neshta

General

Target

XClient.exe
Size

34KB
Sample

241125-zs8m8sspeq
MD5

c066e2162e9aa7dd672e4c20c1c8c9eb
SHA1

20c061ca760ed127dd7c43ad5147064af4009d93
SHA256

f2c139ededc6158ae672aa2ae484cbdf503517af131062ddd80a106dd7827557
SHA512

aa75920ffef507b16ed23f7c4033374ec5b1ae56d9f6f32db6a0b632366a031280be4b6c2fed4ef895fda459899dccb62def861ffb90d287a23112a9d56a4adf
SSDEEP

384:PxXv9qZ/QXokXcjlcTB+Gx//wD7rXVhLHzVdfgkBE2jHuh/58pkFyHBLTLZwYGoy:JXB2GxebHzDyCw/VFye9F+Ojh7yaEr4

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

cheflilou-43810.portmap.host:43810

Mutex

JQrIKWspeoVSCrcE

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1300923716687106088/zBYqs8nJ3MptGRgCn45okL0BWnQ0FdPIXStaaykk5DhZfBnHinW4M0Ve6U2CSPsMATf2

Targets

- Target
  
  XClient.exe
- Size
  
  34KB
- MD5
  
  c066e2162e9aa7dd672e4c20c1c8c9eb
- SHA1
  
  20c061ca760ed127dd7c43ad5147064af4009d93
- SHA256
  
  f2c139ededc6158ae672aa2ae484cbdf503517af131062ddd80a106dd7827557
- SHA512
  
  aa75920ffef507b16ed23f7c4033374ec5b1ae56d9f6f32db6a0b632366a031280be4b6c2fed4ef895fda459899dccb62def861ffb90d287a23112a9d56a4adf
- SSDEEP
  
  384:PxXv9qZ/QXokXcjlcTB+Gx//wD7rXVhLHzVdfgkBE2jHuh/58pkFyHBLTLZwYGoy:JXB2GxebHzDyCw/VFye9F+Ojh7yaEr4
Score

10^/10

neshta stormkitty umbral xworm discovery execution persistence ransomware rat spyware stealer trojan privilege_escalation
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Neshta payload
- Detect Umbral payload
- Detect Xworm Payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2