Malware sandboxing report by Hatching Triage

General

Target

Sun038db98f99bf9a.exe
Size

172KB
Sample

211031-y4wblsgdc5
MD5

7c3cf9ce3ffb1e5dd48896fdc9080bab
SHA1

34b4976f8f83c1e0a9d277d2a103a61616178728
SHA256

b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83
SHA512

52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473

Score

10^/10

Malware Config

Extracted

Family	xloader
Version	2.5
Campaign	s0iw
C2	http://www.kyiejenner.com/s0iw/ http://www.kyiejenner.com/s0iw/
Decoy	ortopediamodelo.com orimshirts.store universecatholicweekly.info yvettechan.com sersaudavelsempre.online face-booking.net europeanretailgroup.com umofan.com roemahbajumuslim.online joyrosecuisine.net 3dmaker.house megdb.xyz stereoshopie.info gv5rm.com tdc-trust.com mcglobal.club choral.works onlineconsultantgroup.com friscopaintandbody.com midwestii.com weespiel.com babyshell.be gwynora.com talkthered.com f-punk.com frankmatlock.com clique-solicite.net clientloyaltysystem.com worldbyduco.com kampfsport-erfurt.com adndpanel.xyz rocknfamily.net ambr-creative.com wwwks8829.com thuexegiarehcmgoviet.com brentmurrell.art wolf-yachts.com tenpobiz.com binnamall.com crestamarti.quest terry-hitchcock.com ocreverseteam.com taxwarehouse2.xyz megawholesalesystem.com epstein-advisory.com enewlaunches.com iphone13.community pianostands.com newspaper.clinic alamdave.com costalitaestepona2d.com arbacan.com horikoshi-online-tutoring.net missingthered.com ecmcenterprises.com giaohangtietkiemhcm.com universidademackenzie.com kveupcsmimli.mobi ibellex.com ikigaiofficial.store jerseyboysnorfolk.com xiamensaikang.com lmnsky.com bra866.com ortopediamodelo.com orimshirts.store universecatholicweekly.info yvettechan.com sersaudavelsempre.online face-booking.net europeanretailgroup.com umofan.com roemahbajumuslim.online joyrosecuisine.net 3dmaker.house megdb.xyz stereoshopie.info gv5rm.com tdc-trust.com mcglobal.club choral.works onlineconsultantgroup.com friscopaintandbody.com midwestii.com weespiel.com babyshell.be gwynora.com talkthered.com f-punk.com frankmatlock.com clique-solicite.net clientloyaltysystem.com worldbyduco.com kampfsport-erfurt.com adndpanel.xyz rocknfamily.net ambr-creative.com wwwks8829.com thuexegiarehcmgoviet.com brentmurrell.art wolf-yachts.com tenpobiz.com binnamall.com crestamarti.quest terry-hitchcock.com ocreverseteam.com taxwarehouse2.xyz megawholesalesystem.com epstein-advisory.com enewlaunches.com iphone13.community pianostands.com newspaper.clinic alamdave.com costalitaestepona2d.com arbacan.com horikoshi-online-tutoring.net missingthered.com ecmcenterprises.com giaohangtietkiemhcm.com universidademackenzie.com kveupcsmimli.mobi ibellex.com ikigaiofficial.store jerseyboysnorfolk.com xiamensaikang.com lmnsky.com bra866.com

Extracted

Family	raccoon
Botnet	8dec62c1db2959619dca43e02fa46ad7bd606400
Attributes	url4cnc http://telegin.top/capibar http://ttmirror.top/capibar http://teletele.top/capibar http://telegalive.top/capibar http://toptelete.top/capibar http://telegraf.top/capibar https://t.me/capibar
rc4.plain
rc4.plain

Extracted

Family	vidar
Version	41.6
Botnet	937
C2	https://mas.to/@lilocc https://mas.to/@lilocc
Attributes	profile_id 937

Extracted

Family	smokeloader
Version	2020
C2	http://brandyjaggers.com/upload/ http://andbal.com/upload/ http://alotofquotes.com/upload/ http://szpnc.cn/upload/ http://uggeboots.com/upload/ http://100klv.com/upload/ http://rapmusic.at/upload/ http://brandyjaggers.com/upload/ http://andbal.com/upload/ http://alotofquotes.com/upload/ http://szpnc.cn/upload/ http://uggeboots.com/upload/ http://100klv.com/upload/ http://rapmusic.at/upload/
rc4.i32
rc4.i32

Targets

- Target
  
  Sun038db98f99bf9a.exe
- Size
  
  172KB
- MD5
  
  7c3cf9ce3ffb1e5dd48896fdc9080bab
- SHA1
  
  34b4976f8f83c1e0a9d277d2a103a61616178728
- SHA256
  
  b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83
- SHA512
  
  52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473
Score

10^/10

evasion spyware stealer trojan raccoon smokeloader socelars vidar xloader 8dec62c1db2959619dca43e02fa46ad7bd606400 937 s0iw backdoor discovery loader persistence rat themida
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Xloader Payload
  rat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

Raccoon

SmokeLoader

Socelars

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Vidar

Xloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Xloader Payload

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2