neshta | a6dbf734e365972d5b7e27bdaf8a5ab473bbce095a76615514ef865d0d29fd81 | Triage

Submit
Reports

Overview

overview

Static

static

7c917a7aed...d3.exe

windows10-2004-x64

Resubmissions

29-11-2024 09:10

241129-k5dlasxkds 10

30-12-2023 18:55

231230-xkwycsbfdm 10

Sharing

General

Target

7c917a7aed7ca918811fb658bd50b0d3.exe
Size

3.5MB
Sample

241129-k5dlasxkds
MD5

7c917a7aed7ca918811fb658bd50b0d3
SHA1

084ce953cbdc86f1b065e306a5d07bc06cfd1de9
SHA256

a6dbf734e365972d5b7e27bdaf8a5ab473bbce095a76615514ef865d0d29fd81
SHA512

d159d03454ceefc17378a6e61ff7e4a483d56cf457b5767805d61d48d33606f9839af5b5ce7afedbd30363acf3253793be30bfcb017a301e533c5e76c2753321
SSDEEP

98304:Gnsmtk2azmtk2a7mtk2aZnJOIAcUjeCBQRqTnFn9:4LbD6m/Z9

Score

10^/10

neshta xred backdoor discovery persistence spyware

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

7c917a7aed7ca918811fb658bd50b0d3.exe

Resource

win10v2004-20241007-en

neshta xred backdoor discovery persistence spyware

windows10-2004-x64

14 signatures

30 seconds

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  7c917a7aed7ca918811fb658bd50b0d3.exe
- Size
  
  3.5MB
- MD5
  
  7c917a7aed7ca918811fb658bd50b0d3
- SHA1
  
  084ce953cbdc86f1b065e306a5d07bc06cfd1de9
- SHA256
  
  a6dbf734e365972d5b7e27bdaf8a5ab473bbce095a76615514ef865d0d29fd81
- SHA512
  
  d159d03454ceefc17378a6e61ff7e4a483d56cf457b5767805d61d48d33606f9839af5b5ce7afedbd30363acf3253793be30bfcb017a301e533c5e76c2753321
- SSDEEP
  
  98304:Gnsmtk2azmtk2a7mtk2aZnJOIAcUjeCBQRqTnFn9:4LbD6m/Z9
Score

10^/10

neshta xred backdoor discovery persistence spyware
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaxredbackdoordiscoverypersistencespyware

© 2018-2025

Terms | Privacy