neshta | f78ac503e0942a1bafd27fc9464ab605eac94184d9da91a0385beb8debef65e4 | Triage

Submit
Reports

Overview

overview

Static

static

tmp/NHY9Wg...9Y.exe

windows7_x64

tmp/NHY9Wg...9Y.exe

windows10_x64

Sharing

General

Target

tmp/NHY9WgdS1Q8pZ9Y.exe
Size

1.3MB
Sample

211214-q68eysfgg2
MD5

6f1e08f3aeec64cedb74a5bb7ff22392
SHA1

961cc902df5b2ebc015dd848e7da4f7992eb6b54
SHA256

f78ac503e0942a1bafd27fc9464ab605eac94184d9da91a0385beb8debef65e4
SHA512

69d62f15c6a8aae56184be5cb0d2c115af5688d39640b881c9f369b7b73cbf145f372da2a93427853489646a42cea38df84a7e6edb94ae845a5c873e9ba43934

Score

10^/10

neshta xloader b62n loader persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

tmp/NHY9WgdS1Q8pZ9Y.exe

Resource

win7-en-20211208

neshta xloader b62n loader persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp/NHY9WgdS1Q8pZ9Y.exe

Resource

win10-en-20211208

neshta xloader b62n loader persistence rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b62n

C2

http://www.multidetoxhepatico.com/b62n/

Decoy

childzplanet.com

nine8culture.com

yourfoodmenu.com

nxhxyzjy.com

nobelies.com

baetsupreme.net

indiadiscountedfares.com

iconnect-design.com

durston.store

sweetcreationsbyjp.com

ktieman.com

getvirtualaddress.com

cryptopoly-figures.com

minismi2.com

ricemoment.com

regionalhomescommercial.com

onelike.biz

d22.group

kwissleapp.com

cindyrandband.com

wolfgap.com

ilogic8.com

digitize-vision.com

qiunianns.com

tejpalmeet.com

joywalkerconsultingllc.com

daudcoffee.com

muktobangla.xyz

tendenciaofertas.com

xuongkhophoanghuong.pro

circleofdeth.com

spoilthemrottenpets.com

innasamudra.com

pizzadelta.com

jcmsomedia.com

applelost-support.info

ridvanyilmaz.com

catherinehaskins.com

fogelsingleywedding.com

suddennnnnnnnnnnn20.xyz

3leadsaday.xyz

xn--salihzzmrt-icb8ec.com

rdaniels2.com

xn--growbb-fvab.com

badkyker.quest

sdoook.com

bagways.com

bullseyefunrun.com

ff4c2myy0.xyz

stardustfuel.com

yiyuanpai.net

permaculturemd.com

prospectly.cloud

myonchain.art

atlasconcretos.com

ghost.immo

kondanginyuk.online

mohamedtaher.xyz

sxsxnt.com

sofiarust.xyz

playmayka.com

eemtyx.com

tashamurphy.com

akoya-kyoto.com

Targets

- Target
  
  tmp/NHY9WgdS1Q8pZ9Y.exe
- Size
  
  1.3MB
- MD5
  
  6f1e08f3aeec64cedb74a5bb7ff22392
- SHA1
  
  961cc902df5b2ebc015dd848e7da4f7992eb6b54
- SHA256
  
  f78ac503e0942a1bafd27fc9464ab605eac94184d9da91a0385beb8debef65e4
- SHA512
  
  69d62f15c6a8aae56184be5cb0d2c115af5688d39640b881c9f369b7b73cbf145f372da2a93427853489646a42cea38df84a7e6edb94ae845a5c873e9ba43934
Score

10^/10

neshta xloader b62n loader persistence rat spyware stealer
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

neshtaxloaderb62nloaderpersistenceratspywarestealer

behavioral2

neshtaxloaderb62nloaderpersistenceratspywarestealer

© 2018-2024

Terms | Privacy