MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90154c1c837aa0a9238df3b5c8bc9b258bf9304998c51ecf4a40c8644f0fe06a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XehookStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90154c1c837aa0a9238df3b5c8bc9b258bf9304998c51ecf4a40c8644f0fe06a
SHA3-384 hash: 66b3300b5ffd7a59aa788dda6af1973eaa3c07112429dadd70b1b7c6dba942112354201cc3a3037304f8ec6b5ccd3ebf
SHA1 hash: 6c78b28b5ff80db6ebeb377bb9c713cd36311a85
MD5 hash: c94936917d8d5e9f8a829d794ce4631f
humanhash: charlie-carpet-may-juliet
File name:1729664819a07c9dedd4caab03ed0a24e1dd2393a8b2b728b08524aec68823e8ed04253612830.dat-decoded
Download: download sample
Signature XehookStealer
Create hunting rule
File size:161'242 bytes
First seen:2024-10-23 06:27:02 UTC
Last seen:2024-10-23 09:14:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:4l7NVDmlpQ+Ljrok7dupSLL+9fu3/XEn5EwQLDFZD1fIKyKk5VR6G5TzIN9/g:4l7bDmlpQ+Ljrok7d1LL+cwQLDFZD1ft
TLSH T126F3EE88730171EFC867C5728DA8EC60E7E8B5BF830BD283905745A99A5D8D6EF540F2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:base64-decoded exe XehookStealer


Avatar
abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads :
2
# of downloads :
403
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671899215a02f8393c73362b
Tags:
Exploit Packed Remo
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex packed
Link:
https://www.filescan.io/uploads/671897994217e205e6ab2bd3/reports/93f9b844-f432-4842-9645-09a1697106e3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/90154c1c837aa0a9238df3b5c8bc9b258bf9304998c51ecf4a40c8644f0fe06a
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/74a19c16-546a-4526-b74d-fa8b2341dfa6
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1539867
Signature
AI detected suspicious sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/90154c1c837aa0a9238df3b5c8bc9b258bf9304998c51ecf4a40c8644f0fe06a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90154c1c837aa0a9238df3b5c8bc9b258bf9304998c51ecf4a40c8644f0fe06a/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sakuyhedpkqksi4n6o24rpe3ewf7smcjtdcr5t2kidegityp4bva._file
Result
Malware family:
xehook
Create hunting rule
Score:
  10/10
Tags:
family:xehook
Link:
https://tria.ge/reports/241023-g76s3sxejr/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e4e6909c-a9ef-490e-97f9-817a16250388
Unpacked files
SH256 hash:
90154c1c837aa0a9238df3b5c8bc9b258bf9304998c51ecf4a40c8644f0fe06a
MD5 hash:
c94936917d8d5e9f8a829d794ce4631f
SHA1 hash:
6c78b28b5ff80db6ebeb377bb9c713cd36311a85
Link:
https://www.unpac.me/results/6d92b27c-cde6-49a9-b3be-dba283afad77/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90154c1c837aa0a9238df3b5c8bc9b258bf9304998c51ecf4a40c8644f0fe06a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:XehookStealer
Create hunting rule
Author:NDA0E
Description:Detects Xehook Stealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a07c9dedd4caab03ed0a24e1dd2393a8b2b728b08524aec68823e8ed04253612

XehookStealer

Executable exe 90154c1c837aa0a9238df3b5c8bc9b258bf9304998c51ecf4a40c8644f0fe06a

(this sample)

  
Dropped by
SHA256 a07c9dedd4caab03ed0a24e1dd2393a8b2b728b08524aec68823e8ed04253612
  
Dropped by
MD5 b514dade565d15ab0f1c25f2ea725d57
  
URLhaus
https://urlhaus.abuse.ch/url/3249592/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments