General

  • Target

    Inquiry docs_00345.xlsx

  • Size

    185KB

  • Sample

    211103-yemceaeff2

  • MD5

    8601e9fbd0710b734aaa95ba56ebf397

  • SHA1

    d5fefeba0606f92a7223bbe51091132404670daa

  • SHA256

    b224f2409381b02e0f465d688fba51a84efc05092c484fc5521b6b2ac8698aa9

  • SHA512

    2f85167f109a1cbe77dcbe5bebbcd00f83abc72f34f491657f3e25319aaed07ee68e529287e500ca6220fb88f2b171f4b7cb0040de34c488d3d8b72c70abc95d

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ga6b

C2

http://www.egyptian-museum.com/ga6b/

Decoy

diasporacospices.com

sd-shenghe.com

onlinewritingjobs.net

greenstreamgroup.store

garageair.agency

idh-bf.com

middenhavendambreskens.com

szkoleniawcag.online

wiremefeelings.com

ottosperformance.com

brothermush.com

weiserpath.com

baohiemtv24h.com

glassgalaxynft.com

spiritualmind.space

18130072012.com

3v0.space

smartgadgetscompare.com

corvusexpeditii.xyz

egcontabilidade.website

Targets

    • Target

      Inquiry docs_00345.xlsx

    • Size

      185KB

    • MD5

      8601e9fbd0710b734aaa95ba56ebf397

    • SHA1

      d5fefeba0606f92a7223bbe51091132404670daa

    • SHA256

      b224f2409381b02e0f465d688fba51a84efc05092c484fc5521b6b2ac8698aa9

    • SHA512

      2f85167f109a1cbe77dcbe5bebbcd00f83abc72f34f491657f3e25319aaed07ee68e529287e500ca6220fb88f2b171f4b7cb0040de34c488d3d8b72c70abc95d

    • Detect Neshta Payload

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks