General

  • Target

    e657e5580f64554a920f5460edc2a1ae4179b183f7a2adbd613f0e877839bdb4

  • Size

    549KB

  • Sample

    211215-h9tf7shhdj

  • MD5

    7516ac47b4adfef609f6ce4dc1dd809c

  • SHA1

    81d93a74a813e4d2231bf4b06762090d520a5145

  • SHA256

    e657e5580f64554a920f5460edc2a1ae4179b183f7a2adbd613f0e877839bdb4

  • SHA512

    a49542a69ee2ee53ce5ef8db071c80aac38e8eb3a81c025a88229e431c990964dbf7011bdde20240665d791c038cef5cd1c43e02e1367b9ee9c4b4c01c42770b

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Targets

    • Target

      e657e5580f64554a920f5460edc2a1ae4179b183f7a2adbd613f0e877839bdb4

    • Size

      549KB

    • MD5

      7516ac47b4adfef609f6ce4dc1dd809c

    • SHA1

      81d93a74a813e4d2231bf4b06762090d520a5145

    • SHA256

      e657e5580f64554a920f5460edc2a1ae4179b183f7a2adbd613f0e877839bdb4

    • SHA512

      a49542a69ee2ee53ce5ef8db071c80aac38e8eb3a81c025a88229e431c990964dbf7011bdde20240665d791c038cef5cd1c43e02e1367b9ee9c4b4c01c42770b

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Change Default File Association

1
T1042

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks