General

  • Target

    2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta

  • Size

    217KB

  • Sample

    240522-ppkrwsbd42

  • MD5

    2219802df8a09e0ce53ddf7dc5fde337

  • SHA1

    ad7c0b0bf751f5cf10cf4f541f78b4a6e4981080

  • SHA256

    5ebf9f85b062b4e0417fad150002e55b7563af040dcde97834c76ed827745188

  • SHA512

    268720b30db5885920f6b5a667bf167b72b3f3acc15ab426b86296ea1a2627df302dc19d85768298b1c35a0e5eb9d320722fa3cd17be3159a1bed0f2374ea898

  • SSDEEP

    3072:sr85Ct2M+lmsolAIrRuw+mqv9j1MWLQy5qMjvAFs9xfOMHr85Ct:k9tV+lDAAtos9z9t

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.138.16.245:3232

Mutex

0UFV4aMOGjS4dAoi

Attributes
  • Install_directory

    %AppData%

  • install_file

    updater.exe

  • telegram

    https://api.telegram.org/bot6540672623:AAGukZDFGHruAlAUrHlj3x5shLqUsP0iku8/sendMessage?chat_id=6300910507

aes.plain

Targets

    • Target

      2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta

    • Size

      217KB

    • MD5

      2219802df8a09e0ce53ddf7dc5fde337

    • SHA1

      ad7c0b0bf751f5cf10cf4f541f78b4a6e4981080

    • SHA256

      5ebf9f85b062b4e0417fad150002e55b7563af040dcde97834c76ed827745188

    • SHA512

      268720b30db5885920f6b5a667bf167b72b3f3acc15ab426b86296ea1a2627df302dc19d85768298b1c35a0e5eb9d320722fa3cd17be3159a1bed0f2374ea898

    • SSDEEP

      3072:sr85Ct2M+lmsolAIrRuw+mqv9j1MWLQy5qMjvAFs9xfOMHr85Ct:k9tV+lDAAtos9z9t

    • Detect Neshta payload

    • Detect Xworm Payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables using Telegram Chat Bot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks