Malware sandboxing report by Hatching Triage

General

Target

STATEMENT Oct-Nov 25-11-2021.com
Size

301KB
Sample

211125-va45wabbf4
MD5

02e738dd13974ab64a472f6aa2f065a8
SHA1

6134aee9ceffce4d6ed1777739493def77b62533
SHA256

9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae
SHA512

90ce5711d1f3abd07398c38706f5dc48da02676a86331115b5c7724fd98b1b41606f3d80763d3c03663c1c1bf7864609d65eae183b73f5df2db8e73a49bccf09

Score

10^/10

Malware Config

Extracted

Family	xloader
Version	2.5
Campaign	unzn
C2	http://www.davanamays.com/unzn/ http://www.davanamays.com/unzn/
Decoy	xiulf.com highcountrymortar.com 523561.com marketingagency.tools ganmovie.net nationaalcontactpunt.com sirrbter.com begizas.xyz missimi-fashion.com munixc.info daas.support spaceworbc.com faithtruthresolve.com gymkub.com thegrayverse.xyz artisanmakefurniture.com 029tryy.com ijuubx.biz iphone13promax.club techuniversus.com samrgov.xyz grownupcurl.com sj0755.net beekeeperkit.com richessesabondantes.com xclgjgjh.net webworkscork.com vedepviet365.com bretabeameven.com cdzsmhw.com clearperspective.biz tigrg5g784sh.biz bbezan011.xyz mycar.store mansooralobeidli.com ascensionmemberszoom.com unlimitedrehab.com wozka.top askylarkgoods.com rj793.com prosvalor.com primetimeexpress.com boixosnoisperu.com mmasportgear.com concertiranian.net hyponymys.info maila.one yti0fyic.xyz shashiprayag.com speedprosmotorsports.com westchestercountyjunkcars.com patienceinmypocket.com rausachbaoloc.com plexregroup.com outsydercs.com foodandflour.com lenacrypto.xyz homeservicetoday.net marthaperry.com vmtcyd4q8.com shamefulguys.com loccssol.store gnarledportra.xyz 042atk.xyz xiulf.com highcountrymortar.com 523561.com marketingagency.tools ganmovie.net nationaalcontactpunt.com sirrbter.com begizas.xyz missimi-fashion.com munixc.info daas.support spaceworbc.com faithtruthresolve.com gymkub.com thegrayverse.xyz artisanmakefurniture.com 029tryy.com ijuubx.biz iphone13promax.club techuniversus.com samrgov.xyz grownupcurl.com sj0755.net beekeeperkit.com richessesabondantes.com xclgjgjh.net webworkscork.com vedepviet365.com bretabeameven.com cdzsmhw.com clearperspective.biz tigrg5g784sh.biz bbezan011.xyz mycar.store mansooralobeidli.com ascensionmemberszoom.com unlimitedrehab.com wozka.top askylarkgoods.com rj793.com prosvalor.com primetimeexpress.com boixosnoisperu.com mmasportgear.com concertiranian.net hyponymys.info maila.one yti0fyic.xyz shashiprayag.com speedprosmotorsports.com westchestercountyjunkcars.com patienceinmypocket.com rausachbaoloc.com plexregroup.com outsydercs.com foodandflour.com lenacrypto.xyz homeservicetoday.net marthaperry.com vmtcyd4q8.com shamefulguys.com loccssol.store gnarledportra.xyz 042atk.xyz

Targets

- Target
  
  STATEMENT Oct-Nov 25-11-2021.com
- Size
  
  301KB
- MD5
  
  02e738dd13974ab64a472f6aa2f065a8
- SHA1
  
  6134aee9ceffce4d6ed1777739493def77b62533
- SHA256
  
  9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae
- SHA512
  
  90ce5711d1f3abd07398c38706f5dc48da02676a86331115b5c7724fd98b1b41606f3d80763d3c03663c1c1bf7864609d65eae183b73f5df2db8e73a49bccf09
Score

10^/10

xloader unzn loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

Xloader Payload

Deletes itself

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2