What is XenoRAT?

XenoRAT is an open-source remote access trojan (RAT) written in C# that provides attackers with comprehensive control over compromised Windows systems. It features capabilities such as remote system management, keystroke logging, real-time audio surveillance via microphone access, webcam capture, file exfiltration, and execution of arbitrary commands.

Overview

This analysis is mostly static decompilation and analysis of the malware. The sample I have is not obfuscated, so it is clear what it does. I will describe the overall functionality of the malware and end there. I will also check whether the sample uses any uncommon techniques and list them too.

About Sample

This sample is a 32-bit Portable Executable .NET assembly. It is not packed, ASLR and NX (non-executable stack) are enabled, and the image does not use SEH (Structured Exception Handling).

Functionality

First, the malware checks whether it is executing as admin; if so, it appends "-admin" to the end of mutex_string. Next it checks whether Install_path is set to anything or to "nothingset" (in my case it was set to "nothingset", so it did not copy the current file to any path and execute from there). It then creates a mutex with mutex_string ("Xeno_rat_nd8912f", with "-admin" appended if executed as admin).

Next, it tries to create a socket and connect to 77.51.224.225:4444.

Next, it awaits an answer from the C2.

As is obvious, there are 4 choices:

0. Creates an additional subsocket and adds it to nodes.

1. Sends information such as:

   Environment.ProcessorCount,
   Environment.UserName,
   Environment.MachineName,
   Environment.OSVersion,
   DriveInfo(Path.GetPathRoot(Environment.SystemDirectory)).TotalSize,
   WindowsIdentity.GetCurrent().Name,
   Utils.GetWindowsVersion(),
   Utils.GetAntivirus(),
   Utils.IsAdmin().ToString()

   The technique used for finding the antivirus is a WMI query (WQL, an SQL-like syntax) for the AntivirusProduct class.

2. Kills the process immediately.

3. Starts a new process of this executable and kills this process.

4. Cleans up and kills this process.

The cleanup removes the malware's entry from the registry Run key "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".

If the malware was executed as admin, the cleanup is a little longer, for example also removing the scheduled task via schtasks.exe, because when executed as admin the malware sets these up at its start.

And finally, it runs cmd.exe /C choice /C Y /N /D Y /T 3 & Del "<executable_path>" to remove the executable from disk.
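As an added defensive example (not code from this write-up or from the XenoRAT project), the following Python matches constructed telemetry events against the behaviours described above: the mutex name with its optional "-admin" suffix, the hard-coded C2 endpoint, and the choice-based delayed self-delete command. The event schema and the sample events are assumptions made for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators from the analysis above: mutex prefix, C2 endpoint and the shape of
# the delayed self-delete command. Event schema and sample events are constructed.
MUTEX_PREFIX = "Xeno_rat_nd8912f"
C2_ENDPOINT = ("77.51.224.225", 4444)

# "cmd.exe /C choice /C Y /N /D Y /T <n> & Del <path>": choice stalls for <n>
# seconds so the RAT process can exit before its own binary is deleted.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?\s+/C\s+choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*del\s+"?(?P<path>[^"]+)"?',
    re.IGNORECASE,
)

@dataclass
class Finding:
    rule: str
    detail: str

def check_event(event: dict) -> list[Finding]:
    """Match one normalised event against the XenoRAT behaviours described above."""
    kind = event.get("type")
    if kind == "mutex_create":
        name = event.get("name", "")
        if name.startswith(MUTEX_PREFIX):
            # The "-admin" suffix means the sample believed it was elevated.
            elevated = name[len(MUTEX_PREFIX):] == "-admin"
            return [Finding("xenorat_mutex", "elevated" if elevated else "unelevated")]
    elif kind == "network_connect":
        if (event.get("dst_ip"), event.get("dst_port")) == C2_ENDPOINT:
            return [Finding("known_c2_endpoint", "%s:%d" % C2_ENDPOINT)]
    elif kind == "process_create":
        m = SELF_DELETE_RE.search(event.get("cmdline", ""))
        if m:
            return [Finding("self_delete_via_choice", m.group("path"))]
    return []

def scan(events: list[dict]) -> list[Finding]:
    """Run every event through check_event and collect the hits in order."""
    return [f for e in events for f in check_event(e)]

SAMPLE_EVENTS = [  # constructed telemetry, not from a real host
    {"type": "mutex_create", "name": "Xeno_rat_nd8912f-admin"},
    {"type": "network_connect", "dst_ip": "77.51.224.225", "dst_port": 4444},
    {"type": "process_create", "cmdline": "notepad.exe C:\\notes.txt"},
    {"type": "process_create",
     "cmdline": 'cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\\Users\\Public\\svc.exe"'},
]
```

Running `scan(SAMPLE_EVENTS)` yields three findings (mutex, C2 endpoint, self-delete) and ignores the benign notepad launch; the path captured from the Del command is what an analyst would pivot on to recover the deleted binary from backups or shadow copies.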

IOC

MalwareBazaar