blankgrabber | cafe6236c0d13a491e8622b8b1cd7c6ba2b1fa23b315caed016e4fdcc5d92325

Sharing

General

Target

Xeno.exe
Size

5.9MB
Sample

250127-gvk1vawldj
MD5

6419b6a0c20d3e4d375cd9ef2b0fa263
SHA1

2246ea72640ef84a4b7df293008191c0962d1ee0
SHA256

cafe6236c0d13a491e8622b8b1cd7c6ba2b1fa23b315caed016e4fdcc5d92325
SHA512

03eb01b3dcb98436e0829116ae8091a478737bab0d9aa7b6d30abb766bec22240ff23b058670fcccd494903181b08d1c186638405633c4f175fffa445a0267b9
SSDEEP

98304:Dl+WCS8i65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeFP9hZkrn0InVt:D4m6DOYjJlpZstQoS9Hf12VKXQbZCBVt

Score

10^/10

Malware Config

Targets

- Target
  
  Xeno.exe
- Size
  
  5.9MB
- MD5
  
  6419b6a0c20d3e4d375cd9ef2b0fa263
- SHA1
  
  2246ea72640ef84a4b7df293008191c0962d1ee0
- SHA256
  
  cafe6236c0d13a491e8622b8b1cd7c6ba2b1fa23b315caed016e4fdcc5d92325
- SHA512
  
  03eb01b3dcb98436e0829116ae8091a478737bab0d9aa7b6d30abb766bec22240ff23b058670fcccd494903181b08d1c186638405633c4f175fffa445a0267b9
- SSDEEP
  
  98304:Dl+WCS8i65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeFP9hZkrn0InVt:D4m6DOYjJlpZstQoS9Hf12VKXQbZCBVt
Score

10^/10

upx collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  defense_evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  � >�_s.pyc
- Size
  
  857B
- MD5
  
  89d29166436ad0bd343ffa905c13a090
- SHA1
  
  ad5cb5664d8a97519a608d5be077c2dcace8563a
- SHA256
  
  779e0c92c295910c5b0722d6ef71683f26b95370f51abeec5a62832ab410fa68
- SHA512
  
  f9901a2b88de55d2b89f29322da964a2b3676dd53c47cad8f88d8d74a3835032c519b1f5157cf4e6fedab9ad5e2d82eea902dd4c15ad3ddb0ac497acf521d020
Score

1^/10
behavioral5 behavioral6 behavioral7 behavioral8