Extracted

• • Target

    XyIex-Executor.bat

  • Size

    244B

  • MD5

    ac122c56306baae12bc1dbc69455249a

  • SHA1

    8f7be0cb0c88260843111257c349f5e2a0fa5b1a

  • SHA256

    702d2a9930bf8d16752c3dbe1d5b5382c592c13e85e54fe0cd59df2ad4f764db

  • SHA512

    a66df3c5a8c21561dad7ffba4eecc132fce6388797dabdd63eaa6d077d8ebf0298a0220331b0a8f28208a80f1b4cf3ec1ce74a76cf61b428bf03f2d2e637951b

  Score

  10^/10

  executionpersistencespywarestealer

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection.

  behavioral1behavioral2