neshta | 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

General

Target

36ca5751b0b2d9321215f223a18aefbf.exe
Size

324KB
MD5

36ca5751b0b2d9321215f223a18aefbf
SHA1

c9661ff48f2eaa2718a46b23a70a02a8461715be
SHA256

602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4
SHA512

f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c

Score

10^/10

neshta xloader ga6b loader persistence rat spyware stealer

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ga6b

C2

http://www.egyptian-museum.com/ga6b/

Decoy

diasporacospices.com

sd-shenghe.com

onlinewritingjobs.net

greenstreamgroup.store

garageair.agency

idh-bf.com

middenhavendambreskens.com

szkoleniawcag.online

wiremefeelings.com

ottosperformance.com

brothermush.com

weiserpath.com

baohiemtv24h.com

glassgalaxynft.com

spiritualmind.space

18130072012.com

3v0.space

smartgadgetscompare.com

corvusexpeditii.xyz

egcontabilidade.website

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

36ca5751b0b2d9321215f223a18aefbf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	36ca5751b0b2d9321215f223a18aefbf.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4008-122-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4008-123-0x000000000041D4E0-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

36ca5751b0b2d9321215f223a18aefbf.exe36ca5751b0b2d9321215f223a18aefbf.exe

pid process

4052 36ca5751b0b2d9321215f223a18aefbf.exe
4008 36ca5751b0b2d9321215f223a18aefbf.exe
Loads dropped DLL 1 IoCs

Processes:

36ca5751b0b2d9321215f223a18aefbf.exe

pid process

4052 36ca5751b0b2d9321215f223a18aefbf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

36ca5751b0b2d9321215f223a18aefbf.exe

description pid process target process

PID 4052 set thread context of 4008 4052 36ca5751b0b2d9321215f223a18aefbf.exe 36ca5751b0b2d9321215f223a18aefbf.exe

pid	process
4052	36ca5751b0b2d9321215f223a18aefbf.exe
4008	36ca5751b0b2d9321215f223a18aefbf.exe

pid	process
4052	36ca5751b0b2d9321215f223a18aefbf.exe

description	pid	process	target process
PID 4052 set thread context of 4008	4052	36ca5751b0b2d9321215f223a18aefbf.exe	36ca5751b0b2d9321215f223a18aefbf.exe

Drops file in Program Files directory 53 IoCs

Processes:

36ca5751b0b2d9321215f223a18aefbf.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	36ca5751b0b2d9321215f223a18aefbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	36ca5751b0b2d9321215f223a18aefbf.exe

Drops file in Windows directory 1 IoCs

Processes:

36ca5751b0b2d9321215f223a18aefbf.exe

description ioc process

File opened for modification C:\Windows\svchost.com 36ca5751b0b2d9321215f223a18aefbf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	36ca5751b0b2d9321215f223a18aefbf.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe	nsis_installer_2

Modifies registry class 1 IoCs

Processes:

36ca5751b0b2d9321215f223a18aefbf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	36ca5751b0b2d9321215f223a18aefbf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

36ca5751b0b2d9321215f223a18aefbf.exe

pid process

4008 36ca5751b0b2d9321215f223a18aefbf.exe
4008 36ca5751b0b2d9321215f223a18aefbf.exe

pid	process
4008	36ca5751b0b2d9321215f223a18aefbf.exe
4008	36ca5751b0b2d9321215f223a18aefbf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

36ca5751b0b2d9321215f223a18aefbf.exe36ca5751b0b2d9321215f223a18aefbf.exe

description	pid	process	target process
PID 968 wrote to memory of 4052	968	36ca5751b0b2d9321215f223a18aefbf.exe	36ca5751b0b2d9321215f223a18aefbf.exe
PID 968 wrote to memory of 4052	968	36ca5751b0b2d9321215f223a18aefbf.exe	36ca5751b0b2d9321215f223a18aefbf.exe
PID 968 wrote to memory of 4052	968	36ca5751b0b2d9321215f223a18aefbf.exe	36ca5751b0b2d9321215f223a18aefbf.exe
PID 4052 wrote to memory of 4008	4052	36ca5751b0b2d9321215f223a18aefbf.exe	36ca5751b0b2d9321215f223a18aefbf.exe
PID 4052 wrote to memory of 4008	4052	36ca5751b0b2d9321215f223a18aefbf.exe	36ca5751b0b2d9321215f223a18aefbf.exe
PID 4052 wrote to memory of 4008	4052	36ca5751b0b2d9321215f223a18aefbf.exe	36ca5751b0b2d9321215f223a18aefbf.exe
PID 4052 wrote to memory of 4008	4052	36ca5751b0b2d9321215f223a18aefbf.exe	36ca5751b0b2d9321215f223a18aefbf.exe
PID 4052 wrote to memory of 4008	4052	36ca5751b0b2d9321215f223a18aefbf.exe	36ca5751b0b2d9321215f223a18aefbf.exe
PID 4052 wrote to memory of 4008	4052	36ca5751b0b2d9321215f223a18aefbf.exe	36ca5751b0b2d9321215f223a18aefbf.exe

C:\Users\Admin\AppData\Local\Temp\36ca5751b0b2d9321215f223a18aefbf.exe
"C:\Users\Admin\AppData\Local\Temp\36ca5751b0b2d9321215f223a18aefbf.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe
MD5
2cdc3d96a11abe92e9869d888d6c1696

SHA1
910cb0036b3e9a2834208a2361ca28912ade8f6c

SHA256
34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd

SHA512
dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe
MD5
2cdc3d96a11abe92e9869d888d6c1696

SHA1
910cb0036b3e9a2834208a2361ca28912ade8f6c

SHA256
34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd

SHA512
dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe
MD5
2cdc3d96a11abe92e9869d888d6c1696

SHA1
910cb0036b3e9a2834208a2361ca28912ade8f6c

SHA256
34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd

SHA512
dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b

Download Submit
\Users\Admin\AppData\Local\Temp\nsbE12A.tmp\tdledysx.dll
MD5
ab2962aabbe70e27d355dacf203405e6

SHA1
729bb1a7412903e2574ccc129409b70cbd55e01a

SHA256
dc3786cc8cbf1abd5261926553b407c82c97eefa6d4cafdb3c7147295a65e450

SHA512
3e8c94d585a02f108fd2fd0bfef3a252e196280e03a2e17e3b5d978a6d9ae5652cdfc5bc9ddd5df2f986a1d1e3fe959391be75a49e84d51771dea3d0854f3d40

Download Submit
memory/4008-122-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4008-123-0x000000000041D4E0-mapping.dmp

Download
memory/4008-125-0x00000000009C0000-0x0000000000CE0000-memory.dmp

Filesize
3.1MB

Download
memory/4052-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads