xehook | 600694fa52aa0bd711a6d564728931380bd29891fdf62c26b1f95224589b78d8

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81740342d64bc105d369f39bcf23e93f.exe
Size

149KB
MD5

81740342d64bc105d369f39bcf23e93f
SHA1

4d5d266bc24ed969108c68f794883957a22ae939
SHA256

600694fa52aa0bd711a6d564728931380bd29891fdf62c26b1f95224589b78d8
SHA512

3be9e90c67ef641b94f81c86344082b63c690e906a1fed7825bb6a0321cd4c8289d8e64e9583897ce832cad137f475e66053ace4d43f2b6a741d33b3709ead91
SSDEEP

3072:HemwkmgMXfbtdBE2a/duEx5cLbfu3/XcW5DC2kgZ8YfHcvOgbg8vW/f:HfmgMXfbtdK2a/dh5cLeC2kgZ8YfHcv/

Score

10^/10

xehook spyware stealer

Malware Config

Signatures

Detect Xehook Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2336-1-0x0000000001180000-0x00000000011AC000-memory.dmp	family_xehook

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2000 cmd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2640 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

81740342d64bc105d369f39bcf23e93f.exe

description pid process

Token: SeDebugPrivilege 2336 81740342d64bc105d369f39bcf23e93f.exe

pid	process
2000	cmd.exe

flow	ioc
4	ip-api.com

pid	process
2640	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2336	81740342d64bc105d369f39bcf23e93f.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

81740342d64bc105d369f39bcf23e93f.execmd.exe

description	pid	process	target process
PID 2336 wrote to memory of 2000	2336	81740342d64bc105d369f39bcf23e93f.exe	cmd.exe
PID 2336 wrote to memory of 2000	2336	81740342d64bc105d369f39bcf23e93f.exe	cmd.exe
PID 2336 wrote to memory of 2000	2336	81740342d64bc105d369f39bcf23e93f.exe	cmd.exe
PID 2000 wrote to memory of 2640	2000	cmd.exe	PING.EXE
PID 2000 wrote to memory of 2640	2000	cmd.exe	PING.EXE
PID 2000 wrote to memory of 2640	2000	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\81740342d64bc105d369f39bcf23e93f.exe
"C:\Users\Admin\AppData\Local\Temp\81740342d64bc105d369f39bcf23e93f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\delete.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delete.bat

Filesize
168B

MD5
88a285eceb06abcbf9901fd2a00e6678

SHA1
6ffd6a31729e4c8438df5301bf3c14b58dcd906a

SHA256
2630206feb1bb9f813a3bfc3ceea7164639d73e787c3130271adfce64308e205

SHA512
dcdb33f70a752d3be8e05b9c57e7b64d68bea8f853be630b76d5e8b000c6ca207ce058af78b91dfce2858b80b582fa0cba0cb3b027ed813d57f1e2c297f4ff13

Download Submit
memory/2336-0-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x0000000001180000-0x00000000011AC000-memory.dmp

Filesize
176KB

Download
memory/2336-2-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/2336-3-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-12-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download