Malware sandboxing report by Hatching Triage

Target

QUOTQTION.zip

Size

424KB

Sample

210924-mc171agfdm

Score

10^/10

MD5

a99b952d10143e1d35d96c6b9cb0d0c8

SHA1

8b93ae5b4a30e11817140014c8519824783657b3

SHA256

c58d4399f56ac84de6e6aead1750f1f533baea7508199955ce74eee2b7ca3eee

SHA512

e6136501128034dc3f242b2d8c339a5694fe14abe51dc2a29240f9050e2b779daaa797ea3e815b491fad6e11627bd223beb1d896a8af438726f839a7aa303f48

Extracted

Family	xloader
Version	2.5
Campaign	c2ue
C2	http://www.heidevelop.xyz/c2ue/ http://www.heidevelop.xyz/c2ue/
Decoy	isportdata.com stellarex.energy hsucollections.com menuhaisan.com joe-tzu.com lumichargemktg.com uae.tires rapidcae.com softwaresystemsolutions.com s-galaxy.website daewon-talks.net northgamesnetwork.com catalogue-bouyguestele.com criativanet.com theseasonalshift.com actionfoto.online openmaildoe.com trashpenguin.com ennopure.net azurermine.com wingkingtong.com innovativepropsolutions.com transportesajusco.online rosenblasts.info ttsports.store servpix.com liveatthebiltmore.com magentautil.com aquolly.com collabsales.com bredaslo.com suddisaddu.com www920011a.com uudh.info bleuexpress.com xivuko.com upstatehvacpros.com acami.art thqahql.com mauzabe.com mydrones.net franciseshun.com nrrpri.com adndpanel.xyz straightcorndinner.xyz locngrip.com wgylab.xyz greenmamba100.com dmglobalconsult.net alissanoume.xyz thecallresources.com spacesuperslot.com goodiste.com mensaheating.xyz blackbait6.com keepkalmm.com kodyhughesracing.com semantikgis.com saffoldstrucking.com ingb.online popcert.com tpsynergylab.com acnefreerx.com why1314.xyz isportdata.com stellarex.energy hsucollections.com menuhaisan.com joe-tzu.com lumichargemktg.com uae.tires rapidcae.com softwaresystemsolutions.com s-galaxy.website daewon-talks.net northgamesnetwork.com catalogue-bouyguestele.com criativanet.com theseasonalshift.com actionfoto.online openmaildoe.com trashpenguin.com ennopure.net azurermine.com wingkingtong.com innovativepropsolutions.com transportesajusco.online rosenblasts.info ttsports.store servpix.com liveatthebiltmore.com magentautil.com aquolly.com collabsales.com bredaslo.com suddisaddu.com www920011a.com uudh.info bleuexpress.com xivuko.com upstatehvacpros.com acami.art thqahql.com mauzabe.com mydrones.net franciseshun.com nrrpri.com adndpanel.xyz straightcorndinner.xyz locngrip.com wgylab.xyz greenmamba100.com dmglobalconsult.net alissanoume.xyz thecallresources.com spacesuperslot.com goodiste.com mensaheating.xyz blackbait6.com keepkalmm.com kodyhughesracing.com semantikgis.com saffoldstrucking.com ingb.online popcert.com tpsynergylab.com acnefreerx.com why1314.xyz

Target

QUOTQTION.exe

MD5

24736913b455be2ed3d1cc67c767afc4

Filesize

866KB

Score

10^/10

SHA1

8026db0f265178cf013ac579c1b7267f4014bf2c

SHA256

a109f0b9407728fef1b41d766e8228085ee04661156d84ef543777bf311f450b

SHA512

49dd3e5ecbf6d4cd310a45d0b52e36a363d701f0a9cc14a1d3c103b613eb5a756fdc9ce8b028d69b56c4c8137d29ea3d57865b4ff75dac44bf982e5c80ee56ee

Signatures

Xloader
Description

Xloader is a rebranded version of Formbook malware.
Tags

loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Description

suricata: ET MALWARE FormBook CnC Checkin (GET)
Tags

suricata
Xloader Payload
Tags

rat
Deletes itself
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

Score

N/A

behavioral1

xloader c2ue loader rat suricata

Score

10^/10

behavioral2

xloader c2ue loader rat suricata

Score

10^/10

Extracted

Tags

Signatures

Xloader

Description

Tags

suricata: ET MALWARE FormBook CnC Checkin (GET)

Description

Tags

Xloader Payload

Tags

Deletes itself

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2