Derin Analiz — XenoRAT | Tehdit: YUKSEK

파일 Kimligi

SHA256a87cf0954145c8c8d0188af89ce197df0621f34e85ab7f7d78da808b124c8a07
크기378,880 byte (.NET PE32)
IsimUpdateWindowns.exe (Windows typo luresi)
TimestampFuture time (anti-analiz)

xeno rat client: String Tespiti

ONAY: xeno rat client stringi binary icinde x3 bulunuyor!
xeno rat client        (x3 referans)\nxeno rat client.exe    (x2 referans)\n\n-- XenoRAT: acik kaynak C# RAT (GitHub: moom825/xeno-rat)\n-- Costura ile DLL embed: SharpDX.Direct3D11, SharpDX.DXGI\n-- AddToStartupNonAdmin: admin olmadan startup kaydi\n-- Global\{7B2A1-9D2E-4F3C-8A11-B2C3D4E5F6G7} mutex

SharpDX DirectX Ekran Yakalama

SharpDX.Direct3D11.dll.compressed (283,136 byte)\nSharpDX.DXGI.dll.compressed (148,480 byte)\nSharpDX.dll.compressed (274,944 byte)\n\n-- DirectX 11 ile GPU-hizlandirmali ekran yakalama\n-- Standart GDI BitBlt yerine: daha hizli, AV tespiti daha zor\n-- SharpDX = .NET DirectX sarici\n-- DXGI: swap chain ile ekran icerigi al\n-- Kullanim: canli ekran izleme, uzaktan goruntuleme

localto.net: Tunel Relay

localto.net\n\n-- Localto.net: HTTP/TCP reverse tunnel servisi (ngrok benzeri)\n-- Operator kendi C2 IP adresini saklamak icin kullanir\n-- Kurban gelen baglanti: localto.net subdomain\n-- Subdomain arkasinda operator makinesi\n-- AV/Firewall: mesgul domain (localto.net) gorunce whitelist gecebilir\n-- XenoRAT operatoru konfigurasyona kendi localto.net subdomain giriyor

UpdateWindowns Lur Adi

"UpdateWindowns.exe"\n-- "Windowns" = Windows typo (Windows degil)\n-- Sahte Windows Update gibi gosterilmis\n-- Sosyal muhendislik: IT personeline veya kullaniciya "Windows guncelleme" diye sunulmus\n-- Future timestamp: zaman damgasi sahte (anti-analiz)

IOC

SHA256a87cf0954145c8c8d0188af89ce197df0621f34e85ab7f7d78da808b124c8a07
패밀리XenoRAT (xeno rat client
MutexGlobal\{7B2A1-9D2E-4F3C-8A11-B2C3D4E5F6G7}
Relaylocalto.net
Lur AdiUpdateWindowns.exe

XenoRAT — 악성코드 프로필

Open-source C# RAT (GitHub: moom825/xeno-rat). SharpDX DirectX screen capture. Costura embedded DLLs. AddToStartupNonAdmin persistence. Reverse tunnel via localto.net. Future timestamp anti-analysis. UpdateWindowns.exe typo lure.

악성코드 유형
RAT
프로그래밍 언어
C#/.NET
C2 프로토콜
TCP/TLS
대상 시스템
Küresel

기능 및 동작

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

IOC 목록 (1 개 지표)

IOC — XenoRAT
# SHA256 a87cf0954145c8c8d0188af89ce197df0621f34e85ab7f7d78da808b124c8a07
유형메모
sha256 a87cf0954145c8c8d0188af89ce197df0621f34e85ab7f7d78da808b124c8a07

C2 서버 (이 패밀리에 대해 1개의 서버 기록)

주소 유형 포트 프로토콜 상태 국가
localto.net domain 443 HTTPS active —

C2 주소는 KEYDAL 팀이 수동으로 검증한 악성코드 샘플에서만 제공됩니다. 상업적 사용은 금지됩니다.

태그
xenoratxeno-ratxeno-rat-client-string-confirmed-identificationsharpdx-direct3d11-dxgi-directx-screen-captureglobal-7b2a1-9d2e-4f3c-8a11-b2c3d4e5f6g7-mutex-anti-reinfectionaddtostartupnonadmin-registry-persistencelocalto-net-tunnel-relay-c2-channelcostura-embedded-dll-assembly-loaderroot-securitycenter2-av-evasionupdatewindowns-typo-lure-fake-windows-updatefuture-timestamp-anti-analysis