General

  • Target

    GX_Builder.exe

  • Size

    12.9MB

  • Sample

    240705-v37fpsscrp

  • MD5

    de6416915830c63685b6771684689d36

  • SHA1

    f3516b1816295056c870e3c15a52aafbf4e9aab3

  • SHA256

    965e26ab119bb1fe78e0f2e9f3a4b85de6b308100faa6c12dd6aa60ee52f42ef

  • SHA512

    7efb6ba401dad084f2e7aa0af834171724168f2bd28da2d28fd3c1083b6286b262f352fe6dac703eacb5624f8b810918293d563353dafd85ac96532da61f25a7

  • SSDEEP

    393216:oNOnxeqv5yEgPDflLNVga2D3o5Doo7Mm:0OnxD56DtLzGD3ohoo7Mm

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    45010

  • startup_name

    WindowsErrorHandler

Extracted

Family

growtopia

C2

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Targets

    • Target

      GX_Builder.exe

    • Size

      12.9MB

    • MD5

      de6416915830c63685b6771684689d36

    • SHA1

      f3516b1816295056c870e3c15a52aafbf4e9aab3

    • SHA256

      965e26ab119bb1fe78e0f2e9f3a4b85de6b308100faa6c12dd6aa60ee52f42ef

    • SHA512

      7efb6ba401dad084f2e7aa0af834171724168f2bd28da2d28fd3c1083b6286b262f352fe6dac703eacb5624f8b810918293d563353dafd85ac96532da61f25a7

    • SSDEEP

      393216:oNOnxeqv5yEgPDflLNVga2D3o5Doo7Mm:0OnxD56DtLzGD3ohoo7Mm

    • Growtopia

      Growtopa is an opensource modular stealer written in C#.

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Creates new service(s)

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks