neshta

Sharing

Copy URL

Twitter E-mail

General

Target

Dangerous RAT 2020 Crackedd.zip
Size

34.1MB
Sample

231214-2vwskahabq
MD5

a4dfa7c42ac823c1e20e5ea740d9e1ef
SHA1

d5ecb77df6772a9a5fb58d6865075806c495400c
SHA256

e336316abdf79bb96c7685012a67debc84e36d963e3a3c85990e984102bbe8a7
SHA512

932f9c1e0e5642384551520150e91c3a522dd9450cdc131eb4e2be8acc1de5c732dbb335014ca040f44b39477110b38c5cdc4393912c8538259e65037e27216a
SSDEEP

786432:/6/Q1C8x/H1ayWsA5OQcxjrI2drfuCUfoUu3z2EcFNgoLCG5EnqUExXUYs:/6/p8dMPcVLpUfoUGKlNguYjExRs

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

soon-lp.at.ply.gg:17209

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Extracted

Family

njrat

Mutex

%Cor%

Attributes

reg_key
%Cor%
splitter
|-F-|

Extracted

Family

xworm

Version

5.0

soon-lp.at.ply.gg:17209

Mutex

Ylp418j84S5UtyAM

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Targets

- Target
  
  Dangerous RAT 2020 Crackedd.zip
- Size
  
  34.1MB
- MD5
  
  a4dfa7c42ac823c1e20e5ea740d9e1ef
- SHA1
  
  d5ecb77df6772a9a5fb58d6865075806c495400c
- SHA256
  
  e336316abdf79bb96c7685012a67debc84e36d963e3a3c85990e984102bbe8a7
- SHA512
  
  932f9c1e0e5642384551520150e91c3a522dd9450cdc131eb4e2be8acc1de5c732dbb335014ca040f44b39477110b38c5cdc4393912c8538259e65037e27216a
- SSDEEP
  
  786432:/6/Q1C8x/H1ayWsA5OQcxjrI2drfuCUfoUu3z2EcFNgoLCG5EnqUExXUYs:/6/p8dMPcVLpUfoUGKlNguYjExRs
Score

1^/10
behavioral1 behavioral2
- Target
  
  Dangerous RAT 2020 Crackedd/Extensions/Bind.dat
- Size
  
  35KB
- MD5
  
  8820452a304f56a3f2e6d495b5385bd2
- SHA1
  
  494fe0909bacb62c9e181bb4d70ef2be7d4d0815
- SHA256
  
  64959c6420c9b668abbaefa724253cb83573f4947b0c3c43597dcb961dc09da6
- SHA512
  
  6545e7430fba5e7cdf4e82b4f7aa2bb96488922ebd75cfb57111d67cfcd2858aacc1a1d64bc247382e7adcfac5c70e91d5c7f615b2048067954f541fd96f2415
- SSDEEP
  
  384:un3viNVJ4BpGCG0w4JXuEn00oXnPSGecL/p9xWMoDdIm7:of8VeM+WV9xWMoCm
Score

1^/10
behavioral3 behavioral4
- Target
  
  Dangerous RAT 2020 Crackedd/FastColoredTextBox.dll
- Size
  
  333KB
- MD5
  
  b746707265772b362c0ba18d8d630061
- SHA1
  
  4b185e5f68c00bef441adb737d0955646d4e569a
- SHA256
  
  3701b19ccdac79b880b197756a972027e2ac609ebed36753bd989367ea4ef519
- SHA512
  
  fd67f6c55940509e8060da53693cb5fbac574eb1e79d5bd8f9bbd43edbd05f68d5f73994798a0eed676d3e583e1c6cde608b54c03604b3818520fa18ad19aec8
- SSDEEP
  
  6144:4FErOIif3RzSHh+20lXs1TzCeBcQeDbNlz7:eEeR52bmeh0n
Score

1^/10
behavioral5 behavioral6
- Target
  
  Dangerous RAT 2020 Crackedd/Kalogar_Online/Dell-12-30-2020/Keylog.rtf
- Size
  
  418B
- MD5
  
  2cb3d075e3e836741d45d2e0f5adcd93
- SHA1
  
  9faaee0fb2aea0c8021b4a08d4ab9c4485001dbc
- SHA256
  
  a7b6e9c3d31de8e8f22f346f9ff38f8f0a3f258a46f563ccb5f832a715bc3a26
- SHA512
  
  4c81eb27a74f8576d4f11e4a9296f4d2e4760f0b8d6779d6f3978dcd2873d11f9aeed64ce2ea7fd5a97878c609b18cdcd97b8af5b9cb9f5a1d86c6f5a9d33c26
Score

4^/10
behavioral7 behavioral8
- Target
  
  Dangerous RAT 2020 Crackedd/Kay/Bind.dat
- Size
  
  33KB
- MD5
  
  98dca3c1bae7b12d90e05d56e23aab17
- SHA1
  
  4d0b3e9ef7f5e0d18bd8b97774963e89493c3494
- SHA256
  
  7b0d30222fd50ca8a4a5ea1af483e85ea7a332545b54344fc8fceb2e2fc2bfb9
- SHA512
  
  d8732a9c076f6f4d2fcce6c287705923b4f3983e0ce0381a419267c43f0b17d618e513f2981b7a033b0c546fe216671f4bb4ca1980dd7575da0ee8c7a3bbb8ca
- SSDEEP
  
  384:7L/Lu3GPLT8h16CnEkYuAu3tm9uuTMmv5Onuuuu/uuuuhuu7+sgPnEsU99uuEuu+:v63+SmnE55kQYd5c6s
Score

1^/10
behavioral10 behavioral9
- Target
  
  Dangerous RAT 2020 Crackedd/Kay/Stub.bin
- Size
  
  15KB
- MD5
  
  ea2fe690956e04b29db465f14fc26690
- SHA1
  
  d027c14e779aee5e8c3f4028417eca8d53c77c1f
- SHA256
  
  15ac5860a78b240b7063b95d2f701848162f21155baa9ec4d528c516bba25893
- SHA512
  
  6b4c60460b23aa063d55e1dc051fcc5dcf434c6f1d3d7b2656d48cc05246294f38f4f3477006fdc48c7c3383cc242be1bd36f96362ee57ec0de79c5f58fe2709
- SSDEEP
  
  192:FIfeuLOlUZ+7STfJwYfStbfSNQgaZm6LKnloYU45WtIhfjrX9iv8I/0lLBP:FIfeGO7uxykMBLf45WQfjrX968/BBP
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral11 behavioral12
- Target
  
  Dangerous RAT 2020 Crackedd/Kay/Stub.dat
- Size
  
  14KB
- MD5
  
  dc4b478752e593e0e246d6b61a98c14c
- SHA1
  
  ff7f8dd6d53071382456a5289d3626975c5a4ea3
- SHA256
  
  d76432bca73fe93e090730595e8e7e81decf40391010500ed3eb4b0d8980d2a6
- SHA512
  
  11168eb4244598c25f2c862df72aa18e92f16822e269644201917ba4c6b9623e1155ba45798c909e03a27a05f31a24359e4963dfdc83fbb2c8ec69bd4bb199bb
- SSDEEP
  
  192:iFkrdkC/edZo7jUbUeu5wZmNYnloYk4suNIDLTNp7kFT7Cx23wqYn:iFWdkuec8a4sO+LTNpA8x3qY
Score

1^/10
behavioral13 behavioral14
- Target
  
  Dangerous RAT 2020 Crackedd/Kay/Stub.il
- Size
  
  277KB
- MD5
  
  c3bb1b357fb7ffdabe2d72f67a8efdfe
- SHA1
  
  e75a83b862d6920773cde8cf424bdb739dbf73b9
- SHA256
  
  6e6e8087faee9b91bbb2bc996feb1057321b98913266e4054ef227c86eb42ccb
- SHA512
  
  65d678bc75b37acab474027e24c3528d802907c5513d2523c2bc67548cb37b2debaf55beb7351980b8741868412923059df5e85f0c155e3736be42da117f3f65
- SSDEEP
  
  3072:1zP6lrekZOtsTOpwmx0dMtTf4bKFLk1euINYXI:1zClnZOtuOpgdM9fyKFLk1fINYXI
Score

1^/10
behavioral15 behavioral16
- Target
  
  Dangerous RAT 2020 Crackedd/Mono.Cecil.dll
- Size
  
  305KB
- MD5
  
  851ec9d84343fbd089520d420348a902
- SHA1
  
  f8e2a80130058e4db3cf569cf4297d07d05c93e0
- SHA256
  
  cdadc26c09f869e21053ee1a0acf3b2d11df8edd599fe9c377bd4d3ce1c9cda9
- SHA512
  
  5e1d1b953fda4a905749eff8c4133a164748ba08c4854348539d335cf53c873eae7c653807a2701bf307693a049ae6c523bd1497a8e659bdea0a71085a58a5f1
- SSDEEP
  
  6144:ueMQM/aMOZabe3h1PtRjAqmYVNf3yTXcYBbt6KMBhu:uF/aMDb8BtRjA7XcYNclB
Score

1^/10
behavioral17 behavioral18
- Target
  
  Dangerous RAT 2020 Crackedd/NAudio.dll
- Size
  
  382KB
- MD5
  
  422193aabd3d62275b2b98470279d9f2
- SHA1
  
  62ff295275cfbc07132934e473e43b0a4749ec39
- SHA256
  
  cd9709bf1c7396f6fe3684b5177fa0890c706ca82e2b98ba58e8d8383632a3c8
- SHA512
  
  1ac568f7448ed4a7eed1a9296a8ea132eb0bea0d5e622f80147bca701ab1212421d25a847dbc469abc4089042d3c662235be6d44b12446d174b13223a78f682c
- SSDEEP
  
  6144:r+RsYcXreeC8Kl6jQX4ZL2dmeNVnhZD6sg++3aadCDbjuCNj2GLk:IgXfexdD+Y+dCA
Score

1^/10
behavioral19 behavioral20
- Target
  
  Dangerous RAT 2020 Crackedd/NjRat Dangerous 2020.exe
- Size
  
  7.2MB
- MD5
  
  472a3f7abc3e03865c88e42cb4fdde8b
- SHA1
  
  5f7eef337495a3634efe356356c73f099173317f
- SHA256
  
  12714ed2cf41c213c6f8c086fa9317b9bd8b6d203948cfd6813cc4502039d509
- SHA512
  
  dbbca25b7c65caa6f870028331e61ec9ed30d64e35ac266d484560695f65d6f179d341328e37af7b07de1bdc090ccd7b1547c761b687ac27d4954c3e9cbfb877
- SSDEEP
  
  196608:PbtBPRnfvon6IZYhydLLCdsflb8MKHTdas:rZQ60LyS8MSas
Score

10^/10

neshta xworm persistence rat spyware trojan
- Detect Neshta payload
- Detect Xworm Payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral21 behavioral22
- Target
  
  Dangerous RAT 2020 Crackedd/Payload.exe
- Size
  
  27KB
- MD5
  
  f7612d84e529131197a62e3d980d7b19
- SHA1
  
  8fa5f69dfa99db4c68249b2c1ec103998cb7f265
- SHA256
  
  7be060fe35abb22983725251663d5a637cf7c5dad65a36ce20e8017c4363ac26
- SHA512
  
  d923caa59b0037d889b6f24b12838876916be1070c0dcfc3c0d4fc7387265e98f92d2d25bff98b1cfe49d0fe9dd4b2711d58a11c1b357ae9d09cc2d2d3df6a89
- SSDEEP
  
  384:KLy2J1dJFKnO4YLJ5zeZsL4E7O4/ChZGPjdx4kM0AQk93vmhm7UMKmIEecKdbXTf:U5JFPleeHU0A/vMHTi9bDy
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral23 behavioral24
- Target
  
  Dangerous RAT 2020 Crackedd/Plugin/AN.dll
- Size
  
  15KB
- MD5
  
  d8bd6580617429c127bf1986f02006bf
- SHA1
  
  8326e56f7e1a3ae1a923e72ba8723dbc6ee5f4f0
- SHA256
  
  aadf0c5019cabefb8b33acb7de63b2d4dbf51a0a47a2550633b9a988675bcd0a
- SHA512
  
  2b72502031b771db467a77a12e0c6fe0e620e858364af96a97c13a27903d9e1261e403640856bd64c83ba3d82ad70dd26a1250443df28e8cdde1966357e33e75
- SSDEEP
  
  384:Jas/P8/d+yU99rbb09VkwqELjwF2pMT0HWSJ1i:Jau81Y9bbsxJi
Score

1^/10
behavioral25 behavioral26
- Target
  
  Dangerous RAT 2020 Crackedd/Plugin/Adf.dll
- Size
  
  17KB
- MD5
  
  31324276f22b6cde3ad9da1f007f95d3
- SHA1
  
  665d3dd5ec752d5df6ca99412f96e0eda4532d23
- SHA256
  
  92a12a022a3fcc8e3002751a5424935c54c15a2e706693ecd4d1fd7cd9c7db44
- SHA512
  
  291bfcac132f951cf6087162ac0599c97942ce0e683f65ed85e77fae8b6906ed79654988d8792166c0a5d3a49e31078c0a1fb5ae985a5ce5a19d2cf089335892
- SSDEEP
  
  384:Gs/W8W+XV9c49GjS2HLjwSBpM/bnQdWJKeg:Gn8W6zGjbDe
Score

1^/10
behavioral27 behavioral28
- Target
  
  Dangerous RAT 2020 Crackedd/Plugin/Ant.dll
- Size
  
  14KB
- MD5
  
  8854809c9c8f5feb776ed337761c0390
- SHA1
  
  1ed9deb4a774852b92cfd58d769c539c583a6ec1
- SHA256
  
  4d962f32f94f83d52e193a191df6d0202d441773eba0969df4fcada62385baeb
- SHA512
  
  d267cf32a009155648a8aa6e011465331d37c5a349e042a2099420824bb7128a38fbf87ee3d18df39cc6de2f3a97eb5fad4568bbcf430b32833e9f7ea1bb2905
- SSDEEP
  
  384:GgdovW5UJ0ELsElpBIx68tSzmtuxNvoF:BdoOH6kYNvoF
Score

1^/10
behavioral29 behavioral30
- Target
  
  Dangerous RAT 2020 Crackedd/Plugin/Anx.dll
- Size
  
  20KB
- MD5
  
  44d692fbbdb6885457057ee5bd5d257b
- SHA1
  
  b861d3dcba13aa578679f69a16d251c5b3b68a6d
- SHA256
  
  f5e3a28d021745b4f3eb8e12f228fcba12bd01d668569f70d6c1aecd33a21777
- SHA512
  
  5e06c1851dd17c884fccc2bb5da12dacda4df228c7fd1853df1b17c93420ae23edb727eddfad170598c9e1367ee41e40ba1cb7f66aef3bb634fceb4c38c0363b
- SSDEEP
  
  384:2xQ9Bb0GlHF6ar+i9gAlpBIx6wvtSz17xrtcM8MqPIM+5:H9pVF6eT9hsVi7P8MqPIH5
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Checks computer location settings

Detect Neshta payload

Detect Xworm Payload

Xworm

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

njRAT/Bladabindi

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32