General

  • Target

    a9704735e10e7b769bebf6b33f8fd17d8a1f2d97ef774bf2f8d3ff3694ccf6d9

  • Size

    482KB

  • Sample

    211215-jdbrysghe6

  • MD5

    81b76350a44f6356246271612e6f23f2

  • SHA1

    bfafb16fcc983399191cf2596d700aa03ee6f75c

  • SHA256

    a9704735e10e7b769bebf6b33f8fd17d8a1f2d97ef774bf2f8d3ff3694ccf6d9

  • SHA512

    e275f3b36eff3788b3da3a8c05002660e8454e44ddd1ee4a38c85fe54d310c61ffc7228026f74b1e33ac1bcab5144cb65a289566229d1524f46c75d9e6532b1a

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    ea0r

  • C2

    http://www.asiapubz-hk.com/ea0r/

  • Decoy


Targets

    • Target

      a9704735e10e7b769bebf6b33f8fd17d8a1f2d97ef774bf2f8d3ff3694ccf6d9


    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Neshta is a file infector: malware from this family injects itself into other executable files to spread and cause damage.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • T1053 Scheduled Task (1)

Persistence

  • T1042 Change Default File Association (1)

  • T1053 Scheduled Task (1)

Privilege Escalation

  • T1053 Scheduled Task (1)

Defense Evasion

  • T1112 Modify Registry (1)

Credential Access

  • T1081 Credentials in Files (1)

Discovery

  • T1082 System Information Discovery (1)

Collection

  • T1005 Data from Local System (1)

Tasks