{
	"id": "dd99d4ea-c1d0-42a3-9ffa-205a4da38ee6",
	"created_at": "2026-04-06T00:13:57.324179Z",
	"updated_at": "2026-04-10T03:30:33.245765Z",
	"deleted_at": null,
	"sha1_hash": "ab3db0161d2f5c2e905664d2874280754f40945b",
	"title": "XPCTRA Malware Steals Banking and Digital Wallet User's Credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 701468,
	"plain_text": "XPCTRA Malware Steals Banking and Digital Wallet User's Credentials\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 17:11:09 UTC\r\n1. Introduction\r\nWhile hunting some phishing emails these days, I came across a malware campaign similar to EngineBox, a banker capable of stealing user credentials from multiple banks [1]. XPCTRA, as I call today’s variant, steals not only banking data but also the credentials of online digital wallet users of services such as Blockchain.info and PerfectMoney.\r\nThe malspams used in the campaign try to induce the victim to open a supposed bank bill link. It actually leads to the download of the XPCTRA dropper, that is, the part of the malware responsible for environment recognition and for downloading new components. Once executed, it initiates a connection with an Internet address to download the other malware parts responsible for the later malicious actions.\r\nIn this diary, I present the XPCTRA analysis and the indicators of compromise used in this campaign.\r\n2. Threat analysis\r\nUnlike the previous variant, XPCTRA (read it like “expectra”) does not make use of as many layers of encoding as EngineBox did to try to bypass security layers, which made the analysis simpler.\r\nLook at the diagram shown in Figure 1 and the textual description below to understand the threat flow, from malicious e-mail to data theft:\r\nThe infection vector (malspam) links to a supposed PDF invoice, which actually leads the victim to download an executable file (dropper);\r\nOnce executed, the dropper downloads a “.zip” file, unzips it and executes the malware payload;\r\nIt then begins a series of actions, including:\r\nPersists itself in the OS, in order to survive system reboots;\r\nChanges firewall policies to allow the malware to communicate unrestrictedly with the Internet;\r\nInstantiates Fiddler, an HTTP proxy that is used to monitor and intercept user access to the financial institutions;\r\nInstalls the Fiddler root certificate to prevent the user from receiving digital certificate errors;\r\nPoints the Internet browsers' proxy settings to the local proxy (Fiddler);\r\nMonitors and captures user credentials while accessing the websites of 2 major Brazilian banks and other financial institutions;\r\nStolen credentials are sent to criminals through an unencrypted C\u0026C channel;\r\nEstablishes an encrypted channel to allow the victim’s system to be controlled by the attackers (RAT);\r\nMonitors and captures user credentials while accessing email services like Microsoft Live, Terra, IG and Hotmail. These accesses are used to spread the malware further;\r\nFigure 1 - XPCTRA Threat Flow\r\nNOTE: The XPCTRA sample analysed here (idfptray.exe) was not known to VT (VirusTotal) until my submission.\r\n3. Quasar RAT\r\nAfter posting the EngineBox malware analysis [1] last month, I came to know through community feedback that the threat embedded a framework called Quasar RAT [2], developed in C#. The goal of this framework is to provide a tool for remote access and management of Windows computers, hence the name RAT (Remote Access Tool). It turns out the variety of functions the open-source framework has, such as remote desktop, keylogger, etc., made it quite attractive for cybercriminals, who ended up using it as a RAT (Remote Access Trojan) within their malware.\r\nNotice in Figure 2 the similarity between the Quasar RAT directory tree on the left and the XPCTRA code on the right.\r\nFigure 2 - Similarity between Quasar RAT and XPCTRA directory trees\r\nIn addition to Quasar, XPCTRA incorporates Fiddler to play the role of HTTP proxy and, of course, the code responsible for intercepting communications with financial institutions and for sending SPAM as well.\r\n4. Digital currency wallets\r\nIn addition to banking credentials, XPCTRA is able to steal the credentials of digital currency wallets hosted online, such as Blockchain.info, PerfectMoney and Neteller. Figures 3 and 4 show code snippets of the moments when user credentials from some of these services are captured and sent.\r\nFigure 3 - Capturing user’s PerfectMoney credentials\r\nFigure 4 - Sending data to C\u0026C\r\n5. Final words\r\nThe result of this analysis draws our attention to the security of digital currency wallets, especially those “hosted” in the cloud. Just as customers of traditional financial institutions have faced the most diverse fraud attempts over the years and had to protect themselves, so must digital money users. Give preference to services that offer a second authentication factor for transactions and be sure to enable it.\r\n6. Indicators of compromise (IOCs)\r\nFiles\r\nMD5 (250920178234282343294329423.exe) = 4fec5a95ba8222979b80c0fc83f81edd\r\nMD5 (idfptray.exe) = 339c48b0ac25a9b187b8e76582580570\r\nNetwork\r\nhxxp://65.181.113.151/telnetd/chaves3.zip\r\nhxxp://fritas.cheddarmcmelt.top/master/PhpTrafico.php\r\nhxxp://fritas.cheddarmcmelt.top/master/Controle.php\r\nhxxp://fritas.cheddarmcmelt.top/master/conf/Html.txt\r\ncoca.cheddarmcmelt.top TCP/8799\r\ncoca.cheddarmcmelt.top TCP/222\r\n7. References\r\n[1] https://morphuslabs.com/enginebox-malware-amea%C3%A7a-clientes-de-mais-de-10-bancos-brasileiros-a8061c4c3cda\r\n[2] https://github.com/quasar/QuasarRAT\r\n--\r\nRenato Marinho\r\nMorphus Labs | LinkedIn | Twitter\r\nSource: https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/"
	],
	"report_names": [
		"22868"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434437,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab3db0161d2f5c2e905664d2874280754f40945b.pdf",
		"text": "https://archive.orkl.eu/ab3db0161d2f5c2e905664d2874280754f40945b.txt",
		"img": "https://archive.orkl.eu/ab3db0161d2f5c2e905664d2874280754f40945b.jpg"
	}
}