General

  • Target

    Ref Swift Transfer.xlsx

  • Size

    186KB

  • Sample

    211103-yej72sefe9

  • MD5

    99433830e4ab9d54a431a440f57e1ab9

  • SHA1

    e997077f8cec8e3055dc5064e4b75db4ea4b4645

  • SHA256

    cd8e870fce0c84649d1cbddfaae7d5c983a6165475f6d9b2f845c48a678dff8d

  • SHA512

    d90f47ad8a95f72aa7bb522ef80bd4fc91cc6ccd198b1a801083bb7a25c8bf625af3842e41dff0e5f17674de65d2576482f8f80d908fcfce0cba2568987540dd

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

qw2c

C2

http://www.qhatu-peru.com/qw2c/

Decoy

tripleincome.trade

theorigins.xyz

codzpays.com

tacocoparker.com

athensbyozanfirat.com

aero-charger.com

mobiushs.com

wealthpatternsllc.net

oneuplord.net

19kaldenbergplace.com

dxalt.com

pageants.xyz

mengyaoke.xyz

xn--80aaudhcmg4b.online

kpmg-grab.com

unsiontv.com

builderclubvn.com

shafara.com

bmwrepairnashville.com

gelgist.com

Targets

    • Target

      Ref Swift Transfer.xlsx

    • Size

      186KB

    • MD5

      99433830e4ab9d54a431a440f57e1ab9

    • SHA1

      e997077f8cec8e3055dc5064e4b75db4ea4b4645

    • SHA256

      cd8e870fce0c84649d1cbddfaae7d5c983a6165475f6d9b2f845c48a678dff8d

    • SHA512

      d90f47ad8a95f72aa7bb522ef80bd4fc91cc6ccd198b1a801083bb7a25c8bf625af3842e41dff0e5f17674de65d2576482f8f80d908fcfce0cba2568987540dd

    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks