85bccf48bd69110456515b5b1fc35fc21c6d983e67c162ab14fb7d8f66616e71

General
Target

85bccf48bd69110456515b5b1fc35fc21c6d983e67c162ab14fb7d8f66616e71

Size

939KB

Sample

211216-y7vt9acha8

Score
10 /10
MD5

cd1f4fa4338ae35dc3e24b7d4fdd2c36

SHA1

35585771c3637ad3df287166a5873f1587003194

SHA256

85bccf48bd69110456515b5b1fc35fc21c6d983e67c162ab14fb7d8f66616e71

SHA512

629cbd4806d4aa68c7f4223180d5c2a06378c9a5f1b7c3587f6e3f375ce5fdbc7eff20b0e9f24458d6c0eaa41c79ef786bd54b0e7c7eebf3a1c103b4eff4c669

Malware Config

Extracted

Family xloader
Version 2.5
Campaign ea0r
Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

metalumber.com

sclvfu.com

macanostore.online

projecturs.com

ahcprp.com

gztyfnrj.com

lospacenos.com

tak-etranger.com

dingermail.com

skiin.club

ystops.com

tnboxes.com

ccafgz.com

info1337.xyz

platinum24.top

hothess.com

novelfinancewhite.xyz

theselectdifference.com

flufca.com

giftcodefreefirevns.com

kgv-lachswehr.com

report-alfarabilabs.com

skeetones.com

4bcinc.com

americamr.com

wewonacademy.com

evrazavto.store

true-fanbox.com

greencofiji.com

threecommaspartners.com

Targets
Target

85bccf48bd69110456515b5b1fc35fc21c6d983e67c162ab14fb7d8f66616e71

MD5

cd1f4fa4338ae35dc3e24b7d4fdd2c36

Filesize

939KB

Score
10/10
SHA1

35585771c3637ad3df287166a5873f1587003194

SHA256

85bccf48bd69110456515b5b1fc35fc21c6d983e67c162ab14fb7d8f66616e71

SHA512

629cbd4806d4aa68c7f4223180d5c2a06378c9a5f1b7c3587f6e3f375ce5fdbc7eff20b0e9f24458d6c0eaa41c79ef786bd54b0e7c7eebf3a1c103b4eff4c669

Tags

Signatures

  • Modifies system executable filetype association

    Tags

    TTPs

    Modify RegistryChange Default File Association
  • Neshta

    Description

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    Tags

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • Xloader Payload

    Tags

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Privilege Escalation
                Tasks