Extracted

• • Target

    b1881827f723ef2c8935689a421936ad.exe

  • Size

    45KB

  • MD5

    b1881827f723ef2c8935689a421936ad

  • SHA1

    a6fa2abdc15590c147f22b051e47fd0e9ea47375

  • SHA256

    bf11a0220b7cbe0f09af2e354d3858f9c50aacfd982260128fdf85f37f48ffb2

  • SHA512

    51da6d469bf34e69ef6eb76794615890b14e4bfa5be4e3d1615d6efef13b72a72e954bce2b87591d549e9e5e9f17a5e64689796370487393fad50b9a18e5d544

  • SSDEEP

    768:FdhO/poiiUcjlJIn9hYH9Xqk5nWEZ5SbTDa6uI7CPW5H:bw+jjgn9SH9XqcnW85SbT/uI/

  Score

  10^/10

  xenoratdiscoveryratspywarestealertrojanadwarepersistenceprivilege_escalation

  • Detect XenoRat Payload

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat

  • Xenorat family

    xenorat

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Drops file in System32 directory

  behavioral1behavioral2