General

  • Target: bulkdownload.rl.zip
  • Size: 119KB
  • Sample: 240914-x7st8asanb
  • MD5: 06410427f6646ca85b63af8a45def7a7
  • SHA1: 2b309bafd7846015d34f561546aca5e7a669f595
  • SHA256: 676498f292b3a47c39fadd65d8400735c92d0453aa627b1013cb4fe5a100be2d
  • SHA512: 6ba130d386146af99c928adc3e44e50a4f1ff7a6329b3e4395a7981842484601ceaf9e9fecc556d8b10a8397ac93f569d8a6d131343aad7a0f61bdd9905ee795
  • SSDEEP: 3072:O/Jxq80jdCZBlX1pktW6yMFANtwGn0sxZVmmKyklk:wajsZlpkgtXVzjQFyek

Malware Config

Extracted

  • Family: xehook
  • Version: 2.1.5 Stable
  • C2: https://t.me/+w897k5UK_jIyNDgy
  • Attributes
      • id: 208
      • token: xehook208262680500151

Targets

    • Target: 1d4946ea77a2bcf432f490d0a38429102a51069b
    • Size: 151KB
    • MD5: f635582929e0b0f2f18e1ee1fb7a84e9
    • SHA1: 1d4946ea77a2bcf432f490d0a38429102a51069b
    • SHA256: 583c1eb6360379032d7cf7e6a60e09cfe74c7ecd36174016f293b060537fa52d
    • SHA512: 0a4ac0362ebf4ce81fb187d93898e3ffdf74e6a0da96913818ebbb59a236a3897ec680cdc4599a9cf8cee8f8b7d527c4fc0abf89016bab48449995d10065d1e7
    • SSDEEP: 3072:mQHKadVFHUg2HiFI9ifi5iLLbyq8QL+wI7BJlwEKctby:BqSF/2HQlLLbyq8QL+wI7BJiEK

    • Xehook stealer
      Xehook is an infostealer written in C#.
    • Credentials from Password Stores: Credentials from Web Browsers
      Malicious access to, or copying of, the web browser credential store.
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs such as FileZilla.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Unsecured Credentials: Credentials In Files
      Steals credentials from unsecured files.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Target: d1f0f17e91e91cc4e1647c2aa8a7f39af2793125
    • Size: 168KB
    • MD5: 8df48db76679f51e832e0b48a89c509d
    • SHA1: d1f0f17e91e91cc4e1647c2aa8a7f39af2793125
    • SHA256: 771fb65b9e55db17bca18ea3594e8e8b4d5ef060919844c0641a02d9c3326b1e
    • SHA512: 0e387586091b5455feb19fdfd45cea73f425cf1b8cc8fdc11e68d78826e30f3d148731713c796c0106aee1e756c514fa8ecade656261edc517333245170596c8
    • SSDEEP: 3072:ELUbqjhjDUyx4HCIRoL57WpTlbYsb+L5QgDgZFHdrLTc5wEKctIZ:h4jJ4ORWpTlbYsb+L5QgDgZFHdrLTcml

    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks