Extracted

• • Target

    Estado de cuenta.xls

  • Size

    192KB

  • MD5

    4b5efde48442f60d1563164c1e728061

  • SHA1

    f371b6ea0311f9175c78102e3a087ab5fc7fe687

  • SHA256

    8464e28250faf8cc3d316329b9b39cbc029659d93db9da3086ce9fc5e37bbcd1

  • SHA512

    cc18300b59ad15c59fd3dd96a88df4cb4526da5b7bb92dffd0c4fe6c616268d0de0197a59b2b403ae6f35d7e027137d7db6baa713e74c3401abd58b1d101cbd8

  • SSDEEP

    3072:PrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:zxEtjPOtioVjDGUU1qfDlavx+W2QnAqE

  Score

  10^/10

  discoveryxenoratmacromacro_on_actionrattrojan

  • Detect XenoRat Payload

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat

  • Xenorat family

    xenorat

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Office macro that triggers on suspicious action

    Office document macro which triggers in special circumstances - often malicious.

    macromacro_on_action

  • Suspicious Office macro

    Office document equipped with macros.

    macro

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2