neshta | c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05 | Triage

Submit
Reports

Overview

overview

Static

static

c1ffccb9ef...5N.exe

windows7-x64

c1ffccb9ef...5N.exe

windows10-2004-x64

Sharing

General

Target

c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
Size

2.6MB
Sample

241216-gveh3axnas
MD5

b78e2c578bae5735a163d4c7f07edd20
SHA1

31bc51da25b88d7f8eb8ab6a383c46d7a685b35e
SHA256

c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05
SHA512

3733cda9f98a2f3e3a4ed8f3c3c69678b27dfda62f29d214d61eff0662bf4e79ebcdc88c9aea8bfcb4207107f1ad94492504eef1a600c3292d57b762ac674ec9
SSDEEP

49152:dnsHyjtk2MYC5GDzHyjtk2MYC5GDbHyjtk2MYC5GDRRDdz3sC4nYn9:dnsmtk2ammtk2aemtk2aoRDp3shnYn9

Score

10^/10

neshta xred backdoor discovery macro persistence spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe

Resource

win7-20240729-en

neshta xred backdoor discovery macro persistence spyware

windows7-x64

18 signatures

120 seconds

Behavioral task

behavioral2

Sample

c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe

Resource

win10v2004-20241007-en

neshta xred backdoor discovery persistence spyware stealer

windows10-2004-x64

23 signatures

120 seconds

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
- Size
  
  2.6MB
- MD5
  
  b78e2c578bae5735a163d4c7f07edd20
- SHA1
  
  31bc51da25b88d7f8eb8ab6a383c46d7a685b35e
- SHA256
  
  c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05
- SHA512
  
  3733cda9f98a2f3e3a4ed8f3c3c69678b27dfda62f29d214d61eff0662bf4e79ebcdc88c9aea8bfcb4207107f1ad94492504eef1a600c3292d57b762ac674ec9
- SSDEEP
  
  49152:dnsHyjtk2MYC5GDzHyjtk2MYC5GDbHyjtk2MYC5GDRRDdz3sC4nYn9:dnsmtk2ammtk2aemtk2aoRDp3shnYn9
Score

10^/10

neshta xred backdoor discovery macro persistence spyware stealer
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaxredbackdoordiscoverymacropersistencespyware

behavioral2

neshtaxredbackdoordiscoverypersistencespywarestealer

© 2018-2024

Terms | Privacy