xehook | 4f179bb1925c0adf5cb44697a3f0986bd17bc65de686084641ef22c0a75b0a28

General

Target

fuck.exe
Size

480KB
MD5

041ab886cac2a8e2b79fc486390d5510
SHA1

30625cd6be8c5c2603cae540034948aa71022d97
SHA256

4f179bb1925c0adf5cb44697a3f0986bd17bc65de686084641ef22c0a75b0a28
SHA512

7aa4a6dc2c168c9b8de6ddc4f14f632f6d42017f46acc6dbb23b12969c03d9d17def89f062b4a37354691e06f227f4f4d95ef0c2f87b3b798bf58836ae10e6e4
SSDEEP

12288:U+En/eRuTRgPZOZUtRJbZTzPk99GstRUvo9PR0KZYEDop5k5q70zlDbjflq54GaT:ejTREtRJb9TT

Score

10^/10

xehook credential_access discovery stealer

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

C2

https://t.me/+w897k5UK_jIyNDgy

Attributes

id
301
token
xehook301447049203312

Signatures

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Loads dropped DLL 1 IoCs

Processes:

fuck.exe

pid process

5060 fuck.exe
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

fuck.exe

description pid process target process

PID 5060 set thread context of 2152 5060 fuck.exe MSBuild.exe

pid	process
5060	fuck.exe

flow	ioc
6	ip-api.com

description	pid	process	target process
PID 5060 set thread context of 2152	5060	fuck.exe	MSBuild.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fuck.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2152 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2152	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fuck.exe

description	pid	process	target process
PID 5060 wrote to memory of 2152	5060	fuck.exe	MSBuild.exe
PID 5060 wrote to memory of 2152	5060	fuck.exe	MSBuild.exe
PID 5060 wrote to memory of 2152	5060	fuck.exe	MSBuild.exe
PID 5060 wrote to memory of 2152	5060	fuck.exe	MSBuild.exe
PID 5060 wrote to memory of 2152	5060	fuck.exe	MSBuild.exe
PID 5060 wrote to memory of 2152	5060	fuck.exe	MSBuild.exe
PID 5060 wrote to memory of 2152	5060	fuck.exe	MSBuild.exe
PID 5060 wrote to memory of 2152	5060	fuck.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\fuck.exe
"C:\Users\Admin\AppData\Local\Temp\fuck.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
435KB

MD5
6808936803a9eb306c723e9702c27aae

SHA1
0488b94bf33eaf064a0623009052e8c4bf72d256

SHA256
3181c8666b3285c2640f33120931a7235c788a496145ee1b7ed47e80f32b7d87

SHA512
a9bb5faf3a097264a9c817df9b7b1fa57d4a58843f468802c881d5101946769afb4691363846296ef939cc8d00cddfc8448f20829675bf912ba837a44e1178ea

Download Submit
memory/2152-14-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-17-0x0000000005AD0000-0x0000000005B62000-memory.dmp

Filesize
584KB

Download
memory/2152-22-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-9-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/2152-20-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-19-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-18-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/2152-15-0x0000000004FB0000-0x00000000054AE000-memory.dmp

Filesize
5.0MB

Download
memory/2152-16-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/5060-13-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/5060-0-0x000000007353E000-0x000000007353F000-memory.dmp

Filesize
4KB

Download
memory/5060-5-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/5060-12-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/5060-10-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/5060-1-0x0000000000360000-0x00000000003DE000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing