{
	"id": "a12e9e19-7c79-4af6-9194-40ace5fc3765",
	"created_at": "2026-04-06T00:14:33.459214Z",
	"updated_at": "2026-04-10T03:35:55.940677Z",
	"deleted_at": null,
	"sha1_hash": "4ee20a58ccfd865cf078ab4ea37e0c04e79da68b",
	"title": "Inside the SharpPanda's Malware Targeting Malaysia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2003076,
	"plain_text": "Inside the SharpPanda's Malware Targeting Malaysia\r\nBy Anonymous\r\nPublished: 2024-05-24 · Archived: 2026-04-05 20:17:28 UTC\r\nThis post was authored by the NetbyteSEC Detecx team.\r\nIn April 2024, the NetbyteSEC (NBS) team discovered a tweet from Group IB Threat Intelligence indicating the detection of several malware instances associated with SharpPanda uploaded to VirusTotal. This piqued the NBS team's interest to dig deeper, particularly into the samples linked to Malaysia, as the uploader of the sample on the VirusTotal platform was identified as being from Malaysia.\r\nhttps://notes.netbytesec.com/2024/05/inside-sharppandas-malware-targeting.html\r\nPage 1 of 6\n\nFigure 1: Tweet from Group IB Threat Intelligence\r\nBased on the IOCs (Indicators of Compromise), it appears that the SharpPanda team targeted another Southeast Asian country besides Malaysia.\r\nThe NBS team collected all the IOCs from the tweet's thread and retrieved the samples from VirusTotal for further analysis. In this case, the NBS team focuses solely on the samples that are linked to Malaysia.\r\nWell before the tweet, an independent security researcher (@4rchib4ld) reported the same threat information regarding a SharpPanda sample that was uploaded from Malaysia.\r\nFigure 2: Tweet from independent security researcher associated with SharpPanda\r\nThank you to Group IB and @4rchib4ld for the malware hunting findings.\r\n1.0 Executive Summary\r\nThe NBS team recently conducted an analysis of a malware sample that belongs to the SharpPanda APT group, which was targeting Malaysia around March to April 2024. Based on the intelligence, the sample leverages a malicious executable that establishes a backdoor connection, giving the attacker access once the malware infects the victims. The NBS team is unable to identify how the threat actor distributed the malware. 
Nevertheless, this kind of malware campaign would typically involve sending the malicious document and executable file as an email attachment. Based on our analysis of one of the sample executables, the final objective of the malware is to provide a backdoor connection to the C2 server.\r\nFigure 3: Graph flow of the malware\r\n2.0 Technical Analysis\r\nIn this technical analysis, the NBS team was able to retrieve the samples that were uploaded to VirusTotal and conduct malware analysis and reverse engineering on the sample. The name of the sample executable is \"REKOD MINIT KSN KEPADA YAB PM 2023 - 15.exe\" (SHA1: ba12750f122462d16b4847adcb927b86af60b5d6).\r\nInitial Analysis\r\nUpon initial analysis, it is apparent that the attacker is leveraging the Microsoft Word icon for the executable file to deceive users, making the malicious file appear harmless and increasing the likelihood of it being clicked.\r\nFigure 4: The executable file with Microsoft Word icon\r\nThe initial assessment of the executable on VirusTotal, as of the time of this writing, shows that the malware executable has a high antivirus detection rate, with a current detection score of 46/72 as shown in the figure below. This high detection suggests that the malware has a significant ability to infect.\r\nFigure 5: VirusTotal result\r\nPivoting our analysis to the network connection results in the VirusTotal sandbox reveals that the malware makes a few connections to an endpoint, 185.239.226.91, located in Hong Kong.\r\nFigure 6: Network connection results in VirusTotal\r\nBased on the figure above, the malware communicates with the C2 server by sending encoded and encrypted strings appended to the full URL parameter. 
\r\nString Decryption\r\nUpon reverse engineering the malware sample, it was found that the malware employs a significant amount of simple XOR decryption on encrypted strings, which are then used for the rest of the malware's functionality. It is observed that numerous functions within the malware decrypt the strings before proceeding to their actual functionality.\r\nFigure 7: XOR decryption on encrypted strings\r\nAfter the decryption of the encrypted values is complete, the strings are utilized in several functionalities, such as constructing URL paths, calling Windows APIs, defining mutex names, and various others.\r\nMutex Creation\r\nAfter decrypting the encrypted strings, the malware proceeds to create a mutex with the name \"mt_app_http_get_zed2vsp\", typically to avoid multiple infections of the same machine.\r\nFigure 8: Mutex creation\r\nWe can double-confirm the mutex creation by reviewing the Handles object of the executable's process.\r\nFigure 9: Review Handles object to validate the mutex creation\r\nOS Information Enumeration\r\nFurthermore, the malware proceeds to another crucial function, which collects all the operating system information and compiles the results into a single log string. In the following figure, the code performs all the information enumeration and appends each item to an acronym accordingly.\r\nFigure 10: Information enumeration\r\nThe attribution of the acronyms is as follows:\r\n1. HTN = Hostname\r\n2. OSN = OS Name\r\n3. OSV = OS Version\r\n4. URN = Username\r\n5. ITF = Network Interface\r\n6. PGF = Program Files (Installed)\r\n7. 
PSL = Running Processes\r\nBelow is a sample of the data collected from NBS's lab host:\r\nHTN:DESKTOP-XXXX; OSN:Windows 10 Enterprise; OSV:10.0.19046; URN:mare; ITF:N:1 {4380E106-0381-4C7A-8D3F-9286286\r\nData Encryption and Encoding\r\nAfter collecting all the necessary data, the malware encrypts the long string using RC4 and encodes it with base64 for ease of appending it to the URL path parameter.\r\nThe function in the figure below demonstrates the RC4 encryption process applied to the data.\r\nFigure 11: RC4 encryption process\r\nThe function below demonstrates the base64 encoding process applied to the RC4-encrypted data.\r\nFigure 12: Base64 encoding process\r\nAfter completing the encryption and encoding processes, the malware constructs a string builder for the URL path and appends the base64-encoded data to the URL path parameter, which is used for the C2 communication.\r\nFigure 13: The process of constructing the string builder and appending base64-encoded data to the URL path\r\nC2 Communication\r\nUtilizing the previously mentioned URL decoding and string constructor, the malware employs the Windows Socket API to establish communication with the threat actor's server.\r\nFigure 14: Establishing the C2 connection using the Windows Socket API\r\nThis communication can be seen by sniffing the network traffic, as shown in the figure below:\r\nFigure 15: Malware communication after the host has been infected\r\n3.0 Summary\r\nThe malware initially performs extensive string decryption to prepare for the subsequent functions. Utilizing the decrypted strings, it creates a mutex on the infected host to prevent multiple infections. Subsequently, the malware gathers various information about the infected host and encrypts it using the RC4 algorithm. The resulting data is then encoded with base64 and appended to the URL path. 
In the final stage of functionality, it initiates C2 communication using the previously mentioned URL path and the encrypted data.\r\n4.0 IOCs\r\nNetwork:\r\n185.239.226.91\r\nHash:\r\nSHA256: 20a4256443957fbae69c7c666ae025522533b849e01680287177110603a83a41\r\nSource: https://notes.netbytesec.com/2024/05/inside-sharppandas-malware-targeting.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://notes.netbytesec.com/2024/05/inside-sharppandas-malware-targeting.html"
	],
	"report_names": [
		"inside-sharppandas-malware-targeting.html"
	],
	"threat_actors": [
		{
			"id": "8a3bd03a-f69b-455b-b88b-3842a3528bfd",
			"created_at": "2022-10-25T16:07:24.178007Z",
			"updated_at": "2026-04-10T02:00:04.89066Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon",
				"SharpPanda"
			],
			"source_name": "ETDA:SharpPanda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"RoyalRoad",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e7ef34b6-e7b6-46f3-8dd8-2708c1659cd6",
			"created_at": "2023-11-08T02:00:07.107758Z",
			"updated_at": "2026-04-10T02:00:03.415268Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon"
			],
			"source_name": "MISPGALAXY:SharpPanda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434473,
	"ts_updated_at": 1775792155,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ee20a58ccfd865cf078ab4ea37e0c04e79da68b.pdf",
		"text": "https://archive.orkl.eu/4ee20a58ccfd865cf078ab4ea37e0c04e79da68b.txt",
		"img": "https://archive.orkl.eu/4ee20a58ccfd865cf078ab4ea37e0c04e79da68b.jpg"
	}
}