neshta | 0efd3949bdca68716bd115e68de2f6247135e19dca8ff9e300eea9c7e9b4260f | Triage

Submit
Reports

Overview

overview

Static

static

EX77538070...__.rtf

windows7_x64

EX77538070...__.rtf

windows10_x64

1

Sharing

General

Target

EX775380705313.doc__.rtf
Size

384KB
Sample

211213-sjgd3aehcp
MD5

99f1bdd67c558c943d6ba062bc327d28
SHA1

3694f22edb747d065595c4760fa25119581a43f1
SHA256

0efd3949bdca68716bd115e68de2f6247135e19dca8ff9e300eea9c7e9b4260f
SHA512

a64d3834bec69ed63a00c77de68b12a11d48362f1772e926afea29f6b203c1d17c93bb3d4bc1956f32ac0a6bdb4a918ffc0f1437399c38e97ea923a2389989a0

Score

10^/10

neshta xloader b62n loader persistence rat spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

EX775380705313.doc__.rtf

Resource

win7-en-20211208

neshta xloader b62n loader persistence rat spyware stealer suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

EX775380705313.doc__.rtf

Resource

win10-en-20211208

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b62n

C2

http://www.multidetoxhepatico.com/b62n/

Decoy

childzplanet.com

nine8culture.com

yourfoodmenu.com

nxhxyzjy.com

nobelies.com

baetsupreme.net

indiadiscountedfares.com

iconnect-design.com

durston.store

sweetcreationsbyjp.com

ktieman.com

getvirtualaddress.com

cryptopoly-figures.com

minismi2.com

ricemoment.com

regionalhomescommercial.com

onelike.biz

d22.group

kwissleapp.com

cindyrandband.com

wolfgap.com

ilogic8.com

digitize-vision.com

qiunianns.com

tejpalmeet.com

joywalkerconsultingllc.com

daudcoffee.com

muktobangla.xyz

tendenciaofertas.com

xuongkhophoanghuong.pro

circleofdeth.com

spoilthemrottenpets.com

innasamudra.com

pizzadelta.com

jcmsomedia.com

applelost-support.info

ridvanyilmaz.com

catherinehaskins.com

fogelsingleywedding.com

suddennnnnnnnnnnn20.xyz

3leadsaday.xyz

xn--salihzzmrt-icb8ec.com

rdaniels2.com

xn--growbb-fvab.com

badkyker.quest

sdoook.com

bagways.com

bullseyefunrun.com

ff4c2myy0.xyz

stardustfuel.com

yiyuanpai.net

permaculturemd.com

prospectly.cloud

myonchain.art

atlasconcretos.com

ghost.immo

kondanginyuk.online

mohamedtaher.xyz

sxsxnt.com

sofiarust.xyz

playmayka.com

eemtyx.com

tashamurphy.com

akoya-kyoto.com

Targets

- Target
  
  EX775380705313.doc__.rtf
- Size
  
  384KB
- MD5
  
  99f1bdd67c558c943d6ba062bc327d28
- SHA1
  
  3694f22edb747d065595c4760fa25119581a43f1
- SHA256
  
  0efd3949bdca68716bd115e68de2f6247135e19dca8ff9e300eea9c7e9b4260f
- SHA512
  
  a64d3834bec69ed63a00c77de68b12a11d48362f1772e926afea29f6b203c1d17c93bb3d4bc1956f32ac0a6bdb4a918ffc0f1437399c38e97ea923a2389989a0
Score

10^/10

neshta xloader b62n loader persistence rat spyware stealer suricata
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

neshtaxloaderb62nloaderpersistenceratspywarestealersuricata

behavioral2

© 2018-2024

Terms | Privacy