Extracted

• • Target

    9890dcfe9719d9c483c69362c7e20213ceabb1886c53d853fe0b1882a771bdc2.exe

  • Size

    161KB

  • MD5

    f1939312d11bf52d72f776cf84410d74

  • SHA1

    09905b3d2ae2dc755584bf0f405e829acff60299

  • SHA256

    9890dcfe9719d9c483c69362c7e20213ceabb1886c53d853fe0b1882a771bdc2

  • SHA512

    5b3f03e35f0468ea2e50f447d012713c97a3b11b094fdd92156b71a3f0135a686e64843afe23e02f54210852762d04bf5896eeaa0e1055f7bccb4bb980ced3d8

  • SSDEEP

    3072:ad3SoRYw/VXW80KeQoBWIJ0xKAG50NlQvh+5v4Tb2b1Nm:aZSo75WCvoBL/AGF0nb1N

  Score

  10^/10

  discoveryxenoratevasionratthemidatrojan

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat

  • Xenorat family

    xenorat

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2