xehook | b6144ee112320cbcc476232f0b8bd8b12d24d825ea1ad16ee61e4b31f6e0c779

Analysis

max time kernel
34s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan Alpha (prem).exe
Size

1023KB
MD5

97d01412a39f1e1435a6067483a08e45
SHA1

50806062b59e33e52d911232d364539344a3c35f
SHA256

d9219eed125497b9f0bb0d42dd0639a87e45e2693fe387a58ca1945a30a99a21
SHA512

a530da719e599c987f0457b9c7abd555a69c3ca1100f1fab8d46c056f97cc0f91c1ba2741b82851e5c0cd48f88f9d850744f4390f5b80dcfc3a4c8eccaf6dba6
SSDEEP

6144:c6vNJOIxnO5D0j9EuWn2cYpeLjS+rfWcPBIUMn8ww:hNJO90jfWn2cYpeXS+IUAw

Score

10^/10

xehook credential_access discovery stealer

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

https://t.me/+w897k5UK_jIyNDgy

Attributes

id
334
token
xehook334596636228731

Signatures

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook
Loads dropped DLL 1 IoCs

Processes:

Nursultan Alpha (prem).exe

pid process

1108 Nursultan Alpha (prem).exe
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Nursultan Alpha (prem).exe

description pid process target process

PID 1108 set thread context of 4524 1108 Nursultan Alpha (prem).exe MSBuild.exe

pid	process
1108	Nursultan Alpha (prem).exe

flow	ioc
12	ip-api.com

description	pid	process	target process
PID 1108 set thread context of 4524	1108	Nursultan Alpha (prem).exe	MSBuild.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MSBuild.exeNursultan Alpha (prem).exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan Alpha (prem).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 4524 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4524	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Nursultan Alpha (prem).exe

description	pid	process	target process
PID 1108 wrote to memory of 4524	1108	Nursultan Alpha (prem).exe	MSBuild.exe
PID 1108 wrote to memory of 4524	1108	Nursultan Alpha (prem).exe	MSBuild.exe
PID 1108 wrote to memory of 4524	1108	Nursultan Alpha (prem).exe	MSBuild.exe
PID 1108 wrote to memory of 4524	1108	Nursultan Alpha (prem).exe	MSBuild.exe
PID 1108 wrote to memory of 4524	1108	Nursultan Alpha (prem).exe	MSBuild.exe
PID 1108 wrote to memory of 4524	1108	Nursultan Alpha (prem).exe	MSBuild.exe
PID 1108 wrote to memory of 4524	1108	Nursultan Alpha (prem).exe	MSBuild.exe
PID 1108 wrote to memory of 4524	1108	Nursultan Alpha (prem).exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha (prem).exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha (prem).exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll
Filesize
377KB

MD5
15d3b8dcc8955e56d8f9a00948539adb

SHA1
51ea1e8ba589aa622bb65460515bb3bc31940762

SHA256
6496941c2503b95e14f4a38d56ce1ffecaea7a0a0d59594c0868d99e0ccb5686

SHA512
3e8507b87cf0272b2d91f05d56548e5f0344ce2e3c19f39aee9d612de541305f905eb4b18fee76964791cca43a107220712497235b070e3f57aa82ce9c84463c

Download Submit
memory/1108-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/1108-1-0x00000000004A0000-0x00000000005A6000-memory.dmp

Filesize
1.0MB

Download
memory/1108-12-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/1108-8-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/1108-11-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4524-13-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/4524-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4524-14-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4524-15-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4524-16-0x0000000006350000-0x00000000063E2000-memory.dmp

Filesize
584KB

Download
memory/4524-17-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/4524-18-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4524-19-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4524-21-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download