neshta | 255f5a92f6d426254f7fdf56f9940855914b50516e94b1e6cab2af9a5a7d625e | Triage

Submit
Reports

Overview

overview

Static

static

كركل كروم.exe

windows7-x64

كركل كروم.exe

windows10-2004-x64

Sharing

General

Target

66d6bab5c56a9cf6167077a97334a3c8_JaffaCakes118
Size

533KB
Sample

240522-lrj2laba81
MD5

66d6bab5c56a9cf6167077a97334a3c8
SHA1

f0e954d37d356b8240d9e5278cbb72591370b434
SHA256

255f5a92f6d426254f7fdf56f9940855914b50516e94b1e6cab2af9a5a7d625e
SHA512

3894a2414c3fe810bf64affd4ddb424389c41d619cb209fbf343f20d5d79776c47274322458e3c4ad57f56dd40c9e5dba439d6ae8ee3a966cdb601a5221c0cfc
SSDEEP

12288:8lzr1LIHeIeTFZEWkQxxKR8ndHPU0ASyNItfb0KZIO:8trD1TKQxPP1AKtj0HO

Score

10^/10

neshta xtremerat persistence rat spyware stealer

Static task

static1

neshta xtremerat

5 signatures

Behavioral task

behavioral1

Sample

كركل كروم.exe

Resource

win7-20240508-en

neshta xtremerat persistence rat spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

كركل كروم.exe

Resource

win10v2004-20240226-en

neshta xtremerat persistence rat spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

ali00.ddns.net

Targets

- Target
  
  كركل كروم.exe
- Size
  
  1.8MB
- MD5
  
  2e591b7018d1b289707e487a096a4f86
- SHA1
  
  1c8ce2c64944e9f56ed72f8f1314115bf4aa7b15
- SHA256
  
  5c9428ade02a7ad9a3d887b8c244ae962c8891daa2446077345649f82da87d2c
- SHA512
  
  ef32df169f9deeb26e45580cbdbb7fe16b78d6d456bcadafdc536c97a4e5a05ede4c616c1bf94473d7d4f2dbf0889065640c48190bc48302081cbae40ea9dbcd
- SSDEEP
  
  24576:kB4Uzr6UeRmmZg8ADHWsJuFfo5jYbYzHSG/UpnMUnFz3Y/l0:Xw+
Score

10^/10

neshta xtremerat persistence rat spyware stealer
- Detect Neshta payload
- Detect XtremeRAT payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Privilege Escalation

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

neshtaxtremerat

behavioral1

neshtaxtremeratpersistenceratspywarestealer

behavioral2

neshtaxtremeratpersistenceratspywarestealer

© 2018-2024

Terms | Privacy