Win32/XeyoRat [Threat Name]

Win32/XeyoRat.C [Threat Variant Name]

Category trojan
Size 49152 B
Detection created Feb 06, 2018
Detection database version 16860
Aliases Trojan.Win32.Lazar.g (Kaspersky)
  Trojan.DownLoader26.5383 (Dr.Web)
  Trojan:Win32/GoldDragon.A!dha (Microsoft)
Short description

Win32/XeyoRat.C is a trojan which tries to download other malware from the Internet. The trojan collects various sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself.


The trojan is probably a part of other malware.


The trojan reads a file accessed by the "hwp.exe" application.


The file contains an encrypted executable.


The file name may vary depending on the current settings stored in the malware executable.


After decryption the data is saved in the following file:

  • %startup%\viso.exe

This way the trojan ensures that the file is executed on every system start.

Information stealing

The trojan collects various sensitive information.


The following information is collected:

  • operating system version
  • CPU information
  • amount of operating memory
  • installed Microsoft Windows patches
  • network adapter information
  • list of recently opened/executed files
  • list of files/folders on a specific drive
  • Registry entries
  • list of running processes
  • list of running services
  • computer name
  • user name

The collected information is stored in the following file:

  • %appdata%\Microsoft\HNC\1.hwp

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan contains a URL address.


It tries to download a file from the address. The HTTP protocol is used in the communication.


The file is stored in the following location:

  • %appdata%\Microsoft\HNC\hupdate.ex

The file contains an encrypted executable.


The file is then decrypted and executed.


The following file is deleted:

  • %appdata%\Microsoft\HNC\hupdate.ex

The trojan creates copies of the following files (source, destination):

  • %appdata%\Microsoft\Windows\UserProfiles\ixeo000.bin, %appdata%\Microsoft\HNC\1.hwp

The trojan executes the following commands:

  • cmd.exe /c dir %desktop% >> %appdata%\Microsoft\HNC\1.hwp
  • cmd.exe /c dir %appdata%\Microsoft\Windows\Recent\>> %appdata%\Microsoft\HNC\1.hwp
  • cmd.exe /c dir %programfiles% >> %appdata%\Microsoft\HNC\1.hwp
  • cmd.exe /c systeminfo >> %appdata%\Microsoft\HNC\1.hwp
  • cmd.exe /c tasklist >> %appdata%\Microsoft\HNC\1.hwp

The trojan terminates processes with any of the following strings in the name:

  • v3
  • cleaner
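As an added hunting example (not part of the ESET description above), the following Python script checks Sysmon-style process-creation and file-creation events for the host indicators listed in the Installation, Information stealing and Other information sections: the reconnaissance commands appended into %appdata%\Microsoft\HNC\1.hwp, the dropped and staged files, and a parent process of viso.exe in the Startup folder. The event layout is a simplified stand-in for Sysmon event IDs 1 and 11, the sample events are constructed, and the on-disk path assumed for ESET's %startup% placeholder is the per-user Start Menu\Programs\Startup folder.

```python
"""Hunt for Win32/XeyoRat.C host indicators in Sysmon-style events.

Added example, not from the ESET page. Indicator strings come from the
description above; the event layout (dicts with EventID, Image,
ParentImage, CommandLine, TargetFilename) is a simplified stand-in for
Sysmon event ID 1 (process create) and ID 11 (file create).
"""
import re
from typing import Dict, Iterable, List

# Assumption: ESET's %startup% placeholder is the per-user Startup folder
# under %appdata%. Paths are compared lower-cased and by suffix so the
# user-specific prefix does not matter.
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"

FILE_INDICATORS = {
    r"\microsoft\hnc\1.hwp": "staging file for collected data",
    r"\microsoft\hnc\hupdate.ex": "downloaded encrypted payload",
    r"\microsoft\windows\userprofiles\ixeo000.bin": "staged copy of collected data",
    STARTUP_DIR + r"\viso.exe": "decrypted payload placed for persistence",
}

# The reconnaissance commands: cmd.exe /c {dir|systeminfo|tasklist} ...
# appended with >> into ...\Microsoft\HNC\1.hwp. No whitespace is required
# before >> because the "Recent\>>" variant listed on the page has none.
RECON_CMD = re.compile(
    r"cmd\.exe\s+/c\s+(?:dir|systeminfo|tasklist)\b.*>>.*\\microsoft\\hnc\\1\.hwp",
    re.IGNORECASE,
)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so suffix matching is case-insensitive."""
    return path.replace("/", "\\").lower()


def hunt(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one finding per matched indicator, tagged with the event index."""
    findings: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:  # process creation: check the command line and the parent
            cmd = str(ev.get("CommandLine", ""))
            if RECON_CMD.search(cmd):
                findings.append({"event": idx, "rule": "xeyorat_recon_cmd",
                                 "detail": cmd})
            parent = _norm(str(ev.get("ParentImage", "")))
            if parent.endswith(STARTUP_DIR + r"\viso.exe"):
                findings.append({"event": idx, "rule": "xeyorat_startup_parent",
                                 "detail": parent})
        elif eid == 11:  # file creation: check the written path
            target = _norm(str(ev.get("TargetFilename", "")))
            for suffix, what in FILE_INDICATORS.items():
                if target.endswith(suffix):
                    findings.append({"event": idx, "rule": "xeyorat_file",
                                     "detail": f"{what}: {target}"})
    return findings


# Constructed sample telemetry: four events that should fire, two that should not.
_VISO = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viso.exe"
_HNC = r"C:\Users\alice\AppData\Roaming\Microsoft\HNC"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": _VISO,
     "CommandLine": rf"cmd.exe /c systeminfo >> {_HNC}\1.hwp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": _VISO,
     "CommandLine": rf"cmd.exe /c dir C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\>> {_HNC}\1.hwp"},
    {"EventID": 11, "Image": _VISO, "TargetFilename": rf"{_HNC}\hupdate.ex"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\build >> C:\build\listing.txt"},
    {"EventID": 11, "Image": r"C:\Apps\hwp.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.hwp"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\dropper.exe", "TargetFilename": _VISO},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} -> {f['detail']}")
```

Suffix matching on the lower-cased path is deliberate: the ESET placeholders (%appdata%, %startup%) expand to a per-user prefix, so matching the tail of the path keeps the rule portable across hosts without hard-coding a user name. The benign `dir ... >> listing.txt` and the ordinary .hwp document write are included to show that the redirection target, not `cmd.exe /c dir` alone, is what makes the command suspicious.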
