Extracted

• • Target

    9107e292b3c9eb3349173d71e44352fd032ec73946a4467b309b87315aa6395bN

  • Size

    244KB

  • MD5

    87be7fdfcec0bda925b60f54b845e5e0

  • SHA1

    fe5beca234d9810dd8e2b089f61dc5830e9f8670

  • SHA256

    9107e292b3c9eb3349173d71e44352fd032ec73946a4467b309b87315aa6395b

  • SHA512

    ceb6dd49672ae9a10484e2a67733c170afa3f44c99c72bba4d56a37d20f589c7de5692fecebeaf60e19b3ab7e6f54fb805eef464ebc64ad59e8f365dc27c9081

  • SSDEEP

    6144:1thabErbo/5bTgVziHzZnSKrCbYMm6bm8qq:1oEI/5/gVziHlBrCbYP8j

  Score

  10^/10

  xenoratrattrojanbootkitdefense_evasionpersistence

  • Detect XenoRat Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat

  • Xenorat family

    xenorat

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Loads dropped DLL

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  behavioral1behavioral2