xehook | 98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da

General

Target

98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe
Size

227KB
MD5

a9ac04a4a30fcf7f57fa94e6bff411fe
SHA1

4c44ef0ec8e8a8d74497d4548f07ff86d6d8426d
SHA256

98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da
SHA512

ab757b0698a72403fbf95612ed28aff4df090590f6121d20cc321931d196af4d8602994b6fb2bff876406fb69c917b2bb936d82fa56b1ebbb4a1e253a0bfa523
SSDEEP

6144:5nllcE8uegM8zBQC/KGKAQ4lOjoegzGXgrshUN8:5agl2C/KGK4lNegzGXgrshUN8

Score

10^/10

xehook credential_access discovery stealer

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

C2

https://t.me/+w897k5UK_jIyNDgy

Attributes

id
376
token
xehook376672216898165

Signatures

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook

Loads dropped DLL 1 IoCs

Processes:

98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe

pid	Process
3592	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
12	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe

description	pid	Process	procid_target
PID 3592 set thread context of 2736	3592	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exeMSBuild.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description	pid	Process
Token: SeDebugPrivilege	2736	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe

description	pid	Process	procid_target
PID 3592 wrote to memory of 2736	3592	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe	85
PID 3592 wrote to memory of 2736	3592	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe	85
PID 3592 wrote to memory of 2736	3592	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe	85
PID 3592 wrote to memory of 2736	3592	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe	85
PID 3592 wrote to memory of 2736	3592	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe	85
PID 3592 wrote to memory of 2736	3592	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe	85
PID 3592 wrote to memory of 2736	3592	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe	85
PID 3592 wrote to memory of 2736	3592	98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe	85

C:\Users\Admin\AppData\Local\Temp\98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe
"C:\Users\Admin\AppData\Local\Temp\98f915073ebb14e0302f0e75c58e884c8a1ff16647105dcc6efc8606bbe214da.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
339KB

MD5
3efb97fac70bdbed1e6e649b51360580

SHA1
4281ba90149793bce4c54ef8d38ef45eaf464e75

SHA256
11f508d1063a35ae22abe9d5f671016e2e81d056738a13af822fe36b3b4d9756

SHA512
751e9c55429fdfb0e8bc18415d323a2d5e074bf7c2b5355701427077a8e98629bea5106db890378749c388715b718eb76b1505dc57ebcb7f6b8c3addf79c39d9

Download Submit
memory/2736-14-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2736-20-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2736-18-0x0000000006D90000-0x0000000006E22000-memory.dmp

Filesize
584KB

Download
memory/2736-17-0x00000000067C0000-0x0000000006826000-memory.dmp

Filesize
408KB

Download
memory/2736-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2736-16-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2736-15-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/3592-3-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3592-13-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3592-12-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3592-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/3592-2-0x0000000001520000-0x0000000001526000-memory.dmp

Filesize
24KB

Download
memory/3592-1-0x0000000000C50000-0x0000000000C92000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads