Win32/XeyoRat [Threat Name]

Win32/XeyoRat.A [Threat Variant Name]

Category trojan
Size 102912 B
Detection created Feb 05, 2018
Detection database version 16855
Aliases Trojan.Win32.Zapchast.ajuz (Kaspersky)
  Trojan.Dragonrat (Symantec)
  Trojan.PWS.Spy.20796 (Dr.Web)
  Trojan:Win32/Tiggre!rfn (Microsoft)
Short description

Win32/XeyoRat.A is a trojan which tries to download other malware from the Internet.


The trojan does not create any copies of itself.

The trojan creates the following file:

  • %temp%\a.bat

The trojan writes the following entries to the file:

  • dir C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\>> %appdata%\Microsoft\Network\ixeo584.bin
  • dir /s %programfiles% >> %appdata%\Microsoft\Network\ixeo584.bin
  • systeminfo >> %appdata%\Microsoft\Network\ixeo584.bin
  • tasklist >> %appdata%\Microsoft\Network\ixeo584.bin
  • tasklist /M >> %appdata%\Microsoft\Network\ixeo584.bin
  • del %temp%\a.bat

The file is then executed.

Information stealing

Win32/XeyoRat.A is a trojan that steals sensitive information.

The following information is collected:

  • operating system version
  • CPU information
  • amount of operating memory
  • installed Microsoft Windows patches
  • network adapter information
  • list of recently opened/executed files
  • list of files/folders on a specific drive
  • list of running processes
  • list of running services

The collected information is stored in the following file:

  • %appdata%\Microsoft\Network\ixeo584.bin

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan contains a URL address.

It tries to download a file from the address. The HTTP protocol is used.

The file is stored in the following location:

  • %appdata%\Microsoft\Network\netState.dll

The file is then executed.
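
A sweep for the file paths listed above over file-creation records, as an added example that is not part of the original description. The (host, path) record shape, the default profile layout, the weights and the threshold are assumptions of this example, and the sample records are constructed.

```python
import re

# File indicators from the description above. Weights are this example's choice:
# the generic name a.bat is weak on its own, the other two names are specific.
INDICATORS = [
    (r"%appdata%\Microsoft\Network\ixeo584.bin", 3, "staged system survey"),
    (r"%appdata%\Microsoft\Network\netState.dll", 3, "downloaded payload"),
    (r"%temp%\a.bat", 1, "batch file with generic name"),
]

# Assumption: default per-user profile layout (Windows Vista and later).
EXPANSIONS = {
    "%appdata%": r"[a-z]:\\users\\[^\\]+\\appdata\\roaming",
    "%temp%": r"[a-z]:\\users\\[^\\]+\\appdata\\local\\temp",
}

def compile_indicator(path):
    """Turn '%var%\\rest' into a regex that matches the expanded, lower-cased path."""
    var, sep, rest = path.partition("\\")
    return re.compile(EXPANSIONS[var.lower()] + re.escape(sep + rest.lower()))

RULES = [(compile_indicator(p), weight, why) for p, weight, why in INDICATORS]

def triage(events, threshold=3):
    """events: iterable of (host, created_file_path) records.
    Returns {host: (score, reasons)} for hosts scoring at or above threshold."""
    hits = {}
    for host, path in events:
        low = path.strip().strip('"').lower()
        for rule, weight, why in RULES:
            if rule.fullmatch(low):
                hits.setdefault(host, {})[why] = weight  # count each reason once
    scored = {h: (sum(r.values()), sorted(r)) for h, r in hits.items()}
    return {h: v for h, v in scored.items() if v[0] >= threshold}

# Constructed sample records; host and user names are made up.
SAMPLE_EVENTS = [
    ("WS-014", r"C:\Users\alice\AppData\Local\Temp\a.bat"),
    ("WS-014", r"C:\Users\alice\AppData\Roaming\Microsoft\Network\ixeo584.bin"),
    ("WS-014", r"C:\USERS\ALICE\APPDATA\ROAMING\MICROSOFT\NETWORK\NETSTATE.DLL"),
    ("WS-022", r"C:\Users\bob\AppData\Local\Temp\a.bat"),      # weak signal only
    ("WS-031", r"C:\Users\carol\Documents\ixeo584.bin.txt"),   # wrong place and name
]

if __name__ == "__main__":
    for host, (score, reasons) in triage(SAMPLE_EVENTS).items():
        print(host, score, reasons)
```

Because a.bat deletes itself as its last step, the batch file is usually visible only in creation events, while ixeo584.bin and netState.dll may also still be on disk.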
