Analysis

  • max time kernel: 117s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • submitted: 25/02/2024, 12:31

General

  • Target: file.exe
  • Size: 351KB
  • MD5: 8f81cbad65802a563f4c6828ad59e382
  • SHA1: 732d20205b2c7879a138bf89bae0d272166d8961
  • SHA256: f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9
  • SHA512: 072f837658ec1387cd44f9b4119b0fc52a67f8e5a8334c56fbae88de6564b9f65b313dfb473900e41a6989b33d3f02373aaf40f280b826f3f8bfe9251ecb1166
  • SSDEEP: 3072:yk6yIlOwVEC7i+lv5e4nAFOkrDJmnKNJT3EfqBDTSIJ47faaV0OJrVZO+zuiGFZ4:KM2ECm+lvc+C5VQyWdGAiQmN8R

Malware Config

Signatures

  • Detect Xehook Payload (2 IoCs)
  • Xehook family
  • Xehook stealer
    Xehook is an infostealer written in C#.
  • Deletes itself (1 IoCs)
  • Reads data files stored by FTP clients (2 TTPs)
    Tries to access configuration files associated with programs like FileZilla.
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Unsecured Credentials: Credentials In Files (1 TTPs)
    Steals credentials from unsecured files.
  • Looks up external IP address via web service (1 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
    Adversaries may check for Internet connectivity on compromised systems.
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1952, level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 2868, level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delete.bat" "
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\PING.EXE (PID 1528, level 3)
        Command line: ping 127.0.0.1 -n 2
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\delete.bat
    Filesize: 140B
    MD5: 9c4b81dc0426ac07d4a9bc02c0aee213
    SHA1: 90a14658ac90e1d45bdf0ac20d3d943e56873eea
    SHA256: 4dc6714f0436b752eadc6dec5b17ecbb2685e56731e5ebc2355755b5b830c594
    SHA512: 4800a31f738ee9293e44367df87de7496e5be0efd645c0dad64640c394cbe37aa16c8d3fa02fb0392fafa4080de0093631bfa99e1ed644c1e4e4716bb9175e12
  • memory/1952-0-0x0000000000070000-0x000000000009C000-memory.dmp
    Filesize: 176KB
  • memory/1952-4-0x00000000003D0000-0x00000000003EA000-memory.dmp
    Filesize: 104KB
  • memory/1952-5-0x0000000074540000-0x0000000074C2E000-memory.dmp
    Filesize: 6.9MB
  • memory/1952-6-0x0000000000470000-0x00000000004B0000-memory.dmp
    Filesize: 256KB
  • memory/1952-19-0x0000000074540000-0x0000000074C2E000-memory.dmp
    Filesize: 6.9MB