General
- Target: Xeno.rar
- Size: 2.0MB
- Sample: 241209-jl8fws1lbv
- MD5: 67b103622d5df8fc6d622a8e6fe32f08
- SHA1: 0908ed7e113cac097853aed55090a1c616770d97
- SHA256: ce6ce51ff5758f51325e85d03f81d60a2c604c117efc8e7f24d70a29b8f5d1ac
- SHA512: 7d61b9238bb4e7e81eb444c1713c61ec96fac58d07441c67d315b94d4b88524d3065793e096358077ce253e8939a19c0d30c2ca1c0153aac4014d755b925619b
- SSDEEP: 49152:rihZv8enXtHTckffeJa+TGU7gJv1T/E7Ov78L3VXUVpS+sIlOs4:UxnXtHhe1TzgJdrY0qSy+sIlOs4
Static task: static1
Behavioral task: behavioral1 (Sample: Xeno.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Xeno.exe, Resource: win10v2004-20241007-en)
Behavioral task: behavioral3 (Sample: Xeno.exe, Resource: win10ltsc2021-20241023-en)
Behavioral task: behavioral4 (Sample: Xeno.exe, Resource: win11-20241007-en)
Malware Config
Extracted: meduza (45.130.145.152)
- anti_dbg: true
- anti_vm: true
- build_name: Oxoxox
- extensions: .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
- grabber_max_size: 3.145728e+06
- port: 15666
- self_destruct: true
Targets
- Target: Xeno.exe
- Size: 649.1MB
- MD5: 3b9c084d35bedcfe4cf7b306ecbf78ac
- SHA1: 24ae90b623cddc6666d8fca32d279f75a8c293e3
- SHA256: d794c2ac1b5a6783f1754e61f9efa20e627e1798319210db326761d7516df88b
- SHA512: 18b610cea4e05502b86b70008c4bd1f8f414e1d6793a1c3136181f5dfffdb2391c0d31f36dc899b393cb4d3a37ef6b9734c7c8020f13440d10b35d19fabb79b6
- SSDEEP: 49152:c57nFOOBDBLH/oDfHqvBeROOUKGoAocLFRNAYnsL1C:c57QOBDBbcfHuSOTKGFLbNn+
- Meduza Stealer payload
- Meduza family
- Xmrig family
- XMRig Miner payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Creates new service(s)
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)