Extracted

• • Target

    UnamBinder.exe

  • Size

    9.4MB

  • MD5

    70565dbd654937df2eaefc7c79941169

  • SHA1

    5cb8daf1185704a9772f07dcec2e499149517715

  • SHA256

    a90ba5a56422c0d2a41f28da056affd69cc8929e14dcdab1583ec96b50b8e28d

  • SHA512

    64b89f77d6528c838c0288c59203455ea3318028816d4426f818c6b8c3258d8e5e13242b175d7b3402547cfd5a0acddb212b9f9b5bbf5d259cd4befc2d078a4c

  • SSDEEP

    196608:g81oBGyk1BK5Gf01Up2GRlRaNqg4eS+wDjxx1ohqsIOGvuQdaQ:g46GykqGf5sGRT2qFP+GDAqkG2i

  Score

  10^/10

  xenoratexecutionpersistenceprivilege_escalationratspywarestealertrojanupx

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1