2a6245cccb
Instruction Fuzzy Hash: B6420974A002498FCB05DFA8D584A9DBBF2BF49314F1585A9E409EF3A9DB30AD85CF50

Function 00E02327 Relevance: 1.6, Strings: 1, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P x, xrefs: 00E02373

Memory Dump Source

Source File: 00000000.00000002.3052715042.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_8q8C8bQJRZ.jbxd

Similarity

API ID:
String ID: P x
API String ID: 0-1487350286
Opcode ID: 86f6e3a14c69e71066e50f47129fec9d3f9e8af033832790a440d3cee7d370d0
Instruction ID: 827108730eadc3b80366fbce8922c92664935465f4a31415add10996645f9d9d
Opcode Fuzzy Hash: 86f6e3a14c69e71066e50f47129fec9d3f9e8af033832790a440d3cee7d370d0
Instruction Fuzzy Hash: C0F1D474A012459FDB05CF68D488A9DBBF2BF49324F1581A9E509EB3A6D730EC85CF60

Function 00E03DC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E03E0D

Strings

., xrefs: 00E03DC8

Memory Dump Source

Source File: 00000000.00000002.3052715042.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_8q8C8bQJRZ.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID: .
API String ID: 6842923-362474954
Opcode ID: b5eff56af7048f5f7f498f050b7c7ef53011b0131636d7d0e36a8f6446bb0377
Instruction ID: 6386be6855f5d4e20c656db5234b74de44954185143c8026e5d7caed7f770fed
Opcode Fuzzy Hash: b5eff56af7048f5f7f498f050b7c7ef53011b0131636d7d0e36a8f6446bb0377
Instruction Fuzzy Hash: 43F02472E102099BCF15D774C4559EFBFB24F84300F01893AC802F7280EEB0290B96C2

Function 00D6D041 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3052529810.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6d000_8q8C8bQJRZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c6456a96cb1a2716427479441f09ec23868f89b9418982f71d47fa0ef30047
Instruction ID: 37a22f8fc5291495836ef35b7845b71ff50e7dddb8729dc09609ce06641b0ab1
Opcode Fuzzy Hash: d6c6456a96cb1a2716427479441f09ec23868f89b9418982f71d47fa0ef30047
Instruction Fuzzy Hash: 0801F771A083449BE7208B29DC84B26FFE9DF61321F1CC51AEC490E282C2359841C6B1

Function 00D6D040 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3052529810.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6d000_8q8C8bQJRZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162362725b3347b2815733554c7143a32e70955b3edd3ed369dd4b779ec3a415
Instruction ID: a4de089d13c2be6442bfae6df4c23623ec3837d9ad6b5a39d78623b7ca527700
Opcode Fuzzy Hash: 162362725b3347b2815733554c7143a32e70955b3edd3ed369dd4b779ec3a415
Instruction Fuzzy Hash: 9BF062715043449FE7108B1ADD84B62FFD8EB91734F18C45AED094E287C2799845CAB1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8q8C8bQJRZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XenoRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
8q8C8bQJRZ.exe

Function 00E00B11 Relevance: 1.8, Strings: 1, Instructions: 576
COMMON

Function 00E02327 Relevance: 1.6, Strings: 1, Instructions: 379
COMMON

Function 00E03DC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
COMMON