Malware Analysis Report

2025-06-16 07:06

Sample ID 240531-tbbdhsdb5w
Target 2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba
SHA256 79a0ea8711cd6bb5be07a0bc3630a4c58177501267ffa02492988e073e8c0251
Tags
Score 7/10

Analysis Overview

Score 7/10

SHA256 79a0ea8711cd6bb5be07a0bc3630a4c58177501267ffa02492988e073e8c0251

Threat Level: Shows suspicious behavior

The file 2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE
Loads dropped DLL
Unsigned PE
Program crash
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-31 15:52

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-31 15:52
Reported 2024-05-31 15:55
Platform win7-20240508-en
Max time kernel 118s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe"

Signatures

Executes dropped EXE

Description  Indicator  Process                                              Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe"

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe 259400646

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 580

Network

Country  Destination          Domain         Proto
US       8.8.8.8:53           www.ip138.com  udp
GB       163.171.146.42:80    www.ip138.com  tcp
GB       163.171.146.42:443   www.ip138.com  tcp

Files

memory/2932-1-0x0000000000400000-0x00000000007A5000-memory.dmp

memory/2932-0-0x0000000000400000-0x00000000007A5000-memory.dmp

\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe

MD5 55cc7683717d69be9952c55b111cabc5
SHA1 a930700beac12a19bfa97462dd6ff508e0675e1c
SHA256 df70c36f2ab8a332417564da35ff6ce62c1dae060b9f0d3969d536a88d4fdf8c
SHA512 a62a2066658cfb92892f2bf7c1f9791ff772567940aee24e58b602b4fcd5b703603050fe9676ffbade55a28986a5539d23b8f001c00076dd0446e401a0246c99

memory/2452-11-0x0000000000400000-0x00000000007A5000-memory.dmp

memory/2452-13-0x000000007699D000-0x000000007699E000-memory.dmp

memory/2932-12-0x0000000002A60000-0x0000000002E05000-memory.dmp

memory/2932-32-0x0000000000400000-0x00000000007A5000-memory.dmp

memory/2452-43-0x0000000000400000-0x00000000007A5000-memory.dmp

memory/2452-44-0x000000007699D000-0x000000007699E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-31 15:52
Reported 2024-05-31 15:55
Platform win10v2004-20240226-en
Max time kernel 139s
Max time network 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe"

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe 240646000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 100 -ip 100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country  Destination          Domain                         Proto
GB       96.16.110.114:80                                    tcp
US       8.8.8.8:53           www.ip138.com                  udp
GB       163.171.129.134:80   www.ip138.com                  tcp
GB       163.171.129.134:443  www.ip138.com                  tcp
US       8.8.8.8:53           134.129.171.163.in-addr.arpa   udp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa    udp
US       8.8.8.8:53           89.90.14.23.in-addr.arpa       udp
US       8.8.8.8:53           226.20.18.104.in-addr.arpa     udp
US       8.8.8.8:53           226.21.18.104.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           71.31.126.40.in-addr.arpa      udp
US       13.107.253.64:443                                   tcp
US       8.8.8.8:53           164.189.21.2.in-addr.arpa      udp
US       8.8.8.8:53           154.239.44.20.in-addr.arpa     udp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53           14.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53           chromewebstore.googleapis.com  udp
US       8.8.8.8:53           chromewebstore.googleapis.com  udp
GB       142.250.180.10:443   chromewebstore.googleapis.com  tcp
US       8.8.8.8:53           10.180.250.142.in-addr.arpa    udp
US       8.8.8.8:53           48.192.11.51.in-addr.arpa      udp

Files

memory/3604-0-0x0000000000400000-0x00000000007A5000-memory.dmp

memory/3604-1-0x0000000000400000-0x00000000007A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe

MD5 7c9bd7c4f0728d414eda5b336ada4f08
SHA1 d4f7692fd2d5324a02dd112c3fb91219d9763db2
SHA256 2be76055be03f5c487a47cd999957678687732daad50bfbae1a3ddc1b5f2f2f5
SHA512 7e34d0126fa1050dad56619abea51631470ed043928c741b322934f65b9ac35b375038277443418af9c095a72c87143430c1866e3332693e399780b673df0011

memory/3604-7-0x0000000000400000-0x00000000007A5000-memory.dmp

memory/100-17-0x000000007589A000-0x000000007589B000-memory.dmp

memory/100-21-0x0000000000400000-0x00000000007A5000-memory.dmp