neshta | 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb | Triage

Submit
Reports

Overview

overview

Static

static

5ecdf9607a...46.exe

windows7_x64

5ecdf9607a...46.exe

windows10_x64

Sharing

General

Target

5ecdf9607af624d3ec1ed2bc9f0e9146.exe
Size

339KB
Sample

211007-kyw43acdbp
MD5

5ecdf9607af624d3ec1ed2bc9f0e9146
SHA1

d68079d495932ef242efc76e96fe6d75a1ab8dc0
SHA256

934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb
SHA512

b7fe77eb6f6fbd620a5a7d187d1355fb43ece505d46846703ea71e84205fb6511867756552202a5b95163cc651a5ab9a14cb1b0c13e50260a5c57993df39835c

Score

10^/10

neshta xloader p08r loader persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

5ecdf9607af624d3ec1ed2bc9f0e9146.exe

Resource

win7v20210408

neshta xloader p08r loader persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

5ecdf9607af624d3ec1ed2bc9f0e9146.exe

Resource

win10-en-20210920

neshta xloader p08r loader persistence rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p08r

C2

http://www.puremicrodosing.com/p08r/

Decoy

focalstead.com

adult-affi2401.com

tamaracastrillejo.com

klimatika.pro

vineyardsimple.com

maskrgl.com

anamontenegro.website

lockolock.com

lkdgd.com

bgcs.online

tasteofgadsdencounty.com

abbastanza.info

serviciomovistar.online

xaudix.com

flintandfern.com

ranchoptician.com

tradeplay.net

chazuo.store

fb90km.com

americandropper.com

shopmoly.com

standunitedforamerica.us

whiteknucklegrips.com

clarysvillemotel.online

cunnters.com

cameroon-infos.net

minisoshop.com

consulitate.xyz

iriny1.com

globalservicesproviders.com

mai1xia.xyz

apeironnature.com

snobite.net

hyvecommerce.com

consumersvoice.net

blinglj.com

oarlary.xyz

elemnetoutdoor.com

wandawallinbristow.com

cyworldl.com

windpeople.store

happinessfashionline.com

representelectrical.com

istc3.com

alskdfalskdf.com

micaixmt.com

outnoble.online

bbeway.com

truenettnpasumo3.xyz

989451.com

kennycheng.tech

rankedclub.com

alynzmy.top

topcatrecords.net

yappiiblog.com

cannaonline.net

universityplacehome.com

tksonline.club

curlya-shop.com

checkbox-staging-pmgi.com

ziomotors.com

underdodrat.info

110cy.top

musiciridium.com

Targets

- Target
  
  5ecdf9607af624d3ec1ed2bc9f0e9146.exe
- Size
  
  339KB
- MD5
  
  5ecdf9607af624d3ec1ed2bc9f0e9146
- SHA1
  
  d68079d495932ef242efc76e96fe6d75a1ab8dc0
- SHA256
  
  934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb
- SHA512
  
  b7fe77eb6f6fbd620a5a7d187d1355fb43ece505d46846703ea71e84205fb6511867756552202a5b95163cc651a5ab9a14cb1b0c13e50260a5c57993df39835c
Score

10^/10

neshta xloader p08r loader persistence rat spyware stealer
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaxloaderp08rloaderpersistenceratspywarestealer

behavioral2

neshtaxloaderp08rloaderpersistenceratspywarestealer

© 2018-2024

Terms | Privacy