neshta | 3cbfb1f777724a6dded49ae440d80971994b98a51553880601529588717e0e47 | Triage

Submit
Reports

Overview

overview

Static

static

tmp/c945c4...bc.exe

windows7_x64

tmp/c945c4...bc.exe

windows10_x64

Sharing

General

Target

tmp/c945c4d8-65a1-4a58-8035-632fca52aa6a_vbc.exe
Size

397KB
Sample

211216-vp6bgsced2
MD5

023aae8d4a78eb3c9189e94336b4bae6
SHA1

437a019e8b83a84da6ded500f8ca9cd4198398ed
SHA256

3cbfb1f777724a6dded49ae440d80971994b98a51553880601529588717e0e47
SHA512

42a0645f3fb023bd50128229fbd762a90fa53f146ab4d7b0ab283cd44a0da6effb2bbee583fc6ffcd636daeaad2373926e742f856c7d78d6742db782850b8fe4

Score

10^/10

neshta xloader ea0r loader persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

tmp/c945c4d8-65a1-4a58-8035-632fca52aa6a_vbc.exe

Resource

win7-en-20211208

neshta xloader ea0r loader persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp/c945c4d8-65a1-4a58-8035-632fca52aa6a_vbc.exe

Resource

win10-en-20211208

neshta xloader ea0r loader persistence rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

metalumber.com

sclvfu.com

macanostore.online

projecturs.com

ahcprp.com

gztyfnrj.com

lospacenos.com

tak-etranger.com

dingermail.com

skiin.club

ystops.com

tnboxes.com

ccafgz.com

info1337.xyz

platinum24.top

hothess.com

novelfinancewhite.xyz

theselectdifference.com

flufca.com

giftcodefreefirevns.com

kgv-lachswehr.com

report-alfarabilabs.com

skeetones.com

4bcinc.com

americamr.com

wewonacademy.com

evrazavto.store

true-fanbox.com

greencofiji.com

threecommaspartners.com

hgtradingcoltd.com

xihe1919.com

241mk.com

helplockedout.com

wefundprojects.com

neosecure.store

purenewsworldwide.com

luckylottovip999.com

lottidobler.com

proyectohaciendohistoria.com

raintm.com

theproducerformula.com

trademarkitforyourself.com

ottaweed.com

asiapubz-hk.com

Targets

- Target
  
  tmp/c945c4d8-65a1-4a58-8035-632fca52aa6a_vbc.exe
- Size
  
  397KB
- MD5
  
  023aae8d4a78eb3c9189e94336b4bae6
- SHA1
  
  437a019e8b83a84da6ded500f8ca9cd4198398ed
- SHA256
  
  3cbfb1f777724a6dded49ae440d80971994b98a51553880601529588717e0e47
- SHA512
  
  42a0645f3fb023bd50128229fbd762a90fa53f146ab4d7b0ab283cd44a0da6effb2bbee583fc6ffcd636daeaad2373926e742f856c7d78d6742db782850b8fe4
Score

10^/10

neshta xloader ea0r loader persistence rat spyware stealer
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

neshtaxloaderea0rloaderpersistenceratspywarestealer

behavioral2

neshtaxloaderea0rloaderpersistenceratspywarestealer

© 2018-2024

Terms | Privacy