xehook | 48e2f49ef81bcbcf043ee031085b0f6038fa04c0992e69a2f11587cf578b78d0

General

Target

583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe
Size

151KB
MD5

f635582929e0b0f2f18e1ee1fb7a84e9
SHA1

1d4946ea77a2bcf432f490d0a38429102a51069b
SHA256

583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d
SHA512

0a4ac0362ebf4ce81fb187d93898e3ffdf74e6a0da96913818ebbb59a236a3897ec680cdc4599a9cf8cee8f8b7d527c4fc0abf89016bab48449995d10065d1e7
SSDEEP

3072:mQHKadVFHUg2HiFI9ifi5iLLbyq8QL+wI7BJlwEKctby:BqSF/2HQlLLbyq8QL+wI7BJiEK

Score

10^/10

xehook stealer

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

C2

https://t.me/+w897k5UK_jIyNDgy

Attributes

id
208
token
xehook208262680500151

Signatures

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B19F54C5E64A6045EBBE0F449DCDA5D8722A2C75\Blob = 040000000100000010000000fab29336b502815600d87821541f74f40f0000000100000020000000318ffe03882d820c399f9c197c51c7cc88686d4a59c5600fb494c21f70870757030000000100000014000000b19f54c5e64a6045ebbe0f449dcda5d8722a2c75140000000100000014000000eebd41eb6b62189c954309180061ee29632616ee2000000001000000f9020000308202f5308201dda0030201020210263ebfc27c123116bb2c2e91e5734c1c300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303930393133303030305a170d3239303930393133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b5b1260e538643cf20a477976aeb6ab01492a3a03e1679a56d3c8870f925ae51f54d318d871939ebbf41d5890aae0159ae47d2ed7212a8ef924f0e7242325eebb5673ce0babb55232e02b49f4bb91ac69d91a1e478b25a46114c57efcb83b903508a18afc0a98f968ceb845db33442adc38277fb2878f0a7d20ce6187d352c4b79c41c6935a36968530d82bf6ff60d63cfd8f1ca228698202d94b737c13becd2a75ab91a48aa64232c7aa5844c342e6bf199711302d62dcb17690c7d3196017876223c0d837398eb74b37e3c352c5fd124128b6edc1dd56cf0ffcbccc9ead7677fde54259cd7f2a08a2206c620b3c41de3527dd7c007f50a0d1a6e9c20747cd30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414eebd41eb6b62189c954309180061ee29632616ee300d06092a864886f70d01010b0500038201010099bcddcf4ff60ad066858f705bbd16a6a6e4785143f4053e4db04e48c61df89f27251236c529c888d94c6f81509f51529ec7e9226b8b03b5fe54c3c4cf3b93c19b5d13f99c1fb35fd6b13f8625b64958c4e4bb922be0d7c4ca6194360966d21ccea8dd2946921d9ff38f070a71b206c3790ec366bd4679f2cfc1db6201120534a51f359312464ac447651797500b09d692f4086f2a9603d78230d1e141868e829446626c71d4bb91ba156039d98c74fcc8091578b268a166c4c836a157aae7e9a577d2d6764732156aaaccb0767aa3df064602371b180e9a39b2294499f273a95ba8a5d041acb3caf52c87feacd9883abf500e558bd09677d9219e5e63ab29d4	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B19F54C5E64A6045EBBE0F449DCDA5D8722A2C75\Blob = 1900000001000000100000006223bb30e7d29ea250be41b12eef3c2e140000000100000014000000eebd41eb6b62189c954309180061ee29632616ee030000000100000014000000b19f54c5e64a6045ebbe0f449dcda5d8722a2c750f0000000100000020000000318ffe03882d820c399f9c197c51c7cc88686d4a59c5600fb494c21f70870757040000000100000010000000fab29336b502815600d87821541f74f42000000001000000f9020000308202f5308201dda0030201020210263ebfc27c123116bb2c2e91e5734c1c300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303930393133303030305a170d3239303930393133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b5b1260e538643cf20a477976aeb6ab01492a3a03e1679a56d3c8870f925ae51f54d318d871939ebbf41d5890aae0159ae47d2ed7212a8ef924f0e7242325eebb5673ce0babb55232e02b49f4bb91ac69d91a1e478b25a46114c57efcb83b903508a18afc0a98f968ceb845db33442adc38277fb2878f0a7d20ce6187d352c4b79c41c6935a36968530d82bf6ff60d63cfd8f1ca228698202d94b737c13becd2a75ab91a48aa64232c7aa5844c342e6bf199711302d62dcb17690c7d3196017876223c0d837398eb74b37e3c352c5fd124128b6edc1dd56cf0ffcbccc9ead7677fde54259cd7f2a08a2206c620b3c41de3527dd7c007f50a0d1a6e9c20747cd30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414eebd41eb6b62189c954309180061ee29632616ee300d06092a864886f70d01010b0500038201010099bcddcf4ff60ad066858f705bbd16a6a6e4785143f4053e4db04e48c61df89f27251236c529c888d94c6f81509f51529ec7e9226b8b03b5fe54c3c4cf3b93c19b5d13f99c1fb35fd6b13f8625b64958c4e4bb922be0d7c4ca6194360966d21ccea8dd2946921d9ff38f070a71b206c3790ec366bd4679f2cfc1db6201120534a51f359312464ac447651797500b09d692f4086f2a9603d78230d1e141868e829446626c71d4bb91ba156039d98c74fcc8091578b268a166c4c836a157aae7e9a577d2d6764732156aaaccb0767aa3df064602371b180e9a39b2294499f273a95ba8a5d041acb3caf52c87feacd9883abf500e558bd09677d9219e5e63ab29d4	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B19F54C5E64A6045EBBE0F449DCDA5D8722A2C75	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B19F54C5E64A6045EBBE0F449DCDA5D8722A2C75\Blob = 0f0000000100000020000000318ffe03882d820c399f9c197c51c7cc88686d4a59c5600fb494c21f70870757030000000100000014000000b19f54c5e64a6045ebbe0f449dcda5d8722a2c752000000001000000f9020000308202f5308201dda0030201020210263ebfc27c123116bb2c2e91e5734c1c300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303930393133303030305a170d3239303930393133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b5b1260e538643cf20a477976aeb6ab01492a3a03e1679a56d3c8870f925ae51f54d318d871939ebbf41d5890aae0159ae47d2ed7212a8ef924f0e7242325eebb5673ce0babb55232e02b49f4bb91ac69d91a1e478b25a46114c57efcb83b903508a18afc0a98f968ceb845db33442adc38277fb2878f0a7d20ce6187d352c4b79c41c6935a36968530d82bf6ff60d63cfd8f1ca228698202d94b737c13becd2a75ab91a48aa64232c7aa5844c342e6bf199711302d62dcb17690c7d3196017876223c0d837398eb74b37e3c352c5fd124128b6edc1dd56cf0ffcbccc9ead7677fde54259cd7f2a08a2206c620b3c41de3527dd7c007f50a0d1a6e9c20747cd30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414eebd41eb6b62189c954309180061ee29632616ee300d06092a864886f70d01010b0500038201010099bcddcf4ff60ad066858f705bbd16a6a6e4785143f4053e4db04e48c61df89f27251236c529c888d94c6f81509f51529ec7e9226b8b03b5fe54c3c4cf3b93c19b5d13f99c1fb35fd6b13f8625b64958c4e4bb922be0d7c4ca6194360966d21ccea8dd2946921d9ff38f070a71b206c3790ec366bd4679f2cfc1db6201120534a51f359312464ac447651797500b09d692f4086f2a9603d78230d1e141868e829446626c71d4bb91ba156039d98c74fcc8091578b268a166c4c836a157aae7e9a577d2d6764732156aaaccb0767aa3df064602371b180e9a39b2294499f273a95ba8a5d041acb3caf52c87feacd9883abf500e558bd09677d9219e5e63ab29d4	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B19F54C5E64A6045EBBE0F449DCDA5D8722A2C75\Blob = 140000000100000014000000eebd41eb6b62189c954309180061ee29632616ee030000000100000014000000b19f54c5e64a6045ebbe0f449dcda5d8722a2c750f0000000100000020000000318ffe03882d820c399f9c197c51c7cc88686d4a59c5600fb494c21f708707572000000001000000f9020000308202f5308201dda0030201020210263ebfc27c123116bb2c2e91e5734c1c300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303930393133303030305a170d3239303930393133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b5b1260e538643cf20a477976aeb6ab01492a3a03e1679a56d3c8870f925ae51f54d318d871939ebbf41d5890aae0159ae47d2ed7212a8ef924f0e7242325eebb5673ce0babb55232e02b49f4bb91ac69d91a1e478b25a46114c57efcb83b903508a18afc0a98f968ceb845db33442adc38277fb2878f0a7d20ce6187d352c4b79c41c6935a36968530d82bf6ff60d63cfd8f1ca228698202d94b737c13becd2a75ab91a48aa64232c7aa5844c342e6bf199711302d62dcb17690c7d3196017876223c0d837398eb74b37e3c352c5fd124128b6edc1dd56cf0ffcbccc9ead7677fde54259cd7f2a08a2206c620b3c41de3527dd7c007f50a0d1a6e9c20747cd30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414eebd41eb6b62189c954309180061ee29632616ee300d06092a864886f70d01010b0500038201010099bcddcf4ff60ad066858f705bbd16a6a6e4785143f4053e4db04e48c61df89f27251236c529c888d94c6f81509f51529ec7e9226b8b03b5fe54c3c4cf3b93c19b5d13f99c1fb35fd6b13f8625b64958c4e4bb922be0d7c4ca6194360966d21ccea8dd2946921d9ff38f070a71b206c3790ec366bd4679f2cfc1db6201120534a51f359312464ac447651797500b09d692f4086f2a9603d78230d1e141868e829446626c71d4bb91ba156039d98c74fcc8091578b268a166c4c836a157aae7e9a577d2d6764732156aaaccb0767aa3df064602371b180e9a39b2294499f273a95ba8a5d041acb3caf52c87feacd9883abf500e558bd09677d9219e5e63ab29d4	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe

description	pid	Process
Token: SeDebugPrivilege	1980	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe

description	pid	Process	procid_target
PID 1980 wrote to memory of 2756	1980	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe	29
PID 1980 wrote to memory of 2756	1980	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe	29
PID 1980 wrote to memory of 2756	1980	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe	29

C:\Users\Admin\AppData\Local\Temp\583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe
"C:\Users\Admin\AppData\Local\Temp\583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1980 -s 1460
  2⤵
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1980-0-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

Filesize
4KB

Download
memory/1980-1-0x0000000000030000-0x000000000005C000-memory.dmp

Filesize
176KB

Download
memory/1980-2-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/1980-3-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

Filesize
4KB

Download
memory/1980-4-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads