xehook | 48e2f49ef81bcbcf043ee031085b0f6038fa04c0992e69a2f11587cf578b78d0

Resubmissions

13-09-2024 09:50

240913-lt52vawgrl 10

13-09-2024 09:49

240913-ltjtlsxckd 10

13-09-2024 09:48

240913-ls2b9swgmp 10

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe
Size

151KB
MD5

f635582929e0b0f2f18e1ee1fb7a84e9
SHA1

1d4946ea77a2bcf432f490d0a38429102a51069b
SHA256

583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d
SHA512

0a4ac0362ebf4ce81fb187d93898e3ffdf74e6a0da96913818ebbb59a236a3897ec680cdc4599a9cf8cee8f8b7d527c4fc0abf89016bab48449995d10065d1e7
SSDEEP

3072:mQHKadVFHUg2HiFI9ifi5iLLbyq8QL+wI7BJlwEKctby:BqSF/2HQlLLbyq8QL+wI7BJiEK

Score

10^/10

xehook stealer

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

https://t.me/+w897k5UK_jIyNDgy

Attributes

id
208
token
xehook208262680500151

Signatures

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1900	2972	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe	29
PID 2972 wrote to memory of 1900	2972	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe	29
PID 2972 wrote to memory of 1900	2972	583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe	29

C:\Users\Admin\AppData\Local\Temp\583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe
"C:\Users\Admin\AppData\Local\Temp\583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2972 -s 1060
  2⤵
  PID:1900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2972-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/2972-1-0x00000000011D0000-0x00000000011FC000-memory.dmp

Filesize
176KB

Download
memory/2972-2-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-3-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/2972-4-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download