General
-
Target
Xeno.exe
-
Size
649.1MB
-
Sample
241209-jm6cxs1lds
-
MD5
3b9c084d35bedcfe4cf7b306ecbf78ac
-
SHA1
24ae90b623cddc6666d8fca32d279f75a8c293e3
-
SHA256
d794c2ac1b5a6783f1754e61f9efa20e627e1798319210db326761d7516df88b
-
SHA512
18b610cea4e05502b86b70008c4bd1f8f414e1d6793a1c3136181f5dfffdb2391c0d31f36dc899b393cb4d3a37ef6b9734c7c8020f13440d10b35d19fabb79b6
-
SSDEEP
49152:c57nFOOBDBLH/oDfHqvBeROOUKGoAocLFRNAYnsL1C:c57QOBDBbcfHuSOTKGFLbNn+
Static task
static1
Behavioral task
behavioral1
Sample
Xeno.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
Xeno.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Xeno.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral4
Sample
Xeno.exe
Resource
win11-20241007-en
Malware Config
Extracted
meduza
45.130.145.152
-
anti_dbg
true
-
anti_vm
true
-
build_name
Oxoxox
-
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
-
grabber_max_size
3.145728e+06
-
port
15666
-
self_destruct
true
Targets
-
-
Target
Xeno.exe
-
Size
649.1MB
-
MD5
3b9c084d35bedcfe4cf7b306ecbf78ac
-
SHA1
24ae90b623cddc6666d8fca32d279f75a8c293e3
-
SHA256
d794c2ac1b5a6783f1754e61f9efa20e627e1798319210db326761d7516df88b
-
SHA512
18b610cea4e05502b86b70008c4bd1f8f414e1d6793a1c3136181f5dfffdb2391c0d31f36dc899b393cb4d3a37ef6b9734c7c8020f13440d10b35d19fabb79b6
-
SSDEEP
49152:c57nFOOBDBLH/oDfHqvBeROOUKGoAocLFRNAYnsL1C:c57QOBDBbcfHuSOTKGFLbNn+
-
Meduza Stealer payload
-
Meduza family
-
Xmrig family
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1