Win32/XeyoRat [Threat Name]
Win32/XeyoRat.A [Threat Variant Name]
Category | trojan
Size | 102912 B
Detection created | Feb 05, 2018
Detection database version | 16855
Aliases | Trojan.Win32.Zapchast.ajuz (Kaspersky)
 | Trojan.Dragonrat (Symantec)
 | Trojan.PWS.Spy.20796 (Dr.Web)
 | Trojan:Win32/Tiggre!rfn (Microsoft)
Short description
Win32/XeyoRat.A is a trojan that tries to download other malware from the Internet.
Installation
The trojan does not create any copies of itself.
The trojan creates the following file:
- %temp%\a.bat
The trojan writes the following entries to the file:
- dir C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\>> %appdata%\Microsoft\Network\ixeo584.bin
- dir /s %programfiles% >> %appdata%\Microsoft\Network\ixeo584.bin
- systeminfo >> %appdata%\Microsoft\Network\ixeo584.bin
- tasklist >> %appdata%\Microsoft\Network\ixeo584.bin
- tasklist /M >> %appdata%\Microsoft\Network\ixeo584.bin
- del %temp%\a.bat
The file is then executed.
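The dropped batch file listed above chains several host-enumeration commands into a single collector file and then deletes itself. The following added example (not ESET's code and not the malware's) implements a detection heuristic for exactly that pattern, run over a constructed copy of the listed commands and a constructed benign script; the function name, the benign sample and the three-command threshold are assumptions.

```python
import re

# Constructed sample of the dropped batch file described above (not a capture).
SAMPLE_BAT = r"""dir C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\>> %appdata%\Microsoft\Network\ixeo584.bin
dir /s %programfiles% >> %appdata%\Microsoft\Network\ixeo584.bin
systeminfo >> %appdata%\Microsoft\Network\ixeo584.bin
tasklist >> %appdata%\Microsoft\Network\ixeo584.bin
tasklist /M >> %appdata%\Microsoft\Network\ixeo584.bin
del %temp%\a.bat
"""
# Constructed benign script for comparison: one log file, no recon, no self-delete.
BENIGN_BAT = r"""echo backup started >> %temp%\backup.log
xcopy /s C:\data D:\backup >> %temp%\backup.log
"""

# Host-enumeration commands the trojan chains into a single output file.
RECON_CMDS = {"dir", "systeminfo", "tasklist"}
# "<command> [args]>> <target>"; the first sample line glues ">>" to the path.
REDIRECT_RE = re.compile(r"^(\S+)(.*?)>>\s*(\S+)$")


def analyze_batch(text):
    """Summarize recon-to-collector behaviour in batch text.

    The verdict requires at least three distinct recon commands appending to
    one output file plus a line that deletes a .bat file (self-removal).
    """
    per_target = {}  # output path -> set of recon commands written to it
    self_delete = False
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("del ") and low.endswith(".bat"):
            self_delete = True
            continue
        m = REDIRECT_RE.match(line)
        if m and m.group(1).lower() in RECON_CMDS:
            per_target.setdefault(m.group(3).lower(), set()).add(m.group(1).lower())
    if per_target:
        collector, cmds = max(per_target.items(), key=lambda kv: len(kv[1]))
    else:
        collector, cmds = None, set()
    return {
        "collector": collector,
        "commands": sorted(cmds),
        "self_delete": self_delete,
        "suspicious": len(cmds) >= 3 and self_delete,
    }
```

The same heuristic can be applied to command lines recorded by process-creation logging, since each batch line runs as a separate cmd.exe child.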
Information stealing
Win32/XeyoRat.A is a trojan that steals sensitive information.
The following information is collected:
- operating system version
- CPU information
- amount of operating memory
- installed Microsoft Windows patches
- network adapter information
- list of recently opened/executed files
- list of files/folders on a specific drive
- list of running processes
- list of running services
The collected information is stored in the following file:
- %appdata%\Microsoft\Network\ixeo584.bin
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan contains a URL.
It tries to download a file from that URL over HTTP.
The file is stored in the following location:
- %appdata%\Microsoft\Network\netState.dll
The file is then executed.