General
Target: ArenaWars.rar
Size: 75.3MB
Sample: 241120-tp3d6atnen
MD5: be7136cfb142fd125b3cd7b1cf3741e0
SHA1: 786998e075835d42e8e58093c6dcaff2ca25c1d6
SHA256: 98bcb8091e5b61c603a18ddf7ef585eb17482c0dc790a620921eaa0e86e835c2
SHA512: f6fe892d87281ed0bdb238ef5db2afaf06e3e043e96f130cb26465fff9093e3438e3c425cbf0e52c3f0a83e501873dc33d9685c369d6e1559fe5c4218f806bcc
SSDEEP: 1572864:qDcObhsGaUIavfWgvERDz+h0Fje0muQl9+jvGzsK0qtm:qDbbhsm3PMN5de0mUjvEsmm
Static task: static1
Behavioral task: behavioral1
Sample: ArenaWars.rar
Resource: win10ltsc2021-20241023-en
Malware Config
Targets
Score: 10/10
Signatures
Hexon family
Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software installed on the system.
Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
  Modify Authentication Process (1)
  Steal Web Session Cookie (1)
  Unsecured Credentials (1)
  Credentials In Files (1)