General

  • Target

    Xylex.bat

  • Size

    255B

  • Sample

    240603-m1lgfsdd25

  • MD5

    aa385e3b4104f4529680f554cdc39b40

  • SHA1

    00ab4c02495c60b0fce2ec3e6967b864e1156cae

  • SHA256

    e0cf8ed28a7efbcb910b6e7d78641179e39a81fae787308eb6112745e59f1076

  • SHA512

    ad06ece28950fa050775f899d0574c44ccf86912f465bd5e7c041b972173ef16a34a6857be8dfb1bd13163099d710b9fcf3c09a110f406e3a8608e71df16c66e

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe

Targets

    • Target

      Xylex.bat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

MITRE ATT&CK Enterprise v15