Unpacking the unpleasant FIN7 gift: PackXOR
Essential information
- Published: 17/09/2024 11:19
- Modified: 17/09/2024 11:28
- Tags: 2024-09-17, avneutralizer, packxor, r77, rootkit
- Related entities: 12 observables, 1 intrusion set (APT), 7 techniques (MITRE ATT&CK), 3 malware
Description
This analysis examines PackXOR, a private packer associated with FIN7's AvNeutralizer tool. PackXOR uses a two-section structure and protects its payload with two layers, XOR encryption and LZNT1 compression (the Windows-native compression format exposed through RtlCompressBuffer/RtlDecompressBuffer), so unpacking means reversing both layers rather than just one. The stub resolves the Windows API functions it needs at run time (run-time dynamic linking via LoadLibrary/GetProcAddress instead of a static import table) and stores the API names in encrypted form, so neither the import table nor a plain strings dump reveals which functions it calls. Notably, PackXOR has been observed packing payloads other than AvNeutralizer, including the XMRig cryptominer and data exfiltration tools, which suggests its use extends beyond FIN7 operations. The article gives a detailed breakdown of the packer's logic, its string-encryption methods and its usage patterns, and introduces an unpacker tool to help the community analyze PackXOR-packed samples.
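To make the two protection layers concrete, the following is an added example (not PackXOR's stub and not the article's unpacker) of peeling an XOR-then-LZNT1 blob in pure Python, so it runs off Windows without RtlDecompressBuffer. Everything specific to a sample is an assumption here: the three-byte key `KEY`, the key position and the payload bytes in `SAMPLE_COMPRESSED` are constructed for the demo and say nothing about PackXOR's real key length, key location or section layout, which have to come from analysis of the packer's own sections.

```python
"""Added example: unpacking an XOR-plus-LZNT1 layered blob, off Windows.

Illustrative code, not PackXOR's stub or the article's unpacker. The key, key
length and sample bytes are constructed for the demo; in a real sample they
come from the analysis of the packer's own sections.
"""
import struct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so this serves both sides."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream (what RtlDecompressBuffer handles as
    COMPRESSION_FORMAT_LZNT1). Stream = chunks; each chunk has a 2-byte LE
    header: bit 15 = compressed, bits 12-14 = signature 3, bits 0-11 =
    (size of chunk data after the header) - 1. Compressed chunk data is
    groups of one flag byte and 8 tokens: flag bit clear = literal byte,
    set = 2-byte LE (displacement, length) back-reference token."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                      # zero header ends the stream
            break
        if (header >> 12) & 0x7 != 3:
            raise ValueError(f"bad LZNT1 chunk signature at offset {pos - 2:#x}")
        size = (header & 0xFFF) + 1
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated LZNT1 chunk")
        pos += size
        if not header & 0x8000:              # stored chunk: copy through
            out += chunk
            continue
        chunk_start = len(out)               # back-references never cross chunks
        i = 0
        while i < len(chunk):
            flags = chunk[i]
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    out.append(chunk[i])
                    i += 1
                    continue
                if i + 2 > len(chunk):
                    raise ValueError("truncated LZNT1 copy token")
                token = struct.unpack_from("<H", chunk, i)[0]
                i += 2
                # The 16-bit token is split between displacement and length; the
                # further into the chunk we are, the more bits the displacement
                # gets (4 bits for the first 16 output bytes, up to 12).
                p = len(out) - chunk_start - 1
                len_mask, disp_shift = 0xFFF, 12
                while p >= 0x10:
                    len_mask >>= 1
                    disp_shift -= 1
                    p >>= 1
                length = (token & len_mask) + 3
                disp = (token >> disp_shift) + 1
                if disp > len(out) - chunk_start:
                    raise ValueError("LZNT1 back-reference points before the chunk")
                for _ in range(length):      # byte-wise, so overlapping copies work
                    out.append(out[-disp])
    return bytes(out)


def unpack(packed: bytes, key: bytes) -> bytes:
    """Peel the layers in reverse order: XOR first, then LZNT1. The MZ check
    is a cheap test that the assumed key and layout were right."""
    payload = lznt1_decompress(xor_bytes(packed, key))
    if payload[:2] != b"MZ":
        raise ValueError("unpacked data does not start with an MZ header")
    return payload


# Constructed sample: the first 16 bytes of a typical DOS header followed by
# 16 zero bytes, LZNT1-compressed by hand into one chunk (header 0xB012).
SAMPLE_COMPRESSED = bytes.fromhex(
    "12b0" "00" "4d5a900003000000" "32" "04" "0030" "ffff" "0040" "0c00"
)
EXPECTED_PAYLOAD = bytes.fromhex("4d5a90000300000004000000ffff0000") + b"\x00" * 16

KEY = b"\x5a\xa5\x3c"                       # constructed key, assumption for the demo
PACKED = xor_bytes(SAMPLE_COMPRESSED, KEY)  # simulated encrypted section

if __name__ == "__main__":
    payload = unpack(PACKED, KEY)
    print(f"unpacked {len(payload)} bytes: {payload[:16].hex()}...")
```

The order matters: a wrong key or a wrong guess at where the encrypted data starts usually shows up as a failed LZNT1 signature check before any decompression happens, which is a quicker diagnostic than staring at garbage output. On a Windows analysis box the same bytes can be cross-checked against `RtlDecompressBuffer` via ctypes to confirm the pure-Python decoder agrees with the native one.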