Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

xeno cheat.exe

windows7-x64

10

xeno cheat.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    08/02/2025, 03:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xeno cheat.exe

  • Size

    45KB

  • MD5

    724a1a11d4fe58feafde5ea5d5cb0ee7

  • SHA1

    4c6a67d87338ff6060ad83d84e78c4e4e4ed044d

  • SHA256

    4b464a4f2349980f053288514e7e25b20319cf7655576f702def8bbf1a6e49af

  • SHA512

    0b486edf69b4715a92eb887086a9161fb98ab06c5aabd7a33fa4bc42077f70d5ce7e1cc8f38ee8de734541309fbf1c5d15204566b62e6279fa9b7ed7b41a82fd

  • SSDEEP

    768:+dhO/poiiUcjlJInUkiH9Xqk5nWEZ5SbTDamWI7CPW5X:Iw+jjgngH9XqcnW85SbTfWIf

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

xeno_cheat

Attributes
  • delay

    5000

  • install_path

    nothingset

  • port

    4444

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xeno cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\xeno cheat.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2500

Network

    No results found
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
  • 127.0.0.1:4444
    xeno cheat.exe
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp
    Filesize

    1KB

    MD5

    2b0036a4e98783edb6ce787ea303230b

    SHA1

    d15cbbe5d8fa46fe81826fd29baf1359d3f5bf99

    SHA256

    d5c94ef52af094f435620583487e70461ef6c41c45bf7b42287f4a93e246bb3f

    SHA512

    b0f5dc630e335b5aff0fd0d81273cc1585fdccdee4faf7fb509ca67ab4229845f5eaf0797861d031bbdb3041b869e78d7b593544091309c49b25f17ace575560

    Download Submit

  • memory/2568-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2568-1-0x00000000003B0000-0x00000000003C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2568-4-0x00000000749F0000-0x00000000750DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2568-5-0x00000000749F0000-0x00000000750DE000-memory.dmp

    Filesize

    6.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.