Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2024 19:42

General

  • Target

    3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe

  • Size

    368KB

  • MD5

    f258b2b6ffa6756d5f445b1b62685142

  • SHA1

    0c8de6923e6481bd63052539f296dc3b16038a85

  • SHA256

    3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410

  • SHA512

    2a3822658e7a40b5f311066a7d687896eaa4cbea5b5469482bd86201b803bb6008af1a8b09fc50cd178e18b0a6e793540d3afdd0c9ef35e0f4ca2509db254a78

  • SSDEEP

    6144:Ex2oxysMCtUkokSjQhmocTA5QeT4j2tm9o3pXlBVB4wmhA5MKsEB62z:ExPoB0z5Qm4+XlBVB4wmhA5MKsEB62

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

C2

https://t.me/+w897k5UK_jIyNDgy

Attributes
  • id

    185

  • token

    xehook185936398232728

Signatures

  • Xehook stealer

    Xehook is an infostealer written in C#.

  • Loads dropped DLL 1 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe
    "C:\Users\Admin\AppData\Local\Temp\3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\msvcp110.dll

    Filesize

    440KB

    MD5

    2144bb21dc2b6e249c1675491b460b3a

    SHA1

    44c677eac532eff35258c5891303592168aba822

    SHA256

    a34b2bc8a33eca8bfbb35e62558f2d1cda6cef50dc3e0894b62339d53225d495

    SHA512

    7b8fcc13bfa2ad80954b97b930c61f866ce31b6b90bc0032acb65d42d4124e2bec98791763e6d532fdb281728a8de49d65ddb74b3983a3328848b00b0225c605

  • memory/3068-12-0x0000000074EB0000-0x0000000075660000-memory.dmp

    Filesize

    7.7MB

  • memory/3068-2-0x0000000004F20000-0x0000000004F26000-memory.dmp

    Filesize

    24KB

  • memory/3068-9-0x0000000074EB0000-0x0000000075660000-memory.dmp

    Filesize

    7.7MB

  • memory/3068-1-0x00000000005D0000-0x0000000000634000-memory.dmp

    Filesize

    400KB

  • memory/3068-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

    Filesize

    4KB

  • memory/3068-13-0x0000000074EB0000-0x0000000075660000-memory.dmp

    Filesize

    7.7MB

  • memory/4848-10-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4848-14-0x0000000074EB0000-0x0000000075660000-memory.dmp

    Filesize

    7.7MB

  • memory/4848-15-0x0000000005530000-0x0000000005AD4000-memory.dmp

    Filesize

    5.6MB

  • memory/4848-16-0x0000000074EB0000-0x0000000075660000-memory.dmp

    Filesize

    7.7MB

  • memory/4848-17-0x00000000062A0000-0x0000000006332000-memory.dmp

    Filesize

    584KB

  • memory/4848-18-0x0000000006210000-0x0000000006276000-memory.dmp

    Filesize

    408KB

  • memory/4848-20-0x0000000074EB0000-0x0000000075660000-memory.dmp

    Filesize

    7.7MB