Overview

overview

10

Static

static

10

ee3b16d718...34.exe

windows7-x64

10

ee3b16d718...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2024 14:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee3b16d7188ad9b08cb1cbe52708b134.exe

  • Size

    149KB

  • MD5

    ee3b16d7188ad9b08cb1cbe52708b134

  • SHA1

    946ec3b88c7eb1442512cd1ba450b05132e48dc6

  • SHA256

    b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e

  • SHA512

    2c1272dd493ff6361dcadfbbffc39aaa8c84a3a7b925597de0fa12381c045307943e7bb3827b5c22709c2be010c2d0e1036c79c5f933c58ee05acabb672ab542

  • SSDEEP

    3072:vOWXtBuFND5H/QUszPu4bk5GB2fu3/X9e5FuZl1yotj3ZzQ2pw22sIq/L:vh9BuFND5H/QUszPrFBeuZl1yotj3Zzw

Score
10/10
xehookspywarestealer

Malware Config

Signatures

  • Detect Xehook Payload 1 IoCs
  • Xehook stealer

    Xehook is an infostealer written in C#.

    stealerxehook
  • Deletes itself 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee3b16d7188ad9b08cb1cbe52708b134.exe
    "C:\Users\Admin\AppData\Local\Temp\ee3b16d7188ad9b08cb1cbe52708b134.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\delete.bat" "
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\delete.bat
    Filesize

    168B

    MD5

    3ba3a28d8a35f4a787c9b407eff6b94d

    SHA1

    e10180c69d12dde9dde40b73a00ff885f4b107e9

    SHA256

    62d46388f556d0d8eb7ef7f88d13da878f2007ac4c0ccc94c8fc05983f99325e

    SHA512

    e40eaa3947f3b1bbe8d740784a9816a3b3c816e606ca33e3908a0d277329ab51d259f1b75727efb2d6ff08de794efba31340c0408357169c70aed6feb5fd23b1

    Download Submit

  • memory/2016-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2016-1-0x0000000000050000-0x000000000007C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2016-2-0x0000000000310000-0x000000000032A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2016-3-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2016-13-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

    Filesize

    9.9MB

    Download