Extracted

• • Target

    runner.exe

  • Size

    22KB

  • MD5

    c533e3ad230b1c417521ed6111b69b3c

  • SHA1

    160dc70868284b689f80c0dead9d14e3e84a61e9

  • SHA256

    1822da18bcafb93dc416122a3e4c9d61098c6fd9fc1e3474a971c4044f48caae

  • SHA512

    8957c47380cec1f9eaa816c19d3d305d13f76f76e8f0357bc92d4b3e31b9a3dd36edf1281f61f30a1992ec1fbc41d083faf2c1777abf7921e8e4e4fca3778bf6

  • SSDEEP

    384:2i/Luk7Hzq/bYmPPbQuYEPGJERoUplajWuSwSsOsGKAJ8HFeuMx5+0qCMtKj8Tb3:07KuULcbNI3Xj

  Score

  10^/10

  xenoratdefense_evasiondiscoveryexecutionrattrojanupx

  • Deletes Windows Defender Definitions

    Uses mpcmdrun utility to delete all AV definitions.

    defense_evasion

  • Detect XenoRat Payload

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat

  • Xenorat family

    xenorat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2