General

  • Target: loader_fix.exe
  • Size: 7.4MB
  • Sample: 240705-pxz7js1dkf
  • MD5: 0a1f9a5e3d317e06d7d442254c4b1c59
  • SHA1: f28e500a0149a6293e3ef1b2fdfbf7f8c45d6635
  • SHA256: 8a2dd17fafb82d2fb8674bfc8a137c6c955612088a0ac8f74e414ee3f7763b4e
  • SHA512: fd072999814d92f9f93b651c40c1639cfb17613e359b7cf57dcdecdb5eaf2cb97065e6cfb754510802df7d16c84ab61f4ce4db19fce51d419124dc9705de9a9c
  • SSDEEP: 196608:uM0GdqOUunfuLvSJ2BDXdZARCqQJxzOhF4HNGgj4ubO:jndfnuLKJoXMRCqQJxyhF4lxC

Malware Config

Extracted

Family: xenorat

C2: 37.120.141.155

Mutex: SteamUDP_FULL4

Attributes
  • delay: 5000
  • install_path: temp
  • port: 22914
  • startup_name: SteamUDP

Targets

    • XenorRat
      XenorRat is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.

    • UPX packed file
      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP address.

MITRE ATT&CK Enterprise v15