Deep Analysis — XenoRAT | Threat: HIGH

File Identity

SHA256: a87cf0954145c8c8d0188af89ce197df0621f34e85ab7f7d78da808b124c8a07
Size: 378,880 bytes (.NET PE32)
Name: UpdateWindowns.exe ("Windows" typo lure)
Timestamp: set in the future (anti-analysis)

xeno rat client: String Detection

CONFIRMED: the string "xeno rat client" occurs 3x inside the binary!
xeno rat client        (3 references)
xeno rat client.exe    (2 references)

-- XenoRAT: open-source C# RAT (GitHub: moom825/xeno-rat)
-- DLLs embedded with Costura: SharpDX.Direct3D11, SharpDX.DXGI
-- AddToStartupNonAdmin: startup registration without admin rights
-- Global\{7B2A1-9D2E-4F3C-8A11-B2C3D4E5F6G7} mutex

SharpDX DirectX Screen Capture

SharpDX.Direct3D11.dll.compressed (283,136 bytes)
SharpDX.DXGI.dll.compressed (148,480 bytes)
SharpDX.dll.compressed (274,944 bytes)

-- GPU-accelerated screen capture via DirectX 11
-- Used instead of the standard GDI BitBlt: faster, and harder for AV to detect
-- SharpDX = .NET wrapper around DirectX
-- DXGI: reads the screen contents through the swap chain
-- Use: live screen monitoring, remote viewing

localto.net: Tunnel Relay

localto.net

-- Localto.net: HTTP/TCP reverse tunnel service (ngrok-like)
-- The operator uses it to hide their own C2 IP address
-- The victim's outbound connection goes to a localto.net subdomain
-- Behind that subdomain sits the operator's machine
-- AV/firewall: a busy, legitimate-looking domain (localto.net) may pass a whitelist
-- The XenoRAT operator enters their own localto.net subdomain in the configuration

UpdateWindowns Lure Name

"UpdateWindowns.exe"
-- "Windowns" = misspelling of Windows (not "Windows")
-- Dressed up as a fake Windows Update
-- Social engineering: handed to IT staff or the end user as a "Windows update"
-- Future timestamp: the compile timestamp is forged (anti-analysis)
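The two static indicators this page relies on, the literal "xeno rat client" / localto.net / AddToStartupNonAdmin strings and the forged future compile timestamp, can both be checked in a few lines of Python during triage. The script below is an added example written for this page, not KEYDAL tooling and not code from the xeno-rat project; it assumes the indicator list from the sections above and runs against a constructed PE-like buffer (header plus embedded strings) so it works offline without the real sample. Because the client is .NET, strings are searched both as ASCII and as UTF-16LE, which is how managed string literals are stored in the binary.

```python
import struct
import time

# Indicator strings quoted on this page (XenoRAT client string, tunnel relay domain,
# persistence helper name, mutex). Matched as ASCII and UTF-16LE below.
INDICATOR_STRINGS = [
    "xeno rat client",
    "localto.net",
    "AddToStartupNonAdmin",
    "Global\\{7B2A1-9D2E-4F3C-8A11-B2C3D4E5F6G7}",
]


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image, or None if the header is not parseable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Layout after e_lfanew: "PE\0\0" (4) + Machine (2) + NumberOfSections (2) + TimeDateStamp (4)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_is_future(ts, now=None, slack=86400):
    """True when the compile timestamp lies more than `slack` seconds ahead of `now`."""
    now = time.time() if now is None else now
    return ts is not None and ts > now + slack


def find_indicators(data: bytes, indicators=INDICATOR_STRINGS):
    """Count each indicator string in the buffer, in both ASCII and UTF-16LE encodings."""
    hits = {}
    for s in indicators:
        count = data.count(s.encode("ascii")) + data.count(s.encode("utf-16-le"))
        if count:
            hits[s] = count
    return hits


def triage(data: bytes, now=None):
    """Combine the header check and the string scan into one verdict dictionary."""
    ts = pe_timestamp(data)
    return {
        "timestamp": ts,
        "future_timestamp": timestamp_is_future(ts, now),
        "indicators": find_indicators(data),
    }


def build_sample(timestamp: int) -> bytes:
    """Constructed PE-like buffer for demonstration only; this is NOT the real sample."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points right after the DOS stub
    coff = b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 3, timestamp) + bytes(12)
    body = (
        "xeno rat client".encode("utf-16-le") * 3   # managed string, three copies as on the page
        + b"\x00" + b"localto.net"                  # relay domain as plain ASCII
        + b"\x00" + b"AddToStartupNonAdmin"         # persistence method name
    )
    return bytes(hdr) + coff + body


if __name__ == "__main__":
    # Constructed sample with a compile timestamp ten years ahead of the clock.
    sample = build_sample(int(time.time()) + 10 * 365 * 86400)
    print(triage(sample))
```

For a real file, replace `build_sample(...)` with `open(path, "rb").read()`; `pe_timestamp` only reads the COFF header, so it also works on truncated or damaged samples as long as the first few hundred bytes survive.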

IOC

SHA256: a87cf0954145c8c8d0188af89ce197df0621f34e85ab7f7d78da808b124c8a07
Family: XenoRAT (xeno rat client)
Mutex: Global\{7B2A1-9D2E-4F3C-8A11-B2C3D4E5F6G7}
Relay: localto.net
Lure Name: UpdateWindowns.exe

XenoRAT — Malware Profile

Open-source C# RAT (GitHub: moom825/xeno-rat). SharpDX DirectX screen capture. Costura embedded DLLs. AddToStartupNonAdmin persistence. Reverse tunnel via localto.net. Future timestamp anti-analysis. UpdateWindowns.exe typo lure.

Malware Type: RAT
Programming Language: C#/.NET
C2 Protocol: TCP/TLS
Target Systems: Global

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (1 indicator)

IOC — XenoRAT
# SHA256 a87cf0954145c8c8d0188af89ce197df0621f34e85ab7f7d78da808b124c8a07
Type    Value                                                              Note
sha256  a87cf0954145c8c8d0188af89ce197df0621f34e85ab7f7d78da808b124c8a07  —

C2 Servers (1 recorded servers for this family)

Address Type Port Protocol Status Country
localto.net domain 443 HTTPS active —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
xenorat, xeno-rat, xeno-rat-client-string-confirmed-identification, sharpdx-direct3d11-dxgi-directx-screen-capture, global-7b2a1-9d2e-4f3c-8a11-b2c3d4e5f6g7-mutex-anti-reinfection, addtostartupnonadmin-registry-persistence, localto-net-tunnel-relay-c2-channel, costura-embedded-dll-assembly-loader, root-securitycenter2-av-evasion, updatewindowns-typo-lure-fake-windows-update, future-timestamp-anti-analysis