xenarmor | 3df1fb8d7c9c69488443598445e74ad315ad54b026d593d5ec2dec90a0091f17 | Triage

Submit
Reports

Overview

overview

Static

static

3

spot_bin.exe

windows10-2004-x64

Sharing

General

Target

spot_bin.exe
Size

55KB
Sample

231020-s2jl5sed78
MD5

3921d9ae4d5f8c743db4370651cd6d90
SHA1

59afda91a16a5ef66b078a34ccd95b65d2d82d38
SHA256

3df1fb8d7c9c69488443598445e74ad315ad54b026d593d5ec2dec90a0091f17
SHA512

3bd2dd5fcfc36179151934fb36edb05d725665eb60d4f933184509b00468097001c1db7fde0ef9bfbc2dca1eeb21f1b3fbb6636489097ce7dca71f3650d83cc1
SSDEEP

1536:R+k8NqjELGv5+mvcFnj/bOWG7686ab2OMSO:TNSFj/bOWFDOMr

Score

10^/10

xenarmor collection password recovery spyware stealer upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

spot_bin.exe

Resource

win10v2004-20230915-en

xenarmor collection password recovery spyware stealer upx

windows10-2004-x64

19 signatures

1800 seconds

Malware Config

Targets

- Target
  
  spot_bin.exe
- Size
  
  55KB
- MD5
  
  3921d9ae4d5f8c743db4370651cd6d90
- SHA1
  
  59afda91a16a5ef66b078a34ccd95b65d2d82d38
- SHA256
  
  3df1fb8d7c9c69488443598445e74ad315ad54b026d593d5ec2dec90a0091f17
- SHA512
  
  3bd2dd5fcfc36179151934fb36edb05d725665eb60d4f933184509b00468097001c1db7fde0ef9bfbc2dca1eeb21f1b3fbb6636489097ce7dca71f3650d83cc1
- SSDEEP
  
  1536:R+k8NqjELGv5+mvcFnj/bOWG7686ab2OMSO:TNSFj/bOWFDOMr
Score

10^/10

xenarmor collection password recovery spyware stealer upx
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- XenArmor Suite
  XenArmor is as suite of password recovery tools for various application.
  recovery password xenarmor
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenarmorcollectionpasswordrecoveryspywarestealerupx

© 2018-2025

Terms | Privacy