Unpacking the unpleasant FIN7 gift: PackXOR

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

This analysis examines PackXOR, a private packer associated with FIN7's AvNeutralizer tool. PackXOR uses a two-section structure in which the payload is LZNT1-compressed and then XOR-encrypted. The packed stub resolves its imports through run-time dynamic linking (looking up functions at run time rather than through the import table) and keeps the API function names it needs in encrypted form. Notably, PackXOR has been observed packing payloads other than AvNeutralizer, including the XMRig cryptominer and data exfiltration tools, which suggests its use extends beyond FIN7 operations. The article gives a detailed breakdown of the packer's logic, its string encryption, and its usage patterns, and introduces an unpacker tool to help the community analyze PackXOR-packed malware.
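The summary describes the unpacking pipeline (XOR-decrypt, then LZNT1-decompress, then treat the result as the real payload) but not PackXOR's section layout, key length, or key derivation. The following is an added example, written here rather than taken from the article or its unpacker: it implements a generic repeating-key XOR step and a standalone LZNT1 decoder (the Windows chunk format, as documented in MS-XCA), and runs them over a constructed blob. The sample key, the sample blob, the two-chunk layout, and the assumption that a stored (uncompressed) chunk's size comes from its header are all assumptions of this example, not facts about PackXOR.

```python
"""Generic XOR-then-LZNT1 unpacking, modelled on the PackXOR description.

Added example, not PackXOR's own code. The key, the blob layout and the
sample data below are constructed; the LZNT1 decoder follows the chunk
format in MS-XCA (2-byte chunk header, flag byte + 8 tokens per group).
"""
import struct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _lznt1_chunk(chunk: bytes) -> bytes:
    """Decode one compressed LZNT1 chunk body."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]          # bit n set -> token n is a back-reference
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])          # literal byte
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # The offset/length split widens with the position in the chunk:
            # 4 offset bits for positions 0-15, 5 for 16-31, 6 for 32-63, ...
            pos, len_mask, off_shift = len(out), 0xFFF, 12
            while pos >= 0x10:
                len_mask >>= 1
                off_shift -= 1
                pos >>= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference points before chunk start")
            for _ in range(length):           # byte-wise copy handles overlap
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(buf: bytes) -> bytes:
    """Walk chunk headers: bit 15 = compressed, bits 12-14 = 3, bits 0-11 = size-1."""
    out = bytearray()
    i = 0
    while i + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, i)[0]
        i += 2
        if header == 0:                       # end-of-stream marker
            break
        if (header >> 12) & 0x7 != 3:
            raise ValueError("bad LZNT1 chunk signature")
        size = (header & 0xFFF) + 1
        body = buf[i:i + size]
        if len(body) != size:
            raise ValueError("truncated chunk")
        # Assumption: a stored chunk's length is taken from its header too.
        out += _lznt1_chunk(body) if header & 0x8000 else body
        i += size
    return bytes(out)


def unpack(blob: bytes, key: bytes) -> bytes:
    """XOR-decrypt, LZNT1-decompress, then sanity-check for a PE image."""
    payload = lznt1_decompress(xor_bytes(blob, key))
    if payload[:2] != b"MZ":
        raise ValueError("decrypted payload is not a PE image; wrong key?")
    return payload


# Constructed sample (not a real PackXOR sample): one compressed chunk that
# encodes b"MZ\x90\x00" * 4 as four literals plus a back-reference
# (offset 4, length 12), followed by one stored chunk holding b"PE\x00\x00".
COMPRESSED = bytes([
    0x06, 0xB0,                 # header 0xB006: compressed | sig 3 | size-1 = 6
    0x10,                       # flags: tokens 0-3 literal, token 4 back-reference
    0x4D, 0x5A, 0x90, 0x00,     # "MZ\x90\x00"
    0x09, 0x30,                 # token 0x3009: (offset-1) << 12 | (length-3)
    0x03, 0x30,                 # header 0x3003: stored | sig 3 | size-1 = 3
    0x50, 0x45, 0x00, 0x00,     # "PE\x00\x00"
    0x00, 0x00,                 # end of stream
])
SAMPLE_KEY = b"\x5a\xc3\x9e\x01"   # assumed key; the real key scheme is not given here
SAMPLE_BLOB = xor_bytes(COMPRESSED, SAMPLE_KEY)

if __name__ == "__main__":
    print(unpack(SAMPLE_BLOB, SAMPLE_KEY))
```

On a Windows host the LZNT1 step can be cross-checked against the OS decoder by calling ntdll's RtlDecompressBuffer with COMPRESSION_FORMAT_LZNT1 (value 2) through ctypes; the pure-Python decoder above is there so the check also runs on a Linux analysis box. The same xor_bytes helper is the natural starting point for recovering the encrypted API names once the key scheme for those strings is known; the summary does not state what that scheme is.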

OPENCTI LABELS :

avneutralizer,packxor,r77 rootkit

