General
Target: Xylex-V2.zip
Size: 6.8MB
Sample: 240529-akbwvsac8v
MD5: eddca779a512f848fbbe6dfbb26b1fb6
SHA1: 8b630c5f8e9b911539fd01428ccd557cc8fb4c29
SHA256: 7e004db087cc499ec8c25dc422298a36058329d7387b953a54a2d05bf7dd71e5
SHA512: a805d1336cc576cf8d179c3fb0924739c7368d131a145b49fa5d0edf71087a40cb79ee7cd573f62e562747f5fe0a02be13fba9213e398d001becf775c37b4c54
SSDEEP: 196608:xomwJN3mX5F+5xbOdMsTQRQJHlkS8GNcWo:xsvyu5xiGsERQJHlT/cWo

Targets
Target: Executor/Xylex-Executor.exe
Size: 6.9MB
MD5: 0054c026e2ac7bca40da4faa7a8e8895
SHA1: f3171adcade9c6d3dea81875752ae10d0e0aee77
SHA256: 2c7916ef7a2a481c62de0796aadb412e5168fe2a361afedc501df3673e8a4e58
SHA512: 53881f492ebb0d4b8e0c3d37a90e6f7c8a58e6ea7df0f911a25523943b9ea90b327d05b84a397eb3497fc7698783ce46265bbb0336029ecc8994ffc8cbb370d8
SSDEEP: 196608:frdo0GreNTfm/pf+xk4dWRGtrbWOjgWy/:CQy/pWu4kRGtrbvMWy/

- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.