General

  • Target

    xylex.exe

  • Size

    37.6MB

  • Sample

    240603-lsnq6sbg54

  • MD5

    8eacf3f9be7e3735352c4020fc4e05e9

  • SHA1

    0bb6c048d9e683e152de21f7d368a4c151095504

  • SHA256

    4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e

  • SHA512

    2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0

  • SSDEEP

    786432:R3on1HvSzxAMNjFZArYs4nPv0so7OZJJe:RYn1HvSpNjXm4P5u2e

Malware Config

Targets

    • Target

      xylex.exe

    • Size

      37.6MB

    • MD5

      8eacf3f9be7e3735352c4020fc4e05e9

    • SHA1

      0bb6c048d9e683e152de21f7d368a4c151095504

    • SHA256

      4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e

    • SHA512

      2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0

    • SSDEEP

      786432:R3on1HvSzxAMNjFZArYs4nPv0so7OZJJe:RYn1HvSpNjXm4P5u2e

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • An obfuscated cmd.exe command line is typically used to evade detection.
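
The behaviours listed above map onto detection rules that a triage analyst would want to re-run outside the sandbox. The following Python script is an added example and is not part of the sandbox report or of the sample: it encodes each listed behaviour as a rule and runs them over a constructed event trace. The event shapes, paths, the "Updater" value name, the helper.dll name and the IP-lookup host list are assumptions of the example, not observations from this sample. The registry-query rule assumes an API-trace source (a sandbox or EDR with registry read telemetry), because Sysmon only logs registry writes; the "Loads dropped DLL" rule is stateful and only fires for a DLL whose path the trace earlier shows being written.

```python
import re

# Constructed sample trace (illustrative, not taken from the sandbox run).
# Event shapes mimic an API-trace / sandbox log; all paths and names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1000, "image": r"C:\Users\user\Desktop\xylex.exe",
     "cmdline": "xylex.exe"},
    # GetUserGeoID-style country lookup read from the per-user registry
    {"type": "registry_query", "pid": 1000,
     "key": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"},
    # a DLL written by the sample and then loaded (hypothetical helper.dll)
    {"type": "file_write", "pid": 1000,
     "path": r"C:\Users\user\AppData\Local\Temp\helper.dll"},
    {"type": "image_load", "pid": 1000,
     "path": r"C:\Users\user\AppData\Local\Temp\helper.dll"},
    {"type": "file_read", "pid": 1000,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "registry_set", "pid": 1000,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\user\AppData\Roaming\xylex.exe"},
    {"type": "dns", "pid": 1000, "query": "api.ipify.org"},
    # caret-obfuscated cmd.exe line spawning PowerShell
    {"type": "process", "pid": 1001, "parent": 1000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c p^o^w^e^r^s^h^e^l^l -NoProfile -WindowStyle Hidden -Command "Get-Date"'},
    {"type": "process", "pid": 1002, "parent": 1001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -NoProfile -WindowStyle Hidden -Command "Get-Date"'},
    # benign noise that must not fire any rule
    {"type": "file_read", "pid": 1000, "path": r"C:\Windows\System32\kernel32.dll"},
    {"type": "dns", "pid": 1000, "query": "www.microsoft.com"},
]

# Rule patterns. Registry and file paths are matched case-insensitively because
# Windows paths are case-insensitive and sandboxes normalise them inconsistently.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\b", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
BROWSER_DATA = re.compile(
    r"\\(Login Data|Web Data|Cookies|History|logins\.json|key4\.db|cookies\.sqlite)$", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ip-api.com",
                   "checkip.amazonaws.com", "ifconfig.me", "api.myip.com"}
CARET_OBFUSCATION = re.compile(r"(?:\w\^){3,}")                    # p^o^w^e^r...
SUBSTRING_EXPANSION = re.compile(r"%[^%]+:~\s*-?\d+(?:,\s*-?\d+)?%")  # %COMSPEC:~0,3%


def triage(events):
    """Return {signature name: [evidence, ...]} for every rule that fires."""
    hits = {}
    written = set()  # lowercase paths the sample wrote, for the dropped-DLL rule

    def hit(name, evidence):
        hits.setdefault(name, []).append(evidence)

    for ev in events:
        kind = ev["type"]
        if kind == "process":
            basename = ev["image"].lower().rsplit("\\", 1)[-1]
            cmd = ev.get("cmdline", "")
            if basename in ("powershell.exe", "pwsh.exe"):
                hit("Command and Scripting Interpreter: PowerShell", cmd)
            if basename == "cmd.exe" and (CARET_OBFUSCATION.search(cmd)
                                          or SUBSTRING_EXPANSION.search(cmd)):
                hit("Obfuscated cmd.exe command line", cmd)
        elif kind == "registry_query" and GEO_NATION.search(ev["key"]):
            hit("Checks computer location settings", ev["key"])
        elif kind == "registry_set" and RUN_KEY.search(ev["key"]):
            hit("Adds Run key to start application",
                f'{ev["key"]}\\{ev["value"]} = {ev["data"]}')
        elif kind == "file_write":
            written.add(ev["path"].lower())
        elif kind == "file_read" and BROWSER_DATA.search(ev["path"]):
            hit("Reads user/profile data of web browsers", ev["path"])
        elif kind == "image_load":
            path = ev["path"].lower()
            if path.endswith(".dll") and path in written:
                hit("Loads dropped DLL", ev["path"])
        elif kind == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            hit("Looks up external IP address via web service", ev["query"])
    return hits


if __name__ == "__main__":
    for name, evidence in triage(SAMPLE_EVENTS).items():
        print(name)
        for item in evidence:
            print("   ", item)
```

On the constructed trace every one of the seven listed behaviours fires exactly once and the two benign events stay silent. The caret and substring-expansion regexes are deliberately narrow; real DOSfuscation also abuses `set`/`call` variable chaining, so tune the cmd.exe rule against your own baseline rather than treating a single caret as malicious.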

MITRE ATT&CK Enterprise v15

Tasks