Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    cvghfy.exe

  • Size

    246KB

  • Sample

    241120-j99nvstqcy

  • MD5

    81803959df039efd73a59e513065ea5c

  • SHA1

    22328ae1cbf3c7e21b374bfcff7938d3f11f6459

  • SHA256

    46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1

  • SHA512

    a01ab581c35a38631e8074d3c6f4412397874b80684374bc5db426de908d84fac98dfd0bfba1c1db5bb8c559fc88f6fac1918ad06b79050b4b5704b973bf53b3

  • SSDEEP

    6144:CnDuwnNVmnw99r8ehzRij+NNirOyZ13QzGI71wI:CnDpnewrrlNIuN54lQzGI71N

Malware Config

Extracted

Family

xenorat

C2

87.120.116.115

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    60000

  • install_path

    temp

  • port

    1391

  • startup_name

    nothingset

Targets

    • Target

      cvghfy.exe

    • Size

      246KB

    • MD5

      81803959df039efd73a59e513065ea5c

    • SHA1

      22328ae1cbf3c7e21b374bfcff7938d3f11f6459

    • SHA256

      46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1

    • SHA512

      a01ab581c35a38631e8074d3c6f4412397874b80684374bc5db426de908d84fac98dfd0bfba1c1db5bb8c559fc88f6fac1918ad06b79050b4b5704b973bf53b3

    • SSDEEP

      6144:CnDuwnNVmnw99r8ehzRij+NNirOyZ13QzGI71wI:CnDpnewrrlNIuN54lQzGI71N

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.