xehook | 73fc5919066a87f1310c3449d02dcce2249cdccede4a51f899cd7d43944d8159

General

Target

Aura (123).rar
Size

373KB
MD5

07548c2a5847ad0029f1e7562940e00b
SHA1

ecb87973af3fc481595169bd577a08bd22ef2f32
SHA256

73fc5919066a87f1310c3449d02dcce2249cdccede4a51f899cd7d43944d8159
SHA512

fc527e8c3f3a41ecbbd29a7babe9db2e8d065310213d93b1d36561c69c9dc1045983ebe5c4a5bce2cfbe8c95f16658d3e291e46d5bc491ea2ed67599b5803a36
SSDEEP

6144:YmnllS0FJv76N/MbPTfiYC7VNxYxAwJHbcVSlhFu2gpvzdzpBJI52BpiztRbhAFc:YUlFJv7WkbbiYtxAwygebdzXDB0ztRbr

Score

10^/10

xehook credential_access discovery stealer

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

C2

https://t.me/+w897k5UK_jIyNDgy

Attributes

id
204
token
xehook204410372691867

Signatures

Xehook family
xehook
Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook

Executes dropped EXE 1 IoCs

Processes:

Aura.exe

pid	Process
1576	Aura.exe

Loads dropped DLL 1 IoCs

Processes:

Aura.exe

pid	Process
1576	Aura.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
34	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

Aura.exe

description	pid	Process	procid_target
PID 1576 set thread context of 4680	1576	Aura.exe	100

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Aura.exeMSBuild.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aura.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
2276	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exeMSBuild.exe

description	pid	Process
Token: SeRestorePrivilege	2276	7zFM.exe
Token: 35	2276	7zFM.exe
Token: SeSecurityPrivilege	2276	7zFM.exe
Token: SeDebugPrivilege	4680	MSBuild.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid	Process
2276	7zFM.exe
2276	7zFM.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Aura.exe

description	pid	Process	procid_target
PID 1576 wrote to memory of 4680	1576	Aura.exe	100
PID 1576 wrote to memory of 4680	1576	Aura.exe	100
PID 1576 wrote to memory of 4680	1576	Aura.exe	100
PID 1576 wrote to memory of 4680	1576	Aura.exe	100
PID 1576 wrote to memory of 4680	1576	Aura.exe	100
PID 1576 wrote to memory of 4680	1576	Aura.exe	100
PID 1576 wrote to memory of 4680	1576	Aura.exe	100
PID 1576 wrote to memory of 4680	1576	Aura.exe	100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Aura (123).rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2084

C:\Users\Admin\Desktop\Aura\Aura.exe
"C:\Users\Admin\Desktop\Aura\Aura.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
349KB

MD5
d27a4224373fa5013dd7358bb78e70e2

SHA1
d0da59e2178463dc7cee27cc2317ad2b99f6735e

SHA256
e72bfcdb739c219cee2c1b2a194affa6682b164a76a7f76226fe8383c6f840b6

SHA512
8ed917cd25837ed45e7e1ab3e243e6a6ced61d8590e3dc7d950ff3db24880f44115dcdf34fcfb1a0e6e9e3733a7064a5deb431a3741395d75927470423e215b9

Download Submit
C:\Users\Admin\Desktop\Aura\Aura.exe

Filesize
230KB

MD5
e810c13bbf182db3d7142633f7566bd3

SHA1
328cf4a91f04937fe6473f6bb0660eeaf2befd84

SHA256
fdeb6db5ecf7184705ed59d10aabd0c1fea31265a68fd19a1c47ff03cc51f658

SHA512
ce0631d6f9a01da7bd020622345038ab5f0b89a994dca279585623bfea3b17012480c7fa241701eadd9dbe31fa73611728b4edd5cb820d58872f7889fad7bccd

Download Submit
memory/1576-8-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

Filesize
4KB

Download
memory/1576-9-0x00000000007A0000-0x00000000007E4000-memory.dmp

Filesize
272KB

Download
memory/1576-10-0x0000000002CC0000-0x0000000002CC6000-memory.dmp

Filesize
24KB

Download
memory/1576-19-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/1576-20-0x0000000077991000-0x0000000077AB1000-memory.dmp

Filesize
1.1MB

Download
memory/1576-24-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/4680-17-0x0000000000730000-0x000000000075C000-memory.dmp

Filesize
176KB

Download
memory/4680-21-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/4680-22-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4680-23-0x0000000006030000-0x00000000060C2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads