General

  • Target

    9df32d691dc6483d47b40e6154aeff36f0acdc009c07b4af48618c4fb6b21b9f.exe

  • Size

    499KB

  • Sample

    250216-drf1yazlhy

  • MD5

    7289b991c37d058b2e69b3983f75d122

  • SHA1

    b89acc7669c5e84c1e5e9bcf0822df8803f10e43

  • SHA256

    9df32d691dc6483d47b40e6154aeff36f0acdc009c07b4af48618c4fb6b21b9f

  • SHA512

    958e5ba3326d01653d5218f578c909012d4a26d0bad7a467569395a080d5531103c92cd55cf049daa491826ea371dc3cc665560dcab127b6e38c9e399359a60c

  • SSDEEP

    12288:d7Wnj4mpB/33bxyy0vyJ2qiJSUINUpqag73a3Bkl:tyjVn/3LxavmzsINUpvg7

Malware Config

Extracted

Family

xenorat

C2

196.251.87.37

Mutex

Xeno_rat_nd8912d

Attributes

  • delay

    5000

  • install_path

    temp

  • port

    4782

  • startup_name

    nothingset

Targets

    • Target

      9df32d691dc6483d47b40e6154aeff36f0acdc009c07b4af48618c4fb6b21b9f.exe

    • Size

      499KB

    • MD5

      7289b991c37d058b2e69b3983f75d122

    • SHA1

      b89acc7669c5e84c1e5e9bcf0822df8803f10e43

    • SHA256

      9df32d691dc6483d47b40e6154aeff36f0acdc009c07b4af48618c4fb6b21b9f

    • SHA512

      958e5ba3326d01653d5218f578c909012d4a26d0bad7a467569395a080d5531103c92cd55cf049daa491826ea371dc3cc665560dcab127b6e38c9e399359a60c

    • SSDEEP

      12288:d7Wnj4mpB/33bxyy0vyJ2qiJSUINUpqag73a3Bkl:tyjVn/3LxavmzsINUpvg7

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks