General

  • Target

    528a540044eb5dfab9ecbd301a63c69c930eea01e090eddd57a38e2cccb325ac

  • Size

    556KB

  • Sample

    211215-je38lahhel

  • MD5

    790d2773e6a7ab6c925661e008dc57d5

  • SHA1

    96056d53acef34d5f75d93c86fe38a4027923443

  • SHA256

    528a540044eb5dfab9ecbd301a63c69c930eea01e090eddd57a38e2cccb325ac

  • SHA512

    4ca8fbbd20674a7cd8d6a8cd54ddbff8510c5802030f1c9086f8bd939523e8b6a0bdc148711184c28c60771de059e51bef22a6167963577f0d060e397580e46b

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Targets

    • Target

      528a540044eb5dfab9ecbd301a63c69c930eea01e090eddd57a38e2cccb325ac

    • Size

      556KB

    • MD5

      790d2773e6a7ab6c925661e008dc57d5

    • SHA1

      96056d53acef34d5f75d93c86fe38a4027923443

    • SHA256

      528a540044eb5dfab9ecbd301a63c69c930eea01e090eddd57a38e2cccb325ac

    • SHA512

      4ca8fbbd20674a7cd8d6a8cd54ddbff8510c5802030f1c9086f8bd939523e8b6a0bdc148711184c28c60771de059e51bef22a6167963577f0d060e397580e46b

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Change Default File Association

1
T1042

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks