General

  • Target

    ad58a779119b226a8f322acfc28bb19997def17a0c4a3f17ab4c57d83269650a

  • Size

    192KB

  • Sample

    241208-z2q5jstrey

  • MD5

    6917e598649923e5cf22957e24caffa4

  • SHA1

    6365e7abd6413cec0f51ff997cdba24e263ccbe4

  • SHA256

    ad58a779119b226a8f322acfc28bb19997def17a0c4a3f17ab4c57d83269650a

  • SHA512

    d5c3b9b7ab59a0ac8d94205a7748a06b194d6bd2921ee6fd799306d4802fd5b785aaf31cf422c9dfa4d671571729d10bbfdcea4cba37088cfc7cc88e0671552d

  • SSDEEP

    3072:DrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:nxEtjPOtioVjDGUU1qfDlavx+W2QnAqE

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec
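The configuration above is the most durable part of this report: the file hashes change with every repack, but the C2 host, port, mutex and persistence name are what the operator configured and tend to survive. The following is an added hunting example, not code from Triage or from XenoRat. It copies the extracted values into a small set of host and network checks and runs them over constructed, Sysmon-like event records (the events are made up for the example and are not from the report). Two assumptions are labelled in the code: that install_path "appdata" means %APPDATA%, and that startup_name "mrec" may appear as a Run-key value, a scheduled-task name, a Startup-folder file or a dropped file name, since the report does not say which persistence mechanism the sample uses. The report also gives no unit for delay, so the example carries it only as data.

```python
"""Hunting checks derived from the extracted XenoRat configuration above.

Added example; not code from Triage or from XenoRat itself. The event
records below are constructed for the example, not taken from the report.
"""
import re
from typing import Dict, List, Tuple

# Values copied from the "Malware Config" section of this report.
CONFIG = {
    "c2": "dns.stipamana.com",
    "port": 4567,
    "mutex": "Xeno_rat_nd8912d",
    "delay": 12000,          # unit not stated in the report; carried as data only
    "install_path": "appdata",
    "startup_name": "mrec",
}

# Assumption: the report gives install_path=appdata and startup_name=mrec but
# not the persistence mechanism, so "mrec" is checked as a Run-key value name,
# a scheduled-task name, a Startup-folder file and a dropped file under
# %APPDATA%. A wrong guess about the mechanism then costs nothing.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?(\\|$)", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
APPDATA_RE = re.compile(r"\\appdata\\", re.I)


def _stem(path: str) -> str:
    """'C:\\x\\mrec.exe' -> 'mrec' (lower-cased, either slash style)."""
    leaf = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[0].lower()


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator names hit by one normalized event.

    Event shape (constructed for this example): {"type": dns|net|mutex|
    registry|task|file, ...type-specific keys...}.
    """
    hits: List[str] = []
    kind = ev.get("type")
    c2 = CONFIG["c2"].lower()
    name = CONFIG["startup_name"].lower()

    if kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q == c2 or q.endswith("." + c2):
            hits.append("c2_dns")
    elif kind == "net":
        if ev.get("dst_host", "").lower().rstrip(".") == c2:
            hits.append("c2_host")
            if int(ev.get("dst_port", 0)) == CONFIG["port"]:
                hits.append("c2_port")
    elif kind == "mutex":
        # Sandboxes often log the full object path; compare the leaf only.
        # Named-object names are case-sensitive on Windows, so no lower().
        if ev.get("name", "").rsplit("\\", 1)[-1] == CONFIG["mutex"]:
            hits.append("mutex")
    elif kind == "registry":
        key = ev.get("key", "")
        vname = ev.get("value_name") or key.rstrip("\\").rsplit("\\", 1)[-1]
        if RUN_KEY_RE.search(key) and vname.lower() == name:
            hits.append("run_key")
    elif kind == "task":
        if ev.get("name", "").strip("\\").lower() == name:
            hits.append("sched_task")
    elif kind == "file":
        path = ev.get("path", "")
        if APPDATA_RE.search(path) and _stem(path) == name:
            hits.append("appdata_drop")
        if STARTUP_DIR_RE.search(path) and _stem(path) == name:
            hits.append("startup_folder")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """(index, hits) for every event that hits at least one indicator."""
    out = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed events (Sysmon-like, already normalized); not from the report.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "dns.stipamana.com"},
    {"type": "net", "dst_host": "dns.stipamana.com", "dst_port": "4567"},
    {"type": "mutex", "name": "\\Sessions\\1\\BaseNamedObjects\\Xeno_rat_nd8912d"},
    {"type": "registry",
     "key": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\mrec"},
    {"type": "file", "path": "C:\\Users\\u\\AppData\\Roaming\\mrec.exe"},
    {"type": "dns", "query": "update.example.com"},                       # benign control
    {"type": "net", "dst_host": "dns.stipamana.com", "dst_port": "443"},  # host only, wrong port
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["type"], hits)
```

A hit on the C2 host alone is kept separate from host plus port so that a triage rule can weight them differently; the hashes and SSDEEP value in the General section belong in ordinary file-hash matching and are deliberately not repeated here, because a repacked build of the same configuration will not share them.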

Targets

    • Target

      ad58a779119b226a8f322acfc28bb19997def17a0c4a3f17ab4c57d83269650a

    • Size

      192KB

    • MD5

      6917e598649923e5cf22957e24caffa4

    • SHA1

      6365e7abd6413cec0f51ff997cdba24e263ccbe4

    • SHA256

      ad58a779119b226a8f322acfc28bb19997def17a0c4a3f17ab4c57d83269650a

    • SHA512

      d5c3b9b7ab59a0ac8d94205a7748a06b194d6bd2921ee6fd799306d4802fd5b785aaf31cf422c9dfa4d671571729d10bbfdcea4cba37088cfc7cc88e0671552d

    • SSDEEP

      3072:DrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:nxEtjPOtioVjDGUU1qfDlavx+W2QnAqE

    • Detect XenoRat Payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro that runs only under particular conditions; this is often malicious.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

      Commonly seen in process injection and process hollowing.

MITRE ATT&CK Enterprise v15

Tasks