Extracted

• • Target

    f5f70713548d8a397fd0ecbba97df9d494687e0cd76da215698b209c4217e144.exe

  • Size

    120KB

  • MD5

    3ef51203bdf504ca54a0956fed3bdd3f

  • SHA1

    1567cd51f39345c00ea529db2952bd2805d14d56

  • SHA256

    f5f70713548d8a397fd0ecbba97df9d494687e0cd76da215698b209c4217e144

  • SHA512

    1098a6b9905f15d5bdca647dacc8dc953c9d538b0847a04761f84aada5a14c14997aa5cddfd8b228f2f3b722562f94e6b4527526decfc96a34e9fe0b814b6f94

  • SSDEEP

    3072:XnOsAdSDjd9ahEnYuDpejh9wPqn5BzBDuMLaO6:3PnDkLjhxDBDuMm

  Score

  10^/10

  xenoratdiscoveryexecutionpersistencerattrojan

  • Detect XenoRat Payload

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat

  • Xenorat family

    xenorat

  • .NET Reactor proctector

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Suspicious use of SetThreadContext

  behavioral1behavioral2