xehook | 1988e57588055c5e70ba3acc057888a03d33520ae86f74f95e6c2a9bcbf128aa | Triage

Submit
Reports

Overview

overview

Static

static

3

winprofile

windows7-x64

winprofile

windows10-1703-x64

Sharing

General

Target

1988e57588055c5e70ba3acc057888a03d33520ae86f74f95e6c2a9bcbf128aa
Size

273KB
Sample

240422-fhspgsga5w
MD5

09b7c724534548986bb2110cf0902d76
SHA1

b94ad55a4b7c4c2c9d5a85c3426bbd8a54bfbcc8
SHA256

1988e57588055c5e70ba3acc057888a03d33520ae86f74f95e6c2a9bcbf128aa
SHA512

42ff115546983093708a43909f1bf962741ab7ceca55b86892f4e85bd3b6071ef2bddadd8f0a51a4684c11f2fca988e58a26ad6567820990a3c243670182ea5f
SSDEEP

6144:VtwlK8rGFkFokzeQanr/6pNLCI8cQGz0nUMtY/uqqaO0:B8rGFkFP2upVC+zqUMtY/uq/O0

Score

10^/10

xehook spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1988e57588055c5e70ba3acc057888a03d33520ae86f74f95e6c2a9bcbf128aa.exe

Resource

win7-20240221-en

windows7-x64

4 signatures

300 seconds

Behavioral task

behavioral2

Sample

1988e57588055c5e70ba3acc057888a03d33520ae86f74f95e6c2a9bcbf128aa.exe

Resource

win10-20240404-en

xehook spyware stealer

windows10-1703-x64

8 signatures

300 seconds

Malware Config

Extracted

Family

xehook

C2

https://unotree.ru/

https://aiwhcpoaw.ru/

Targets

- Target
  
  1988e57588055c5e70ba3acc057888a03d33520ae86f74f95e6c2a9bcbf128aa
- Size
  
  273KB
- MD5
  
  09b7c724534548986bb2110cf0902d76
- SHA1
  
  b94ad55a4b7c4c2c9d5a85c3426bbd8a54bfbcc8
- SHA256
  
  1988e57588055c5e70ba3acc057888a03d33520ae86f74f95e6c2a9bcbf128aa
- SHA512
  
  42ff115546983093708a43909f1bf962741ab7ceca55b86892f4e85bd3b6071ef2bddadd8f0a51a4684c11f2fca988e58a26ad6567820990a3c243670182ea5f
- SSDEEP
  
  6144:VtwlK8rGFkFokzeQanr/6pNLCI8cQGz0nUMtY/uqqaO0:B8rGFkFP2upVC+zqUMtY/uq/O0
Score

10^/10

xehook stealer spyware
- Detect Xehook Payload
- Xehook stealer
  Xehook is an infostealer written in C#.
  stealer xehook
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

xehookspywarestealer

© 2018-2024

Terms | Privacy