Windows
Analysis Report
1d0000.MSBuild.exe
Overview
General Information
Detection: Xehook Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Suricata IDS alerts for network traffic
Yara detected Xehook Stealer
AI detected suspicious sample
Creates HTML files with .exe extension (expired dropper behavior)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Classification
- System is w10x64
- 1d0000.MSBuild.exe (PID: 7416, cmdline: "C:\Users\user\Desktop\1d0000.MSBuild.exe", MD5: 41CF033D05AE0E2C5238A7932CF2DC77)
  - powershell.exe (PID: 7660, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'", MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 7668, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found.
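The process tree above is the part of this report that translates most directly into a host-side hunt: a binary carrying a trusted tool's name (MSBuild) runs from a user-writable folder and spawns powershell.exe whose only job is `Start-Process` on a freshly dropped .exe under AppData\Roaming. The following is an added example (not Joe Sandbox code and not part of this report) that runs that hunt over Sysmon-style process-creation records. The PIDs, images and command lines of the three malicious events are copied from the tree above; the explorer.exe parent, the two benign control events, the rule names and the `AppData\Local` generalisation are assumptions made for the example.

```python
"""Hunt for the process chain in the report above in Sysmon-style process-creation events.

Added example, not part of the Joe Sandbox report. The detection rules and the
PIDs, parent PIDs and benign control events that are not in the report are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process (Sysmon EID 1 "Image")
    cmdline: str    # its command line (Sysmon EID 1 "CommandLine")


# Constructed input: PIDs, images and command lines of the sample, powershell.exe and
# conhost.exe events are taken from the process tree above. The explorer.exe parent
# (PID 1000) and the two benign control events at the end are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(7416, 1000, r"C:\Users\user\Desktop\1d0000.MSBuild.exe",
              r'"C:\Users\user\Desktop\1d0000.MSBuild.exe"'),
    ProcEvent(7660, 7416, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'"'''),
    ProcEvent(7668, 7660, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(8001, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"'),
    ProcEvent(8002, 1000, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" app.csproj'),
]

SHELLS = {"powershell.exe", "pwsh.exe"}

# Start-Process followed by a .exe under a per-user AppData directory. The report shows
# AppData\Roaming; AppData\Local is included as a generalisation of the same pattern.
START_PROCESS_APPDATA = re.compile(
    r"start-process\b.*?['\"]?[a-z]:\\users\\[^'\"\s\\]+\\appdata\\(?:roaming|local)\\[^'\"]*?\.exe",
    re.IGNORECASE,
)
# Anything under C:\Users\ is writable by the logged-on user; real build tools live elsewhere.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
LOOKALIKE_NAMES = ("msbuild",)   # trusted-tool names worth checking for masquerading


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: ProcEvent) -> list[str]:
    """Names of the rules this single event trips (empty list when benign)."""
    hits = []
    name = basename(ev.image)
    if name in SHELLS and START_PROCESS_APPDATA.search(ev.cmdline):
        hits.append("powershell_start_process_from_appdata")
    if any(n in name for n in LOOKALIKE_NAMES) and USER_WRITABLE.match(ev.image):
        hits.append("lookalike_build_tool_in_user_path")
    return hits


def hunt(events) -> dict[int, list[str]]:
    """Map pid -> tripped rules for every event that matches at least one rule."""
    return {ev.pid: hits for ev in events if (hits := check_event(ev))}


def ancestry(events, pid: int) -> list[str]:
    """Image basenames from pid up to the root, to show the chain a hit sits in."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, rules in hunt(SAMPLE_EVENTS).items():
        print(pid, rules, " <- ".join(ancestry(SAMPLE_EVENTS, pid)))
```

The conhost.exe child (`0xffffffff -ForceV1`) is the normal console host for any console process and is intentionally not a rule; the signal is the parent chain, which `ancestry` reconstructs so that a hit on powershell.exe is reported together with the lookalike MSBuild binary that launched it.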
Rule | Description | Author | Matches
---|---|---|---
JoeSecurity_xehookStealer_1 | Yara detected Xehook Stealer | Joe Security | 6
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | 1
Sigma rule matched; author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements).
Timestamp | SID | Severity (1 = highest) | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
---|---|---|---|---|---|---|---|---
2024-09-05T14:29:13.959077+0200 | 2051457 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 65.109.218.88 | 80 | TCP
2024-09-05T14:29:13.959077+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 65.109.218.88 | 80 | TCP
2024-09-05T14:29:14.649122+0200 | 2051458 | 1 | A Network Trojan was detected | 65.109.218.88 | 80 | 192.168.2.8 | 49706 | TCP
2024-09-05T14:29:16.248275+0200 | 2843856 | 1 | A Network Trojan was detected | 192.168.2.8 | 49708 | 65.109.218.88 | 80 | TCP
2024-09-05T14:29:17.912548+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49708 | 65.109.218.88 | 80 | TCP
2024-09-05T14:29:18.305457+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49708 | 65.109.218.88 | 80 | TCP
2024-09-05T14:29:20.601787+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 87.250.250.50 | 443 | TCP
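Read row by row, the alert tables above mix three flows and both directions of one of them. Grouping alerts into client-to-server flows before deciding what to block is the step a responder actually wants: it shows that the two severity-1 hits on port 49706 are the request and the response of one HTTP exchange with 65.109.218.88, while the 443 connection to 87.250.250.50 only ever tripped a severity-3 "Unknown Traffic" rule and should not be blocklisted on that evidence alone. The following is an added example, not part of the Joe Sandbox report: the seven rows are copied from the tables into a constructed pipe-delimited string, and treating 192.168.0.0/16 as the sandbox (client) side of every flow is an assumption.

```python
"""Group the Suricata alert rows from the report above into flows and rank them.

Added example, not part of the Joe Sandbox report. The rows are copied from the
alert tables into a constructed pipe-delimited string; treating 192.168.0.0/16 as the
sandbox (client) side is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed input: the seven alert rows from the tables above, one per line.
SURICATA_ROWS = """\
2024-09-05T14:29:13.959077+0200|2051457|1|A Network Trojan was detected|192.168.2.8|49706|65.109.218.88|80|TCP
2024-09-05T14:29:14.649122+0200|2051458|1|A Network Trojan was detected|65.109.218.88|80|192.168.2.8|49706|TCP
2024-09-05T14:29:13.959077+0200|2803305|3|Unknown Traffic|192.168.2.8|49706|65.109.218.88|80|TCP
2024-09-05T14:29:20.601787+0200|2803305|3|Unknown Traffic|192.168.2.8|49710|87.250.250.50|443|TCP
2024-09-05T14:29:17.912548+0200|2803274|2|Potentially Bad Traffic|192.168.2.8|49708|65.109.218.88|80|TCP
2024-09-05T14:29:18.305457+0200|2803274|2|Potentially Bad Traffic|192.168.2.8|49708|65.109.218.88|80|TCP
2024-09-05T14:29:16.248275+0200|2843856|1|A Network Trojan was detected|192.168.2.8|49708|65.109.218.88|80|TCP
"""

FIELDS = ["ts", "sid", "severity", "classtype", "src_ip", "src_port", "dst_ip", "dst_port", "proto"]


def parse_alerts(text: str) -> list[dict]:
    """Parse the pipe-delimited rows into typed records (timestamp, ints for SID/ports)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|")))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        for k in ("sid", "severity", "src_port", "dst_port"):
            rec[k] = int(rec[k])
        alerts.append(rec)
    return alerts


def is_internal(ip: str) -> bool:
    return ip.startswith("192.168.")   # assumption: the sandbox VM's network


def flow_key(a: dict) -> tuple:
    """5-tuple oriented client -> server so both directions of a flow collapse together."""
    if is_internal(a["src_ip"]):
        return (a["src_ip"], a["src_port"], a["dst_ip"], a["dst_port"], a["proto"])
    return (a["dst_ip"], a["dst_port"], a["src_ip"], a["src_port"], a["proto"])


def group_flows(alerts) -> dict:
    """Aggregate alerts per flow: SIDs seen, worst severity, alert count, time span."""
    flows = defaultdict(lambda: {"sids": set(), "severity": 99, "alerts": 0, "first": None, "last": None})
    for a in alerts:
        f = flows[flow_key(a)]
        f["sids"].add(a["sid"])
        f["severity"] = min(f["severity"], a["severity"])   # Suricata: 1 is the highest severity
        f["alerts"] += 1
        f["first"] = a["ts"] if f["first"] is None else min(f["first"], a["ts"])
        f["last"] = a["ts"] if f["last"] is None else max(f["last"], a["ts"])
    return dict(flows)


def blocklist_candidates(flows, max_severity: int = 1) -> list[tuple[str, int]]:
    """Server endpoints that carried at least one alert at or above max_severity.

    Flows whose only hit is a low-severity 'Unknown Traffic' rule are deliberately left
    out: on their own they are not evidence that the endpoint is malicious.
    """
    return sorted({(k[2], k[3]) for k, f in flows.items() if f["severity"] <= max_severity})


if __name__ == "__main__":
    flows = group_flows(parse_alerts(SURICATA_ROWS))
    for key, f in sorted(flows.items(), key=lambda kv: (kv[1]["severity"], kv[1]["first"])):
        print(key, "severity", f["severity"], "sids", sorted(f["sids"]), "alerts", f["alerts"])
    print("block:", blocklist_candidates(flows))
```

Running it yields three flows; only 65.109.218.88:80 survives the severity filter, and it does so from two separate flows (source ports 49706 and 49708), which is stronger evidence than any single alert row.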
AV Detection
Source: Avira (submitted sample)
Source: Avira URL Cloud (5 URL/domain detections)
Source: Integrated Neural Analysis Model
Source: Joe Sandbox ML
Source: Code function 0_2_00007FFB4AE25D62
Source: HTTPS traffic detected (3 connections)
Source: Static PE information
Source: File opened (6 entries)
Networking