General

  • Target

    Xylex-Executor.zip

  • Size

    6.8MB

  • Sample

    240527-e5q9hahc29

  • MD5

    144315c7723748eebe6a90023d9ffb2f

  • SHA1

    18734814e96c4d48056ac515b5b242d226ad3dfd

  • SHA256

    07be971329ef709cbf33bb03c6d98ddce6acea116877469f883af72706ac18d3

  • SHA512

    02e5bea27c85b025b4e3069b5e64d98c262b8dfb3944132c638ce29a5619b6a4295562a820ebecb6069e0070c8825d54d29be80b918f5a6e9358a31753f6fd0a

  • SSDEEP

    196608:J0xm3QMMDXgZ79KJtEboNs7LXKgwf1Aui:xSUZ78TEUNs7LXDw9Aui

Malware Config

Targets

    • Target

      Executor/Xylex-ExecutorV2.exe

    • Size

      6.9MB

    • MD5

      20d8ae67143710a585884b9fe368a5d7

    • SHA1

      c8cef7f07490294bffad57630165cec7229232ed

    • SHA256

      09d433977110c5115cde8f3236dd9717d0e5d923cbd5f3041d6a45afabd47bb2

    • SHA512

      24ab172bb32e12ce2106e7d7bd060acc533ef54cf4fbab84c26d3cb333ac2d78a60dd7d0fc01d88fa7ec5bfea92f7896e60b6ba097872e3fea7f77cc611f1a92

    • SSDEEP

      196608:drtP0QKeNTfm/pf+xk4dWRGtrbWOjgWy6:jFy/pWu4kRGtrbvMWy6

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the dropped payload is not scanned.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile contents.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to discover the infected system's external IP address.
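
The PowerShell signature above fires on Add-MpPreference or Set-MpPreference calls that add Defender exclusions. The following is an added example, not code from this report or from the sample, showing how that behaviour can be detected in process command lines or PowerShell script-block text, including the case where the cmdlet is hidden behind -EncodedCommand. The log lines are constructed; the paths and the process name in them are assumptions chosen to resemble what the sandbox observed.

```python
"""Detect PowerShell command lines that add Windows Defender exclusions.

Added example: scans process command lines (or script-block log text) for
Add-MpPreference / Set-MpPreference calls that set -ExclusionPath,
-ExclusionExtension or -ExclusionProcess, decoding -EncodedCommand first.
"""
import base64
import re
from dataclasses import dataclass

# Only Add-/Set-MpPreference change preferences; Get-MpPreference is read-only.
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# Full parameter names; values may be bare, quoted, or comma-separated lists.
EXCLUSION_RE = re.compile(
    r"-(ExclusionPath|ExclusionExtension|ExclusionProcess)\s+"
    r"(\"[^\"]*\"|'[^']*'|[^\s;|\"']+)",
    re.IGNORECASE,
)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    cmdlet: str
    exclusions: list  # (parameter, value) pairs, parameter lower-cased


def decode_encoded_command(cmdline: str) -> str:
    """Replace a -EncodedCommand payload with its decoded text (base64 of UTF-16LE)."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a valid payload; leave the line untouched
    return cmdline[: m.start()] + decoded + cmdline[m.end():]


def scan(lines):
    """Return a Finding for every line that adds at least one Defender exclusion."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        cmd = decode_encoded_command(raw)
        cmdlet = CMDLET_RE.search(cmd)
        if not cmdlet:
            continue
        exclusions = []
        for param, value in EXCLUSION_RE.findall(cmd):
            for item in value.strip("\"'").split(","):
                if item:
                    exclusions.append((param.lower(), item))
        if exclusions:
            findings.append(Finding(line_no, cmdlet.group(0), exclusions))
    return findings


# Constructed sample command lines (not from the report); the paths and the
# process name are assumptions chosen to resemble the sandbox's observations.
SAMPLE_LINES = [
    'powershell.exe -NoProfile -Command "Get-Process | Select-Object Name"',
    'powershell.exe -Command "Add-MpPreference -ExclusionPath \'C:\\Users\\Public\\Executor\' '
    '-ExclusionExtension exe,dll -ExclusionProcess Xylex-ExecutorV2.exe"',
    "powershell.exe -w hidden -enc "
    + base64.b64encode(
        'Set-MpPreference -ExclusionPath "C:\\Windows\\System32\\drivers"'.encode("utf-16-le")
    ).decode("ascii"),
    'powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.cmdlet} -> {f.exclusions}")
```

The read-only Get-MpPreference line and the unrelated command are ignored, while the plain and the base64-encoded exclusion commands both produce a finding with the parameter and each individual value, which is what a detection rule or a SIEM alert would key on.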
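
The UPX signature above is a static check on the PE section table. As an added example, not code from this report, the following parses a PE's section headers and flags the UPX section names, plus the layout UPX produces (an empty first section followed by a high-entropy one) that survives when a modified build renames the sections. The PE images it inspects are constructed by build_test_pe for the example; the 7.0-bit entropy threshold is an assumption.

```python
"""Flag PE files whose section table carries the marks of UPX packing.

Added example: a minimal PE section-table parser, a Shannon entropy helper and
a UPX indicator check, exercised on constructed PE images (not real binaries).
"""
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1", b".UPX2"}
HIGH_ENTROPY = 7.0  # assumed threshold in bits per byte for "compressed-looking" data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Yield (name, raw_data) for each section header; raise ValueError on bad headers."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    num_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = blob[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]


def upx_indicators(blob: bytes) -> dict:
    """Return UPX-named sections, high-entropy sections and an overall verdict."""
    secs = list(pe_sections(blob))
    named = [n for n, _ in secs if n in UPX_SECTION_NAMES]
    high = [n for n, d in secs if len(d) >= 256 and shannon_entropy(d) > HIGH_ENTROPY]
    # UPX layout: a virtual-only first section (SizeOfRawData 0) that the stub
    # unpacks into, followed by a section holding the compressed image. A build
    # that renames UPX0/UPX1 keeps this shape, so check it independently of names.
    layout = len(secs) >= 2 and len(secs[0][1]) == 0 and secs[1][0] in high
    return {"upx_sections": named, "high_entropy_sections": high,
            "packed": bool(named) or layout}


def build_test_pe(sections):
    """Construct a minimal PE32 image (a fixture for this example, not a real binary).

    `sections` is a list of (name, raw_bytes); empty raw_bytes gives a
    virtual-only section with SizeOfRawData 0, as UPX0 has in a packed file.
    """
    opt_size = 224  # PE32 optional header size
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 511) // 512 * 512  # first raw data, file-aligned to 512
    headers, body, va = b"", b"", 0x1000
    for name, data in sections:
        headers += name.ljust(8, b"\0")
        headers += struct.pack("<IIII", len(data) or 0x1000, va, len(data),
                               raw_ptr if data else 0)
        headers += b"\0" * 16  # relocation/line-number fields and Characteristics
        body += data
        raw_ptr += len(data)
        va += 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic
    blob = dos + b"PE\0\0" + file_hdr + opt_hdr + headers
    return blob + b"\0" * ((hdr_end + 511) // 512 * 512 - len(blob)) + body


if __name__ == "__main__":
    packed = build_test_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 8),
                            (b".rsrc", b"\0" * 512)])
    print(upx_indicators(packed))
```

Running it on the constructed images shows the named case (UPX0/UPX1 present), the renamed case caught only by the layout heuristic, and a benign layout that is not flagged. On a real file, read the bytes from disk and pass them to upx_indicators; a positive result is a reason to unpack before static analysis, not proof of malice on its own, since UPX is also used by legitimate software.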

MITRE ATT&CK Enterprise v15

Tasks