Unpacking the unpleasant FIN7 gift: PackXOR

Sept. 17, 2024, 11:28 a.m.

Description

This analysis delves into PackXOR, a private packer associated with FIN7's AvNeutralizer tool. PackXOR employs a two-section structure with XOR encryption and LZNT1 compression. The packer utilizes Run-Time Dynamic Linking and encrypts API function names. Notably, PackXOR has been observed packing various payloads beyond AvNeutralizer, including XMRig cryptominer and data exfiltration tools. This suggests its usage extends beyond FIN7 operations. The article provides a detailed breakdown of the packer's logic, string encryption methods, and usage patterns. Additionally, an unpacker tool is introduced to assist the cybersecurity community in analyzing PackXOR-packed malware.

Date

Published: Sept. 17, 2024, 11:19 a.m.

Created: Sept. 17, 2024, 11:19 a.m.

Modified: Sept. 17, 2024, 11:28 a.m.

Indicators


Attack Patterns

R77 rootkit

AvNeutralizer

XMRig

FIN7

T1027.002

T1497

T1129

T1106

T1055

T1140

T1027