Win32/XeyoRat [Threat Name] go to Threat

Win32/XeyoRat.B [Threat Variant Name]

Category trojan
Size 89088 B
Aliases Trojan-GameThief.Win32.Magania.ujlf (Kaspersky)
  Trojan.MulDrop7.55265 (Dr.Web)
  Trojan:Win32/Redosdru.C (Microsoft)
Short description

Win32/XeyoRat.B serves as a backdoor. It can be controlled remotely.


The trojan is probably a part of other malware.

When executed, the trojan copies itself into the following location:

  • %appdata%\­Microsoft\­SystemRat.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SysRat" = "rundll32.exe "%appdata%\­Microsoft\­SystemRat.dll" RunningRat"
Information stealing

Win32/XeyoRat.B is a trojan that steals sensitive information.

The following information is collected:

  • operating system version
  • CPU information
  • amount of operating memory
  • list of running processes
  • list of running services
  • list of disk devices and their type
  • malware version
  • data from the clipboard

The trojan is able to log keystrokes.

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) IP addresses. The TCP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • various Registry operations
  • various file system operations
  • start/stop services
  • open a specific URL address
  • execute shell commands
  • capture webcam picture
  • capture screenshots
  • shut down/restart the computer
  • turn the display off
  • block keyboard and mouse input
  • simulate user's input (clicks, taps)
  • set clipboard data
  • upload files to a remote computer
  • show/hide application windows
  • send gathered information

The trojan creates the following file:

  • %temp%\­dx.bat

The trojan writes the following entries to the file:

  • taskkill /f /im daumcleaner.exe
  • del %temp%\­dx.bat

The file is then executed.

The trojan keeps various information in the following files:

  • %system%\­syslog.dat

Please enable Javascript to ensure correct displaying of this content and refresh this page.