General

  • Target

    cvghfy.exe

  • Size

    246KB

  • Sample

    241120-j1593symdr

  • MD5

    81803959df039efd73a59e513065ea5c

  • SHA1

    22328ae1cbf3c7e21b374bfcff7938d3f11f6459

  • SHA256

    46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1

  • SHA512

    a01ab581c35a38631e8074d3c6f4412397874b80684374bc5db426de908d84fac98dfd0bfba1c1db5bb8c559fc88f6fac1918ad06b79050b4b5704b973bf53b3

  • SSDEEP

    6144:CnDuwnNVmnw99r8ehzRij+NNirOyZ13QzGI71wI:CnDpnewrrlNIuN54lQzGI71N

Malware Config

Extracted

Family

xenorat

C2

87.120.116.115

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    60000

  • install_path

    temp

  • port

    1391

  • startup_name

    nothingset
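The extracted configuration above is directly usable as a hunting set: the mutex name, the C2 address and port, the sample hashes and the Temp install location are each observable in endpoint telemetry. As an added example (not part of the Triage report or of the XenoRAT project), the following Python turns those values into matchers and runs them over a few constructed EDR-style events. The `key=value` event format, the process IDs and the reading of `install_path` `temp` as the user's %TEMP% directory are assumptions made for the example; the indicator values themselves are copied from the report.

```python
"""Match the XenoRAT indicators from the report against endpoint telemetry.

Added example, not code from the Triage report or the XenoRAT project.
The event lines are constructed; the indicator values come from the report.
"""
import re
from dataclasses import dataclass

# Indicators copied from the report's "Malware Config" and "General" sections.
XENORAT_CONFIG = {
    "c2": "87.120.116.115",
    "port": 1391,
    "mutex": "Xeno_rat_nd8912d",
    "delay_ms": 60000,
    "install_path": "temp",
}
SAMPLE_HASHES = {
    "md5": "81803959df039efd73a59e513065ea5c",
    "sha1": "22328ae1cbf3c7e21b374bfcff7938d3f11f6459",
    "sha256": "46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1",
}

# Constructed telemetry (hypothetical EDR export, one key=value event per line).
# pid 4120 is the sample; pid 1204 is benign background traffic.
SAMPLE_EVENTS = """\
type=process_create pid=4120 image=C:\\Users\\victim\\AppData\\Local\\Temp\\cvghfy.exe sha256=46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1
type=mutex_create pid=4120 name=Xeno_rat_nd8912d
type=network_connect pid=4120 dst=87.120.116.115 dport=1391
type=network_connect pid=1204 dst=93.184.216.34 dport=443
type=process_create pid=1204 image=C:\\Windows\\System32\\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000
"""


@dataclass
class Match:
    line_no: int
    indicator: str
    event: dict


def parse_event(line: str) -> dict:
    """Split one constructed event line into a dict (values carry no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def match_events(events_text: str, config=XENORAT_CONFIG, hashes=SAMPLE_HASHES) -> list:
    """Return every event that hits one of the report's indicators."""
    matches = []
    for n, line in enumerate(events_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "mutex_create" and ev.get("name") == config["mutex"]:
            matches.append(Match(n, "mutex", ev))
        if (kind == "network_connect" and ev.get("dst") == config["c2"]
                and ev.get("dport") == str(config["port"])):
            matches.append(Match(n, "c2", ev))
        if kind == "process_create":
            if ev.get("sha256", "").lower() in hashes.values():
                matches.append(Match(n, "hash", ev))
            # Assumption: install_path "temp" means the user's %TEMP% directory,
            # so an image launched from a ...\Temp\ path is a weak supporting hit.
            if config["install_path"] == "temp" and re.search(r"\\temp\\", ev.get("image", ""), re.I):
                matches.append(Match(n, "install_path", ev))
    return matches


def correlate_by_pid(matches: list) -> dict:
    """Group indicator hits by pid; several distinct hits on one pid is high confidence."""
    by_pid = {}
    for m in matches:
        pid = m.event.get("pid")
        if pid:
            by_pid.setdefault(pid, set()).add(m.indicator)
    return by_pid


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for m in hits:
        print(f"line {m.line_no}: {m.indicator} -> {m.event}")
    for pid, kinds in correlate_by_pid(hits).items():
        print(f"pid {pid}: {sorted(kinds)}")
```

The path match on its own is noise (plenty of legitimate installers run from %TEMP%), which is why the correlation step matters: a single pid that creates the `Xeno_rat_nd8912d` mutex and then connects to 87.120.116.115:1391 is conclusive even if the binary on disk has been rebuilt and no longer matches the report's hashes.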

Targets

    • Target

      cvghfy.exe

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
