General

  • Target

    python.exe

  • Size

    45KB

  • Sample

    241117-x6kr8awmay

  • MD5

    df1f1e473daca7aeab35952a9c8b3e0e

  • SHA1

    89ef8d815e328bd1038c92d03de549915d52ee95

  • SHA256

    57173c561934b97d74b3cdb977f625e6425022df70218eecd7c8acde71c79690

  • SHA512

    4a631e7eb7d1af9a60e3c5c79b61b33a56ab517871fb2396737628718a3c8cb22e0a039f63fdcc242644d5a8af64a8b38f3a6557b0659b2cafaf4d5990a7565b

  • SSDEEP

    768:FdhO/poiiUcjlJInnSH9Xqk5nWEZ5SbTDa/uI7CPW51Zvn:bw+jjgnSH9XqcnW85SbTKuItZvn

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

pythons

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    nothingset

Targets

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • XenoRat family

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL
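
The extracted config points the C2 at 127.0.0.1:4444, so this particular build gives no remote network indicator worth blocking at the perimeter; what carries over to a host hunt is the install location (install_path "appdata") and the interpreter-lookalike name python.exe. The Python check below is an added example, not part of the tria.ge report or of the XenoRat project: it runs that logic over constructed netstat and process-list snapshots. Two assumptions are made and marked in the code: that install_path "appdata" resolves to %APPDATA% (the Roaming folder), and that the process list is available as simple "PID,ExecutablePath" rows.

```python
"""Triage helper for the extracted XenoRat config shown on this page.

Added example, not code from tria.ge or from the XenoRat project. Indicator
values are taken from the report (C2 127.0.0.1, port 4444, install_path
"appdata", target python.exe). Assumptions are marked below.
"""
from __future__ import annotations

from dataclasses import dataclass

C2_HOST = "127.0.0.1"          # from the extracted config
C2_PORT = 4444                 # from the extracted config
TARGET_NAME = "python.exe"     # the sample masquerades as the Python interpreter
# Assumption: install_path "appdata" resolves to %APPDATA% (...\AppData\Roaming).
INSTALL_DIR_MARKER = "\\appdata\\roaming\\"


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def parse_netstat(text: str) -> list[Conn]:
    """Parse 'netstat -ano' style output (TCP rows carry a state, UDP rows do not)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # header or malformed row
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def endpoint(addr: str) -> tuple[str, int | None]:
    """Split 'host:port' (IPv6 hosts are bracketed); a '*' port becomes None."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def parse_processes(text: str) -> dict[int, str]:
    """Parse constructed 'PID,ExecutablePath' rows (assumed export format)."""
    procs = {}
    for line in text.splitlines():
        pid, sep, path = line.strip().partition(",")
        if sep and pid.isdigit():
            procs[int(pid)] = path
    return procs


def find_suspects(netstat_text: str, proc_text: str) -> list[dict]:
    """Return processes matching the config: C2 connection and/or python.exe in %APPDATA%."""
    procs = parse_processes(proc_text)
    reasons: dict[int, list[str]] = {}
    for c in parse_netstat(netstat_text):
        host, port = endpoint(c.remote)
        if host == C2_HOST and port == C2_PORT:
            reasons.setdefault(c.pid, []).append(
                f"{c.proto} connection to configured C2 {host}:{port} {c.state}".strip())
    for pid, path in procs.items():
        low = path.lower()
        # A python.exe under the Roaming folder is not where any installer puts it.
        if low.endswith("\\" + TARGET_NAME) and INSTALL_DIR_MARKER in low:
            reasons.setdefault(pid, []).append(
                "python.exe running from the configured install_path (%APPDATA%)")
    return [{"pid": pid, "path": procs.get(pid, "<unknown>"), "reasons": r}
            for pid, r in sorted(reasons.items())]


# Constructed sample input (one host snapshot); not taken from the report.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49712        127.0.0.1:4444         ESTABLISHED     5120
  TCP    192.168.1.20:50233     142.250.74.36:443      ESTABLISHED     3344
  UDP    0.0.0.0:5353           *:*                                    4100
"""
SAMPLE_PROCS = """\
912,C:\\Windows\\System32\\svchost.exe
3344,C:\\Program Files\\Mozilla Firefox\\firefox.exe
4100,C:\\Users\\victim\\AppData\\Local\\Programs\\Python\\Python312\\python.exe
5120,C:\\Users\\victim\\AppData\\Roaming\\python.exe
"""

if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_NETSTAT, SAMPLE_PROCS):
        print(hit["pid"], hit["path"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The mutex name (pythons) is not visible in either snapshot; confirming it needs a handle listing from the live host. The sample process list deliberately contains a legitimate per-user Python install under AppData\Local\Programs\Python, which must not fire; that is why the path test looks specifically for the Roaming directory rather than any path containing AppData.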

MITRE ATT&CK Enterprise v15

Tasks