neshta | 1b6ff162d06ef0d1df78ada89bc99374b76362c5693b625ef9d46c9ee50e5309 | Triage

Submit
Reports

Overview

overview

Static

static

b4c024b530...7b.exe

windows7_x64

b4c024b530...7b.exe

windows10_x64

Sharing

General

Target

b4c024b530685b4d6624a05969d9997b.exe
Size

327KB
Sample

211103-yce6baefd8
MD5

b4c024b530685b4d6624a05969d9997b
SHA1

a584891d70ea5cc84d7d2934f3ea70af83b83980
SHA256

1b6ff162d06ef0d1df78ada89bc99374b76362c5693b625ef9d46c9ee50e5309
SHA512

3c6db8b881da0e6b0ee4b4effea7f1130ec6fec5e603f8617e2365cc4816c837bbca3c38af61015f48d201a20b027d131adac5a2e3df45b71d801b8feee1c4eb

Score

10^/10

neshta xloader qw2c loader persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

b4c024b530685b4d6624a05969d9997b.exe

Resource

win7-en-20211014

neshta xloader qw2c loader persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

b4c024b530685b4d6624a05969d9997b.exe

Resource

win10-en-20210920

neshta xloader qw2c loader persistence rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

qw2c

C2

http://www.qhatu-peru.com/qw2c/

Decoy

tripleincome.trade

theorigins.xyz

codzpays.com

tacocoparker.com

athensbyozanfirat.com

aero-charger.com

mobiushs.com

wealthpatternsllc.net

oneuplord.net

19kaldenbergplace.com

dxalt.com

pageants.xyz

mengyaoke.xyz

xn--80aaudhcmg4b.online

kpmg-grab.com

unsiontv.com

builderclubvn.com

shafara.com

bmwrepairnashville.com

gelgist.com

sauver-uhalas.com

theastonishop.com

ncell-gift.online

versebay.com

victocha.com

anthonylink.top

kemerya.com

entrepreneurbizlife.com

belfamarts.top

everydayhealth.space

gyghw.com

clarkstown65.com

zzjn12.xyz

barber-king.online

narasiforum.club

tokentoto.info

urteuzemni.quest

kmieske.art

dewy-shop.com

pecornwell.com

transactioninsite.com

anta-media.com

duckworthwedding.com

viklsonbas.xyz

cruisebookingsonlineukorg.com

41dgj.xyz

phoenixvirtualstaff.net

golfladys.com

tzkaxh.com

sachitool.com

mirofotografias.com

bumiths.com

noon2f.com

suzukiecuardor.com

ll-safe-keepingtoyof6.xyz

marcosvendasecursos.com

northcoastcedrick.com

eskrimwalls.com

alltimedivine.com

jdnissan.com

atzoom.net

hanseionlinemarketing.com

yanarajoubdesign.com

movieschor.info

Targets

- Target
  
  b4c024b530685b4d6624a05969d9997b.exe
- Size
  
  327KB
- MD5
  
  b4c024b530685b4d6624a05969d9997b
- SHA1
  
  a584891d70ea5cc84d7d2934f3ea70af83b83980
- SHA256
  
  1b6ff162d06ef0d1df78ada89bc99374b76362c5693b625ef9d46c9ee50e5309
- SHA512
  
  3c6db8b881da0e6b0ee4b4effea7f1130ec6fec5e603f8617e2365cc4816c837bbca3c38af61015f48d201a20b027d131adac5a2e3df45b71d801b8feee1c4eb
Score

10^/10

neshta xloader qw2c loader persistence rat spyware stealer
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaxloaderqw2cloaderpersistenceratspywarestealer

behavioral2

neshtaxloaderqw2cloaderpersistenceratspywarestealer

© 2018-2024

Terms | Privacy