xehook | a88dee703baa477bbcc709563c9f6f260f4210387dde7d83ea263035b364c378

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 01:13

Target

4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d.exe
Size

210KB
MD5

51b0ed6b4908a21e5cc1d9ec7c046040
SHA1

d874f6da7327b2f1b3ace5e66bc763c557ac382e
SHA256

4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d
SHA512

48ec96b209d7061a1276496feb250cf183891b950465d3a916c999aa1efc1c8831b068ce0fce4ce21d09677f945b3d816ed4040146462a0ce0845318041586a2
SSDEEP

6144:gQtdqzqv7rArb/LoEyavuW6uqQqNW14pv:gQtdqWk/LDmQqQqK4pv

Score

10^/10

xehook stealer

Detect Xehook Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1540-0-0x0000000000FB0000-0x0000000000FE6000-memory.dmp	family_xehook

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2356 1540 WerFault.exe 4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d.exe

pid	pid_target	process	target process
2356	1540	WerFault.exe	4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d.exe

description	pid	process	target process
PID 1540 wrote to memory of 2356	1540	4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d.exe	WerFault.exe
PID 1540 wrote to memory of 2356	1540	4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d.exe	WerFault.exe
PID 1540 wrote to memory of 2356	1540	4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d.exe	WerFault.exe
PID 1540 wrote to memory of 2356	1540	4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d.exe
"C:\Users\Admin\AppData\Local\Temp\4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 92
2⤵
- Program crash
PID:2356

memory/1540-0-0x0000000000FB0000-0x0000000000FE6000-memory.dmp

Filesize
216KB

Download