neshta | b224f2409381b02e0f465d688fba51a84efc05092c484fc5521b6b2ac8698aa9 | Triage

Submit
Reports

Overview

overview

Static

static

Inquiry do...5.xlsx

windows7_x64

Inquiry do...5.xlsx

windows10_x64

1

Sharing

General

Target

Inquiry docs_00345.xlsx
Size

185KB
Sample

211103-xw36tabfgm
MD5

8601e9fbd0710b734aaa95ba56ebf397
SHA1

d5fefeba0606f92a7223bbe51091132404670daa
SHA256

b224f2409381b02e0f465d688fba51a84efc05092c484fc5521b6b2ac8698aa9
SHA512

2f85167f109a1cbe77dcbe5bebbcd00f83abc72f34f491657f3e25319aaed07ee68e529287e500ca6220fb88f2b171f4b7cb0040de34c488d3d8b72c70abc95d

Score

10^/10

neshta xloader ga6b loader persistence rat spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

Inquiry docs_00345.xlsx

Resource

win7-en-20210920

neshta xloader ga6b loader persistence rat spyware stealer suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Inquiry docs_00345.xlsx

Resource

win10-en-20211014

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ga6b

C2

http://www.egyptian-museum.com/ga6b/

Decoy

diasporacospices.com

sd-shenghe.com

onlinewritingjobs.net

greenstreamgroup.store

garageair.agency

idh-bf.com

middenhavendambreskens.com

szkoleniawcag.online

wiremefeelings.com

ottosperformance.com

brothermush.com

weiserpath.com

baohiemtv24h.com

glassgalaxynft.com

spiritualmind.space

18130072012.com

3v0.space

smartgadgetscompare.com

corvusexpeditii.xyz

egcontabilidade.website

find0utnowfy.info

soulwinningministry.com

digitaldreamcloud.net

service-portal-kundendaten.com

theselectdifference.com

burodev.com

mustafacesuryildiz.com

grupodeinvestigacion.com

toyotadisurabaya.com

partnerbenifits.com

belledescontos.com

nobodybutgod.com

bumiths.com

acacave.com

septoctets.xyz

www73w.xyz

afghantattoos.com

interiorsbe.com

ara7z.com

qqcx666888.top

onra.top

sunfucker.net

suhuabo.com

tangerineinit.com

era636.com

lovenft.xyz

maviesurdvd.com

gullatz-consulting.com

duopasteleras.com

mystudentregistration.com

5559913.win

gritzcharlestonluxuryinn.store

themexicanbg.com

senshop.store

woodentoysforkids.store

globalgamelan.com

anjumanmuhibaneabbas.com

seattleinsurancebrokers.com

naiduteja049.info

traction.legal

twisteid.com

necesryaou.com

apan-group.com

infinityrope.store

Targets

- Target
  
  Inquiry docs_00345.xlsx
- Size
  
  185KB
- MD5
  
  8601e9fbd0710b734aaa95ba56ebf397
- SHA1
  
  d5fefeba0606f92a7223bbe51091132404670daa
- SHA256
  
  b224f2409381b02e0f465d688fba51a84efc05092c484fc5521b6b2ac8698aa9
- SHA512
  
  2f85167f109a1cbe77dcbe5bebbcd00f83abc72f34f491657f3e25319aaed07ee68e529287e500ca6220fb88f2b171f4b7cb0040de34c488d3d8b72c70abc95d
Score

10^/10

neshta xloader ga6b loader persistence rat spyware stealer suricata
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaxloaderga6bloaderpersistenceratspywarestealersuricata

behavioral2

© 2018-2024

Terms | Privacy