An Excel file discovered that purports to be a tax calculator from the Indian “Income Tax Department” but installs an xRAT Trojan. Once the Excel file is opened, if macros are enabled, base64-encoded data is downloaded, which will ultimately become an executable file that in turn downloads xRAT and other files. Once active, xRAT commences encrypted communications with its C&C server using TCP port 63989. The Portmap service is utilized to hide the actual C&C server address.
Malware Hash (MD5/SHA1/SH256)