xehook | 05bfbb0886bf381e6a4b2875e928aedf6abe197884d9a64ad7137f6016ed5c9f

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05bfbb0886bf381e6a4b2875e928aedf6abe197884d9a64ad7137f6016ed5c9f.exe
Size

276KB
MD5

86956574d8364f5e6062a23189458eb2
SHA1

9d0cd1bb0b618ffe9076e7ad5e607ea88abe85b0
SHA256

05bfbb0886bf381e6a4b2875e928aedf6abe197884d9a64ad7137f6016ed5c9f
SHA512

d206d519fe82cd025f0ace27759c6e99559187f7bd84dd61eadf06b0acf6f3ed6b289f650c163debe9afc38ec62cad51479c4b2e3ab3a0ab71132c5557064305
SSDEEP

6144:9g4e6XnYIZxmt5DmvpVYNB/nOCFDfuOTJ6I2vCoCe:a4XnYeuNN5J2OTLoCe

Score

10^/10

xehook stealer

Malware Config

Signatures

Detect Xehook Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2868-0-0x0000000001340000-0x0000000001389000-memory.dmp	family_xehook

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook

Detect binaries embedding considerable number of MFA browser extension IDs. 1 IoCs

resource	yara_rule
behavioral1/memory/2868-0-0x0000000001340000-0x0000000001389000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs

resource	yara_rule
behavioral1/memory/2868-0-0x0000000001340000-0x0000000001389000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral1/memory/2868-0-0x0000000001340000-0x0000000001389000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1636	2868	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 1636	2868	05bfbb0886bf381e6a4b2875e928aedf6abe197884d9a64ad7137f6016ed5c9f.exe	29
PID 2868 wrote to memory of 1636	2868	05bfbb0886bf381e6a4b2875e928aedf6abe197884d9a64ad7137f6016ed5c9f.exe	29
PID 2868 wrote to memory of 1636	2868	05bfbb0886bf381e6a4b2875e928aedf6abe197884d9a64ad7137f6016ed5c9f.exe	29
PID 2868 wrote to memory of 1636	2868	05bfbb0886bf381e6a4b2875e928aedf6abe197884d9a64ad7137f6016ed5c9f.exe	29

C:\Users\Admin\AppData\Local\Temp\05bfbb0886bf381e6a4b2875e928aedf6abe197884d9a64ad7137f6016ed5c9f.exe
"C:\Users\Admin\AppData\Local\Temp\05bfbb0886bf381e6a4b2875e928aedf6abe197884d9a64ad7137f6016ed5c9f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 48
  2⤵
  - Program crash
  PID:1636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2868-0-0x0000000001340000-0x0000000001389000-memory.dmp

Filesize
292KB

Download