growtopia | 965e26ab119bb1fe78e0f2e9f3a4b85de6b308100faa6c12dd6aa60ee52f42ef | Triage

Sharing

General

Target

GXBuilder.exe
Size

12.9MB
Sample

240704-vq2ppascmb
MD5

de6416915830c63685b6771684689d36
SHA1

f3516b1816295056c870e3c15a52aafbf4e9aab3
SHA256

965e26ab119bb1fe78e0f2e9f3a4b85de6b308100faa6c12dd6aa60ee52f42ef
SHA512

7efb6ba401dad084f2e7aa0af834171724168f2bd28da2d28fd3c1083b6286b262f352fe6dac703eacb5624f8b810918293d563353dafd85ac96532da61f25a7
SSDEEP

393216:oNOnxeqv5yEgPDflLNVga2D3o5Doo7Mm:0OnxD56DtLzGD3ohoo7Mm

Score

10^/10

growtopia xenorat evasion execution persistence pyinstaller rat stealer trojan

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes

delay
5000
install_path
temp
port
45010
startup_name
WindowsErrorHandler

Extracted

Family

growtopia

C2

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Targets

- Target
  
  GXBuilder.exe
- Size
  
  12.9MB
- MD5
  
  de6416915830c63685b6771684689d36
- SHA1
  
  f3516b1816295056c870e3c15a52aafbf4e9aab3
- SHA256
  
  965e26ab119bb1fe78e0f2e9f3a4b85de6b308100faa6c12dd6aa60ee52f42ef
- SHA512
  
  7efb6ba401dad084f2e7aa0af834171724168f2bd28da2d28fd3c1083b6286b262f352fe6dac703eacb5624f8b810918293d563353dafd85ac96532da61f25a7
- SSDEEP
  
  393216:oNOnxeqv5yEgPDflLNVga2D3o5Doo7Mm:0OnxD56DtLzGD3ohoo7Mm
Score

10^/10

growtopia xenorat evasion execution persistence pyinstaller rat stealer trojan
- Growtopia
  Growtopa is an opensource modular stealer written in C#.
  stealer growtopia
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Power Settings

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

growtopiaxenoratevasionexecutionpersistencepyinstallerratstealertrojan

behavioral2

growtopiaxenoratevasionexecutionpersistencepyinstallerratstealertrojan