neshta | d6742c917817f02e01ba40c61606b3707f373bb8d1f525b75b72b1802cd9b290 | Triage

Submit
Reports

Overview

overview

Static

static

61d6215546...31.exe

windows7_x64

61d6215546...31.exe

windows10_x64

Sharing

General

Target

61d62155465f85f8fc4d44a89e7ae831.exe
Size

907KB
Sample

211103-y3vcxscaem
MD5

61d62155465f85f8fc4d44a89e7ae831
SHA1

10e1e0c049b58ff662f960a3e5270bfb97c9868b
SHA256

d6742c917817f02e01ba40c61606b3707f373bb8d1f525b75b72b1802cd9b290
SHA512

b77514d0de8c8582a3773fd76b82049bdc8dbba090827531ff1452d6729bc74eeb389f69701bf38b8b45a7fcebec62d12c26d5abab7e0516bb5cf78dc7dbeb24

Score

10^/10

neshta xloader rqan loader persistence rat spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

61d62155465f85f8fc4d44a89e7ae831.exe

Resource

win7-en-20211014

neshta xloader rqan loader persistence rat spyware stealer suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

61d62155465f85f8fc4d44a89e7ae831.exe

Resource

win10-en-20210920

neshta xloader rqan loader persistence rat spyware stealer suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rqan

C2

http://www.cardboutiqueapp.com/rqan/

Decoy

panda.wiki

gailkannamassage.com

ungravitystudio.com

coraggiomusicschool.com

51walkerstreetrippleside.com

infemax.store

mapara-foundation.net

elitespeedwaxs.com

manateeprint.com

thelocksmithtradeshow.com

phoenix-out-of-ashes.com

marionkgregory.store

abasketofwords.com

century21nokta.com

anthonyaarnold.com

forevermyanmar.com

ramashi.com

uniquecarbonbrush.com

packecco.com

appelnacrtl.quest

mayo-group.com

healthychefla.com

chuhaitalk.com

promoapp12.com

sergomosta.com

missuniversepr.com

onfinan.com

moyue27.com

miaocharge.com

hubmedia.digital

sarasota-pressurewashing.com

deliciousrecipe.xyz

rosalia-pilates-angers.com

qqsmt09.com

comercialjyv.com

ismarthings.com

b8ceex.com

reviewbyornex.online

familylovmix.com

wurzelwerk-sk.com

buratacoin.com

delocdinh.com

paraspikakasino.com

buyinsurance24.com

d1storesa.com

apollonfitnessvrn.club

tokofebri.store

cambabez.xyz

pointcon.net

digitalcoursepreneur.com

15dgj.xyz

mg-garage.com

claggs.com

yuezhong66.com

uvowtae.xyz

puutuisossa.quest

glitchpunks.art

haferssippe.quest

ucwykl.biz

finlandtwo.xyz

efterpisart.com

usbankofamerican.com

bamubusinesssolutions.com

lakshhomesbalram.info

Targets

- Target
  
  61d62155465f85f8fc4d44a89e7ae831.exe
- Size
  
  907KB
- MD5
  
  61d62155465f85f8fc4d44a89e7ae831
- SHA1
  
  10e1e0c049b58ff662f960a3e5270bfb97c9868b
- SHA256
  
  d6742c917817f02e01ba40c61606b3707f373bb8d1f525b75b72b1802cd9b290
- SHA512
  
  b77514d0de8c8582a3773fd76b82049bdc8dbba090827531ff1452d6729bc74eeb389f69701bf38b8b45a7fcebec62d12c26d5abab7e0516bb5cf78dc7dbeb24
Score

10^/10

neshta xloader rqan loader persistence rat spyware stealer suricata
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaxloaderrqanloaderpersistenceratspywarestealersuricata

behavioral2

neshtaxloaderrqanloaderpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy