General

  • Target

    Nursultan Alpha (prem).rar

  • Size

    218KB

  • Sample

    241005-3y4s1swgmq

  • MD5

    a7f591003cce59e27502d67c86991785

  • SHA1

    786bf85374b6bca104d319cc063109e816e4f66a

  • SHA256

    b6144ee112320cbcc476232f0b8bd8b12d24d825ea1ad16ee61e4b31f6e0c779

  • SHA512

    70ac4f00277059ae82ebc5024060a7f08706cf7a0e8351a5f7e680debd53a6c78fdd95472e6320c0e8766f4f1b7df2b900a4f4c3ace73ecd89f8782e65bb7a7c

  • SSDEEP

    3072:VqcC9NW8fWodHKci2A7Jl6QG8PO8omsPmOHgPjNaSRe+FwBuSRavrF/WLC9CcLJ7:+ffWkHs2A7J/n+my6ASk+FyT6rZx9/

Malware Config

Extracted

  • Family

    xehook

  • Version

    2.1.5 Stable

  • C2

    https://t.me/+w897k5UK_jIyNDgy

  • Attributes

    • id

      334

    • token

      xehook334596636228731

Targets

    • Target

      Nursultan Alpha (prem).exe

    • Size

      1023KB

    • MD5

      97d01412a39f1e1435a6067483a08e45

    • SHA1

      50806062b59e33e52d911232d364539344a3c35f

    • SHA256

      d9219eed125497b9f0bb0d42dd0639a87e45e2693fe387a58ca1945a30a99a21

    • SHA512

      a530da719e599c987f0457b9c7abd555a69c3ca1100f1fab8d46c056f97cc0f91c1ba2741b82851e5c0cd48f88f9d850744f4390f5b80dcfc3a4c8eccaf6dba6

    • SSDEEP

      6144:c6vNJOIxnO5D0j9EuWn2cYpeLjS+rfWcPBIUMn8ww:hNJO90jfWn2cYpeXS+IUAw

    • Xehook stealer

      Xehook is an infostealer written in C#.

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks