Extracted

• • Target

    ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c

  • Size

    192KB

  • MD5

    84d6b509972268981bab9932386c549c

  • SHA1

    dfa0dba8ae581f80e94dd5d69625e1b8b50ebfa9

  • SHA256

    ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c

  • SHA512

    d2a3c06bc33f6c0ac2f26c68b33a486d5ceb01e1e1f58cf8f72d63632e78e4f692bb0f10dc9680d36a14c212f6915d9ecc5927b601e1ddc7ea13babf10617c6d

  • SSDEEP

    6144:BxEtjPOtioVjDGUU1qfDlavx+W2QnAu+Ly9ckwDwPq5XlsqhwxNNipu:s+VkGUqLsqyi

  Score

  10^/10

  discoveryxenoratmacromacro_on_actionrattrojan

  • Detect XenoRat Payload

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat

  • Xenorat family

    xenorat

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Office macro that triggers on suspicious action

    Office document macro which triggers in special circumstances - often malicious.

    macromacro_on_action

  • Suspicious Office macro

    Office document equipped with macros.

    macro

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2