General

  • Target

    runner.exe

  • Size

    22KB

  • Sample

    250404-tpvpbazydx

  • MD5

    9a69ca248eb8201fa463914ad24cf890

  • SHA1

    52833d514ab20ce3bb2d9a37c07bd93ea0f4f82e

  • SHA256

    807f40d1f7f6291184bb95f73a72456aae52a12d665b45b40bf0b664c49ddf06

  • SHA512

    29ceb1dfcfaba2e79cbd7867afc053eb054e5c1d68c77f702472018f979f85de3003c02fda9e39e216569b142bb2b09b76f8eaffb7e9926869a6cbb1c714fe76

  • SSDEEP

    384:oybnj2M7f7i/ww+/frgeI0/GZ0hYkp1KTdmpasWUOS5BEvNWmkZB20qyM9KzXrQT:z6W/GTY9VI3XB

Malware Config

Extracted

Family

xenorat

C2

visit-dose.gl.at.ply.gg

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    64494

  • startup_name

    Update

Targets

    • Target

      runner.exe

    • Size

      22KB

    • MD5

      9a69ca248eb8201fa463914ad24cf890

    • SHA1

      52833d514ab20ce3bb2d9a37c07bd93ea0f4f82e

    • SHA256

      807f40d1f7f6291184bb95f73a72456aae52a12d665b45b40bf0b664c49ddf06

    • SHA512

      29ceb1dfcfaba2e79cbd7867afc053eb054e5c1d68c77f702472018f979f85de3003c02fda9e39e216569b142bb2b09b76f8eaffb7e9926869a6cbb1c714fe76

    • SSDEEP

      384:oybnj2M7f7i/ww+/frgeI0/GZ0hYkp1KTdmpasWUOS5BEvNWmkZB20qyM9KzXrQT:z6W/GTY9VI3XB

    • Deletes Windows Defender Definitions

      Uses the MpCmdRun.exe utility to delete all AV definitions.

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Runs a command via powershell.exe.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
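The behaviours listed above (definition removal via MpCmdRun.exe, Defender exclusions added through PowerShell, process enumeration with tasklist, and C2 over a tunnel service hostname) are the kind of thing a detection engineer turns into rules. The following is an added example, not part of the sandbox report: it runs a few regex rules over constructed process-creation and network events modelled on the report's findings. The event dicts, PIDs and paths are made up; the only report values used are the C2 hostname and port. The `.ply.gg` suffix is assumed to identify playit.gg tunnel hostnames.

```python
import re

# Constructed process-creation events modelled on the report's behaviour list.
# These are illustrative only, not events captured from the sandbox run.
SAMPLE_EVENTS = [
    {"pid": 4312, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"pid": 4320, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp' "
                r"-ExclusionExtension 'exe' -ExclusionProcess 'runner.exe'"},
    {"pid": 4388, "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /FO CSV"},
    # Benign look-alikes that must not fire: a signature update and a read-only preference query.
    {"pid": 1200, "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": "MpCmdRun.exe -SignatureUpdate"},
    {"pid": 1204, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-MpPreference"},
]

# Constructed network events; the hostname and port are the C2 values from the extracted config.
SAMPLE_CONNECTIONS = [
    {"pid": 4300, "host": "visit-dose.gl.at.ply.gg", "port": 64494},
    {"pid": 1300, "host": "www.microsoft.com", "port": 443},
]

# Command-line rules. Each matches on the tampering verb, not just the tool name, so a
# legitimate "MpCmdRun.exe -SignatureUpdate" or "Get-MpPreference" does not alert.
RULES = {
    "defender_definitions_removed": re.compile(
        r"mpcmdrun(?:\.exe)?\b.*?-removedefinitions\b", re.I),
    "defender_exclusion_added": re.compile(
        r"\b(?:add|set)-mppreference\b.*?-exclusion(?:path|extension|process)\b", re.I),
    "process_enumeration_tasklist": re.compile(
        r"(?<![\w.])tasklist(?:\.exe)?\b", re.I),
}

# Assumption: *.ply.gg hostnames are playit.gg tunnel endpoints, i.e. a legitimate
# relay service abused for C2 as the report notes. Extend with other relay domains as needed.
TUNNEL_SUFFIXES = (".ply.gg",)


def detect_process_events(events):
    """Return one finding dict per (event, rule) pair whose command line matches."""
    findings = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                findings.append({"rule": name, "pid": ev["pid"], "cmdline": ev["cmdline"]})
    return findings


def detect_tunnel_c2(connections):
    """Return connections whose destination hostname belongs to a known tunnel service."""
    return [c for c in connections if c["host"].lower().endswith(TUNNEL_SUFFIXES)]


if __name__ == "__main__":
    for f in detect_process_events(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} cmdline={f['cmdline']}")
    for c in detect_tunnel_c2(SAMPLE_CONNECTIONS):
        print(f"[tunnel_service_c2] pid={c['pid']} {c['host']}:{c['port']}")
```

The rules key on the tampering arguments (`-RemoveDefinitions`, `-Exclusion*`) rather than the binary names alone, which is what keeps routine Defender maintenance out of the alert stream; the tunnel rule is a coarse hostname-suffix check and should be paired with the port and mutex from the config when hunting for this specific sample.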

MITRE ATT&CK Enterprise v15