neshta | cd8e870fce0c84649d1cbddfaae7d5c983a6165475f6d9b2f845c48a678dff8d | Triage

Submit
Reports

Overview

overview

Static

static

Ref Swift ...r.xlsx

windows7_x64

Ref Swift ...r.xlsx

windows10_x64

1

Sharing

General

Target

Ref Swift Transfer.xlsx
Size

186KB
Sample

211103-xx84fseeg7
MD5

99433830e4ab9d54a431a440f57e1ab9
SHA1

e997077f8cec8e3055dc5064e4b75db4ea4b4645
SHA256

cd8e870fce0c84649d1cbddfaae7d5c983a6165475f6d9b2f845c48a678dff8d
SHA512

d90f47ad8a95f72aa7bb522ef80bd4fc91cc6ccd198b1a801083bb7a25c8bf625af3842e41dff0e5f17674de65d2576482f8f80d908fcfce0cba2568987540dd

Score

10^/10

neshta xloader qw2c loader persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Ref Swift Transfer.xlsx

Resource

win7-en-20211014

neshta xloader qw2c loader persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Ref Swift Transfer.xlsx

Resource

win10-en-20210920

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

qw2c

C2

http://www.qhatu-peru.com/qw2c/

Decoy

tripleincome.trade

theorigins.xyz

codzpays.com

tacocoparker.com

athensbyozanfirat.com

aero-charger.com

mobiushs.com

wealthpatternsllc.net

oneuplord.net

19kaldenbergplace.com

dxalt.com

pageants.xyz

mengyaoke.xyz

xn--80aaudhcmg4b.online

kpmg-grab.com

unsiontv.com

builderclubvn.com

shafara.com

bmwrepairnashville.com

gelgist.com

sauver-uhalas.com

theastonishop.com

ncell-gift.online

versebay.com

victocha.com

anthonylink.top

kemerya.com

entrepreneurbizlife.com

belfamarts.top

everydayhealth.space

gyghw.com

clarkstown65.com

zzjn12.xyz

barber-king.online

narasiforum.club

tokentoto.info

urteuzemni.quest

kmieske.art

dewy-shop.com

pecornwell.com

transactioninsite.com

anta-media.com

duckworthwedding.com

viklsonbas.xyz

cruisebookingsonlineukorg.com

41dgj.xyz

phoenixvirtualstaff.net

golfladys.com

tzkaxh.com

sachitool.com

mirofotografias.com

bumiths.com

noon2f.com

suzukiecuardor.com

ll-safe-keepingtoyof6.xyz

marcosvendasecursos.com

northcoastcedrick.com

eskrimwalls.com

alltimedivine.com

jdnissan.com

atzoom.net

hanseionlinemarketing.com

yanarajoubdesign.com

movieschor.info

Targets

- Target
  
  Ref Swift Transfer.xlsx
- Size
  
  186KB
- MD5
  
  99433830e4ab9d54a431a440f57e1ab9
- SHA1
  
  e997077f8cec8e3055dc5064e4b75db4ea4b4645
- SHA256
  
  cd8e870fce0c84649d1cbddfaae7d5c983a6165475f6d9b2f845c48a678dff8d
- SHA512
  
  d90f47ad8a95f72aa7bb522ef80bd4fc91cc6ccd198b1a801083bb7a25c8bf625af3842e41dff0e5f17674de65d2576482f8f80d908fcfce0cba2568987540dd
Score

10^/10

neshta xloader qw2c loader persistence rat spyware stealer
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaxloaderqw2cloaderpersistenceratspywarestealer

behavioral2

© 2018-2024

Terms | Privacy