neshta | 722ff7d4d145e71884c901b846c19c727a557c493238cdf337c37fc118a2d377 | Triage

Submit
Reports

Overview

overview

Static

static

XWorm V3.0.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

XWorm V3.0.exe
Size

8.1MB
Sample

230208-w3nh9sdd4s
MD5

06a5c65502a55e3f91f49cd7a6a6740d
SHA1

b2318b72ab7b098e459baa291cf286519d798546
SHA256

722ff7d4d145e71884c901b846c19c727a557c493238cdf337c37fc118a2d377
SHA512

13b434406c88ae9c27d13dbb7f676f14e80713247a8e7e2d03ccb00021f0206a9b3d1f7705dd907c5e38740d4ab66822f8c64234040ee91fb9e931234a55924c
SSDEEP

196608:XV7FB3fwHcBInMmML22ONosVDor3hCOcls0maMh7K3qx9:F7FBPwlnC2DMrE32thaqx9

Score

10^/10

neshta xworm persistence rat spyware stealer trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

XWorm V3.0.exe

Resource

win10v2004-20221111-en

neshta xworm persistence rat spyware stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

license-donna.at.ply.gg:55049

Mutex

vPxQcY5x2JutoRz0

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  XWorm V3.0.exe
- Size
  
  8.1MB
- MD5
  
  06a5c65502a55e3f91f49cd7a6a6740d
- SHA1
  
  b2318b72ab7b098e459baa291cf286519d798546
- SHA256
  
  722ff7d4d145e71884c901b846c19c727a557c493238cdf337c37fc118a2d377
- SHA512
  
  13b434406c88ae9c27d13dbb7f676f14e80713247a8e7e2d03ccb00021f0206a9b3d1f7705dd907c5e38740d4ab66822f8c64234040ee91fb9e931234a55924c
- SSDEEP
  
  196608:XV7FB3fwHcBInMmML22ONosVDor3hCOcls0maMh7K3qx9:F7FBPwlnC2DMrE32thaqx9
Score

10^/10

neshta xworm persistence rat spyware stealer trojan
- Detect Neshta payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaxwormpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy