xehook | bulkdownload[.]rl[.]zip

General

Target

bulkdownload.rl.zip
Size

119KB
MD5

06410427f6646ca85b63af8a45def7a7
SHA1

2b309bafd7846015d34f561546aca5e7a669f595
SHA256

676498f292b3a47c39fadd65d8400735c92d0453aa627b1013cb4fe5a100be2d
SHA512

6ba130d386146af99c928adc3e44e50a4f1ff7a6329b3e4395a7981842484601ceaf9e9fecc556d8b10a8397ac93f569d8a6d131343aad7a0f61bdd9905ee795
SSDEEP

3072:O/Jxq80jdCZBlX1pktW6yMFANtwGn0sxZVmmKyklk:wajsZlpkgtXVzjQFyek

Score

10^/10

xehook

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

C2

https://t.me/+w897k5UK_jIyNDgy

Attributes

id
208
token
xehook208262680500151

Signatures

Xehook family
xehook

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/1d4946ea77a2bcf432f490d0a38429102a51069b
unpack001/d1f0f17e91e91cc4e1647c2aa8a7f39af2793125

Files

bulkdownload.rl.zip
.zip

Password: infected
1d4946ea77a2bcf432f490d0a38429102a51069b
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 148KB - Virtual size: 148KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
d1f0f17e91e91cc4e1647c2aa8a7f39af2793125
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 148KB - Virtual size: 148KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 148KB - Virtual size: 148KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 148KB - Virtual size: 148KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 12B - Virtual size: 12B

.text
Size: 148KB - Virtual size: 148KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 148KB - Virtual size: 148KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 12B - Virtual size: 12B