xehook | 8b9f71d06784f768fc00982967c0e1b441b0290fb1081e9fcdd32740903f9ccd

General

Target

RevoUninstallerPro5.rar
Size

17.0MB
Sample

240615-l6qgxswgnf
MD5

dbdea4371499d0f80fdb9b28754d3bfa
SHA1

ccd393bdf67a159a39853bb5719fae82d1dcd134
SHA256

8b9f71d06784f768fc00982967c0e1b441b0290fb1081e9fcdd32740903f9ccd
SHA512

71b2a1ec63f9d88a29fa15bf80f321a431269cd7676cdf7df32997e8c4638f6ef138df70247109ff990b4f77d25afc00237e872db3dd95860ba340b588bea6f8
SSDEEP

393216:dI1RAyYMaG/ThnJD9fltg5Y+wel5RWmA/M611cmF1ec/lRQ:dfyYMaGlJdg5Y+pRB61iw1LTQ

Score

10^/10

Malware Config

Targets

- Target
  
  RevoUninstallerPro5.rar
- Size
  
  17.0MB
- MD5
  
  dbdea4371499d0f80fdb9b28754d3bfa
- SHA1
  
  ccd393bdf67a159a39853bb5719fae82d1dcd134
- SHA256
  
  8b9f71d06784f768fc00982967c0e1b441b0290fb1081e9fcdd32740903f9ccd
- SHA512
  
  71b2a1ec63f9d88a29fa15bf80f321a431269cd7676cdf7df32997e8c4638f6ef138df70247109ff990b4f77d25afc00237e872db3dd95860ba340b588bea6f8
- SSDEEP
  
  393216:dI1RAyYMaG/ThnJD9fltg5Y+wel5RWmA/M611cmF1ec/lRQ:dfyYMaGlJdg5Y+pRB61iw1LTQ
Score

10^/10

xehook discovery persistence spyware stealer
- Detect Xehook Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Xehook stealer
  Xehook is an infostealer written in C#.
  stealer xehook
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  Full Program İndir Club - Full Oyun İndir.url
- Size
  
  56B
- MD5
  
  37933eee3cafc84e3622108043d9968e
- SHA1
  
  ff48aeb702f805516a2d5bdb227846be649c223a
- SHA256
  
  927c1e82559c10568a3a09f250cbba5313c8916555ed50084625a242ffb1b26d
- SHA512
  
  99afa399ccc031f20c2cb0e8567d203f51651ebf3b3f30c9c6570a3615e5f819e5eb8fa95648e00d3f735fa70304a9e9f941231ddba3a7f68768d74064904d1a
Score

1^/10
behavioral2
- Target
  
  Fullprogramlarindir Menzil (1).url
- Size
  
  62B
- MD5
  
  3ba004e0a58fb1fa92962abd32789711
- SHA1
  
  ae7ba9291de96f80bdb5bb8477f8b05c89f342a9
- SHA256
  
  b2823b511435ee9f346242337699b781ef997cfeb9f131dfb99e50f147c1819b
- SHA512
  
  b47ae715b09d59499856b83d958f791cdb2b2d508e377e5e2e6820db7dd9f81b92e0cce093d62125d77342dddf22df66c88a24a8b8e9e1758771a070a430d921
Score

1^/10
behavioral3
- Target
  
  Oyun indir Vip.url
- Size
  
  52B
- MD5
  
  7745d1ad2d781d93608e33280de443de
- SHA1
  
  fef8e3347e094a17fd5b84bf6a40d4ad52452f47
- SHA256
  
  f2509c1980ce573d45aa69368267d4c0c80e5c3b6ea8b1cd926f14516bd90dbd
- SHA512
  
  a6105f599203e1d1299b298cc0559bb3094edef8efe308869a194703a4b86ec074c4ccf3ca73b6797c40649c9dd275105f5f598ebfb7b603a52cf21e74d560c4
Score

1^/10
behavioral4
- Target
  
  RevoUninProSetup.exe
- Size
  
  16.9MB
- MD5
  
  dd8fa302db072a5260c7964baa18337b
- SHA1
  
  6fe1ab556642138bc0b24819f31a974ec3c29e28
- SHA256
  
  4f26003b13581a017f037d2946a3efc232ec48530426838460b4bf04c2c4de61
- SHA512
  
  2ab0cd5192d7f7e2efac4db9da96ba4ae5968b9b3dac4f8deb2ca84e67f2118c2a59d71b1fa61d27f877063b855da7ad807c1a7af43e805d2a9d4dca51f137d1
- SSDEEP
  
  393216:Q1RAyYMaG/ThnJD9fltg5Y+wel5RWmA/M611cmF1ec/lRm:XyYMaGlJdg5Y+pRB61iw1LTm
Score

7^/10
- Executes dropped EXE
behavioral5
- Target
  
  lic-pawel97.rar
- Size
  
  64KB
- MD5
  
  cabbd19a901185f2db051e18cbf59305
- SHA1
  
  cd95d2d969c39e8cdf56c5e910aa0f18bf6ba1c8
- SHA256
  
  8608b2785f408a8ae29dd45b5881a1e93661f19e62e56dfe52176b379b60f9fa
- SHA512
  
  6316900bed4dc875e568539abbb5ab7c32ce7fb8a83af12fca5cc5fbce67c0b7f58909fd2ed56f9b9c643d53fcc728e6867e36a81a444059767f4126798bd39b
- SSDEEP
  
  1536:Yg8dvQaFp4zqjLCzkCYlnXMEbnxbiHgsWtXTiKE6AXutI0a:idvPFHLCzYlnXBUg3TibT+I
Score

3^/10
behavioral6
- Target
  
  readme.txt
- Size
  
  68B
- MD5
  
  46884c6375451ba1ffdbd499c0ce5875
- SHA1
  
  48360ae9ed35f33be8b90a756301109abd814b08
- SHA256
  
  c17797f50fb9f5d10f950b442e6567864fb5be95ff1ca819dd23e75a0de54b85
- SHA512
  
  3cf0e2e7f0f86f928ac71575202df8b2aee9772cb2118f5d8b57c7be392f97affb4bac8843874ef7392c56a8856cbd04b9664dfd6e21162a9fd90a83e265f51f
Score

1^/10
behavioral7
- Target
  
  revouninstallerpro5.lic
- Size
  
  64KB
- MD5
  
  8462a9b69c76a9603a4143d51fbc201e
- SHA1
  
  4473590f93f94f22c340a354516191c3c0ba6532
- SHA256
  
  fe4bcb4251f77375119a936c80fb36221af0c5105e840e2e115d47f96cb437c8
- SHA512
  
  2f02ecdb06760a093f4d8e6f04c97138695b064db8cb2dcc4af9b47c829852f38b77be9425eb2f3e3e36f85da181c116c829921fa35ae68afc57c728d5393570
- SSDEEP
  
  1536:wg8dvQaFp4zqjLCzkCYlnXMEbnxbiHgsWtXTiKE6AXutI0b:6dvPFHLCzYlnXBUg3TibT+5
Score

3^/10
behavioral8

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Targets

Detect Xehook Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Xehook stealer

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Registers COM server for autorun

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Executes dropped EXE

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8