Overview

overview

10

Static

static

1

1dbe4ba8f3...10.exe

windows7-x64

3

1dbe4ba8f3...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-07-2024 00:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1dbe4ba8f382a47c48facfd9360fac10.exe

  • Size

    353KB

  • MD5

    1dbe4ba8f382a47c48facfd9360fac10

  • SHA1

    08b5c20e80e71abfaa842697a1e9ed3ee76feeee

  • SHA256

    b9e5ab4620dc672f82c5d9d32459fd7a6a13960be269d8b13b8b4b6a1a33cf66

  • SHA512

    8920aff361ff91c18a08b16076215c30f4fc7c8ffd0de9fa822698c66165324545a20103d971f5e093c147cd5987d85ad9fb64969eba4ea67fc728641b13e992

  • SSDEEP

    6144:3YidRQfaVJpx3VZiYbEhYPQTEy/gbs4z5OOhChUU3V8i84hx7SJuV5erUuiLEO:3RaaVJpxb0wyKsK5xhdiJScXeLiLEO

Score
10/10
xehookspywarestealer

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

C2

https://ussrconnect.ru/

https://c0nnect1ng.ru/

https://vodkaenjoy.ru/
Attributes
  • id

    174

  • token

    xehook174464555

Signatures

  • Detect Xehook Payload 1 IoCs
  • Xehook stealer

    Xehook is an infostealer written in C#.

    stealerxehook
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1dbe4ba8f382a47c48facfd9360fac10.exe
    "C:\Users\Admin\AppData\Local\Temp\1dbe4ba8f382a47c48facfd9360fac10.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:2608
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
          PID:4252
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          2⤵
            PID:4492
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            2⤵
              PID:2612
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4992

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/3616-0-0x0000000000500000-0x0000000000501000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3616-1-0x0000000000500000-0x0000000000501000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3616-3-0x0000000000500000-0x0000000000501000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4992-2-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/4992-4-0x0000000074C2E000-0x0000000074C2F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4992-5-0x0000000005420000-0x00000000059C4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4992-6-0x0000000074C20000-0x00000000753D0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4992-7-0x00000000060D0000-0x0000000006162000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4992-8-0x0000000005F40000-0x0000000005FA6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4992-10-0x0000000074C20000-0x00000000753D0000-memory.dmp

            Filesize

            7.7MB

            Download