General

  • Target

    FNCHECKER.rar

  • Size

    9.3MB

  • Sample

    250101-mrhn7svngr

  • MD5

    6482e45fb445409bef7715b68d54103e

  • SHA1

    38f68925a5ba43dfd2af0d9b4c3a2e4404594bf4

  • SHA256

    0e5a0815a7c2ae0cc67cd267c8c8013fa0bdcfcace45a6f88460d8e8af70cf0f

  • SHA512

    aa916205de1769043e27de68b8871aceb9b099ce9e86cbf1da3a8027ea2743b1fbcbed8f445d076042d2c8c55c68e550b7a850512a09fa59a2067cdd4dbf06a9

  • SSDEEP

    196608:D783WPE+aGwf7YMWju0ApEFrg5eAkzBsguAIFG9qYEmzyT:Dw3j5D8uZp6mmBsRAIFiq9TT

Malware Config

Extracted

Family

xworm

Version

3.1

C2

daddy.linkpc.net:7000

Mutex

487KBZwHTRfdTb7E

Attributes
  • install_file

    USB.exe

aes.plain
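The extracted configuration above (C2 host and port, mutex, install file name) and the file hashes listed for each target are the report's actionable indicators. The following is an added example, not part of the sandbox output, showing how a detection engineer might turn them into matching logic. The key=value event format and the sample events are constructed for the demo and do not correspond to any real EDR or sandbox export; the indicator values are copied from this report. The registry check encodes the "Modifies system executable filetype association" signature reported for the Neshta-infected binaries by comparing against the Windows default command for the exefile class, `"%1" %*`.

```python
"""Added example: match the indicators in this report against constructed telemetry.

Indicator values (hashes, C2, mutex, install_file) are copied from the report above;
the event format and the sample events are hypothetical, constructed for this demo.
"""
import re

# Extracted Xworm config values from the report.
XWORM_C2_HOST = "daddy.linkpc.net"
XWORM_C2_PORT = "7000"
XWORM_MUTEX = "487KBZwHTRfdTb7E"
XWORM_INSTALL_FILE = "USB.exe"

# SHA256 of the archive and the two executables scored 10/10, from the report.
KNOWN_SHA256 = {
    "0e5a0815a7c2ae0cc67cd267c8c8013fa0bdcfcace45a6f88460d8e8af70cf0f": "FNCHECKER.rar",
    "4b857cbd956518dfb4150be4da9e0c33eb31d086a99cae49c13713e32b24c9db": "FN CHECKER.exe (Neshta + Xworm)",
    "3ccceb62c17463b89547b63957065b00621bfe611f6c83df1f6cb71c3c3b1c0f": "Fortnite checker.exe (Neshta)",
}

# Windows default for HKCR\exefile\shell\open\command; file infectors that hijack .exe launches change it.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample events in a simple key=value format (hypothetical, not sandbox output).
SAMPLE_EVENTS = [
    'type=process image="C:\\Users\\u\\Desktop\\FN CHECKER.exe" sha256=4B857CBD956518DFB4150BE4DA9E0C33EB31D086A99CAE49C13713E32B24C9DB',
    'type=mutex name="487KBZwHTRfdTb7E" pid=4120',
    'type=network dst=daddy.linkpc.net dport=7000 proto=tcp pid=4120',
    'type=file op=create path="C:\\Users\\u\\AppData\\Roaming\\USB.exe" pid=4120',
    'type=registry key="HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command" data="C:\\Windows\\dropped.exe %1 %*" pid=4120',
    'type=network dst=update.example.test dport=443 proto=tcp pid=880',
    'type=process image="C:\\Windows\\System32\\notepad.exe" sha256=' + "0" * 64,
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict[str, str]:
    """Parse 'key=value key="quoted value"' into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def match_event(ev: dict[str, str]) -> list[str]:
    """Return the names of every report indicator this event matches (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "process" and ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append("known sample hash: " + KNOWN_SHA256[ev["sha256"].lower()])
    if kind == "mutex" and ev.get("name") == XWORM_MUTEX:
        hits.append("xworm mutex")
    if kind == "network" and ev.get("dst", "").lower() == XWORM_C2_HOST and ev.get("dport") == XWORM_C2_PORT:
        hits.append(f"xworm C2 {XWORM_C2_HOST}:{XWORM_C2_PORT}")
    if kind == "file" and ev.get("op") == "create" and ev.get("path", "").lower().endswith("\\" + XWORM_INSTALL_FILE.lower()):
        hits.append("xworm install_file dropped")
    if (kind == "registry"
            and ev.get("key", "").lower().endswith("\\classes\\exefile\\shell\\open\\command")
            and ev.get("data") != DEFAULT_EXEFILE_COMMAND):
        hits.append("exefile association changed from default")
    return hits


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (event line, hits) for every event that matches at least one indicator."""
    results = []
    for line in lines:
        hits = match_event(parse_event(line))
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits)}\n    {line}")
```

The mutex and the C2 hostname are the strongest of these signals: the mutex name is fixed in the build, and the C2 is a hostname rather than an IP, so matching on the name survives address changes. File hashes break on any rebuild, and a dropped file named USB.exe is generic enough to need corroboration from one of the other hits before it is worth an alert.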

Targets

    • Target

      FN CHECKER/FN CHECKER/FN CHECKER.exe

    • Size

      997KB

    • MD5

      d428119c48f140f0c31ebcef8d9d8f8a

    • SHA1

      af9e82b05da11ea19d3381829ae56d2c3e74491b

    • SHA256

      4b857cbd956518dfb4150be4da9e0c33eb31d086a99cae49c13713e32b24c9db

    • SHA512

      5b0e34fa4cdfbd7f1b959ca5d7d739340165d6e95fa4bb3e198d20043f790c5d42afb784b27828fa19493c8137e7a25abbdcf34846e211d33954349bafa680b8

    • SSDEEP

      24576:5FyISeHTiJKkt9SrQOLS7dUL/3rhEdMP9Mg:5EI1+IxrrLS0ThEdMKg

    • Detect Neshta payload

    • Detect Xworm Payload

    • Neshta

      Neshta is a file infector: it writes its own code into other executables on the system, so every infected file that is later run spreads the infection further.

    • Neshta family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or with a modified UPX build.

    • Target

      FN CHECKER/FN CHECKER/bin/AngleSharp.dll

    • Size

      810KB

    • MD5

      43cf95989d4b20c1a50a888c968536f6

    • SHA1

      5306e571de0faa7cef8dfd9fe46621c5c50a9b16

    • SHA256

      d9609f320e054e17c2ba1129ad293281b733625425028587b7326550bca398a0

    • SHA512

      d3c4102ce4bae9fff3e1ae1f3aaaa8560c9acd73ad6441ac18203744011191ad2bd80caed37bd286bfc6410357928b15cffea4e4db61cf780db4d2bd939e4cf0

    • SSDEEP

      6144:frPn0zXwluf4iupAvWw2Gf7tmp7gM6S6tCDELdzKnIgTAR3yFT2X39sKxqHNU0oE:frbWvW1q3LQDVI/RiM05B/

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/BCrypt.Net.dll

    • Size

      14KB

    • MD5

      6a56593ef2ef2d86f5ec26d2b3c50686

    • SHA1

      344d593b6973288b62c6ae91d26237ecaf02096f

    • SHA256

      e1f0f6abd5b942172ec00f8b6a341dc9e484e6a63031b7699c5b41f02df9cd55

    • SHA512

      ba2dc71006550d9fed140459020c31183f16f90d6f2e3793ff79035706514a3fc8fb10c68dd64fdfb4fa23b6082c21e18559fb7ec4e7d1ee4571645ab8f92262

    • SSDEEP

      192:irPd5E17sTjoomT8VqFVAeXJHJAyZJg8D0KThxA+rAQE+tnJiOUDyv8ov9jhCGk:eKP2qMeXJpJgLa0MpfDVQGky5X

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/BouncyCastle.Crypto.dll

    • Size

      2.5MB

    • MD5

      f0b3e112ce4807a28e2b5d66a840ed7f

    • SHA1

      54a6743781fd4ceb720331fce92f16186931192d

    • SHA256

      333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c

    • SHA512

      dc8ec9754c5e86f7e54e75ff3e5859c1b057f90e9c41788037b944a5db2cb3b70060763d0efcbe55ec595bcc47a9c0ff847a4876821470ca1659c31afd5b0190

    • SSDEEP

      49152:OSSJ+G1PjodumkjD6Oc0mqHZwueCtbu9kQN:6xodumo6Lr

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/CaptchaSharp.Services.More.dll

    • Size

      14KB

    • MD5

      35037461c0ab99e6013fc99adc5acc88

    • SHA1

      1e84a20fb07c28b9a227f1bf55a8d045f18f7982

    • SHA256

      7ace519a9c2d943f2cd8358573eeb4f21f4dfa723720ca6c4bffd67b08d4f63c

    • SHA512

      197f9f5aea0d1dfd56f2d705a4f79846b6b84f1e3ff50f460cbd60de7cdf78e09e19e92f9ae7deee4894322ac34b8dabcc8770ce18645e8e312811c4550dad9c

    • SSDEEP

      384:CXwLIayjGdhDrVaOsgC5bxZiE71rHJDT:CvS7rVf0/ZnrpDT

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/CaptchaSharp.dll

    • Size

      95KB

    • MD5

      de9dbbe708a35baa84dddb61066a68a7

    • SHA1

      16cc77bf5a0709b2343d7d4a68791c21a48b0e5c

    • SHA256

      72e5f45ff10cf78298be28a706214e8af96f5165294aa1db77820a27fa85143a

    • SHA512

      70579920debbe302b96058ad1c79a595b63af6ed369385a210b91bf7f3220d92f93a2bbf3e25d28a6d783ccda007df9ae6364671c0fc7778564ae71bbeac1031

    • SSDEEP

      1536:0U71loylHoU4lQsZTM16RBlpRV5LaIST+cu5aXwZXo+PbYw0cejuEruLd:06s6rOQveBlpRVeXwZXo+PMw0cejuw2d

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/CloudflareSolverRe.dll

    • Size

      79KB

    • MD5

      80406e5e8caf22ac3ad1aaec6ce05379

    • SHA1

      9e35560a4acfc389f520ebf5e431e5990e59316f

    • SHA256

      705bab4da9023768a242b899008ac1ecc5521131a8ce928929c74aff69672e79

    • SHA512

      e03295f37984bf78948e6bc84c10de8134bde7bf80887fb216e5f45646f5153d17e93d666d74d49effc3baebd280544d19b556f670258b920903e68975a45222

    • SSDEEP

      1536:bYivK8sVHezgHOtEVVnmG0mC5OqGTiDm7b0YM89TQZKqqKKO2eWu27Jl6i46iBdz:sDHAo+EV4rj4T7b0YM89TQZKqqKKO2e5

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/Colorful.Console.dll

    • Size

      88KB

    • MD5

      ac4267b870699a799e05b2be2d2956da

    • SHA1

      bad70ee226a1be3b27ee780888cd8cc78f89c855

    • SHA256

      309c616209120ee751df11612a8eadd06e8c86e68510d0b31ba21290782516fc

    • SHA512

      f694e6506229aac78c5c81bfcdf606244fe5bcd7a1d63f6dcbdd5babb2f020ec03415f75af030aa2d574f083fa72050fa8f08d9c03efbeed54cfea05609b9086

    • SSDEEP

      1536:YLeJYyqw6Yu+tJ9gbYm35KNaxe97LCnbhN:Yxyqwpu+IzOJ97LwVN

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/CommandLine.dll

    • Size

      200KB

    • MD5

      af2580e5be07d301ef803e3b6243422d

    • SHA1

      959ab9ca00903322f2e4b8a9610b245679cf3d5c

    • SHA256

      cdd1eea8dd04fbf463d9c6f5b65541abd0536fd7e79dcd4dae796a50048b5592

    • SHA512

      77c43440cdb91de5b072b178b9f34942d23752701f148771dedac14a9022c806104f55190b4aa6197369f729d5d94852316990ad54612eb610107b0a01e34839

    • SSDEEP

      3072:/GhXtCTHuV1UaXUsKn7t5NQxS3XXINsrWyRsdEme5niIGLfG8M+pR+dP:/YCTOV1UaXUsotGNsCyRsdQmLepk

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/CommonServiceLocator.dll

    • Size

      9KB

    • MD5

      e5f3b59ab9fd9157857d69b3d9611d0b

    • SHA1

      057db8a55c224569a192f24c88f7cf0af02dd9bd

    • SHA256

      8951f1b70412949c6ac5f5a73441e689d954522ee199f17f56c97d3c90908afd

    • SHA512

      425261a0f0487a8b7f2c99ca41adb4535c90a561792076a67c9fad7dd9faa30989a64d59e4b281aefe5943bae0b19b5b381b6a7e9ed265836a726292d8edc623

    • SSDEEP

      192:RVtbOf3jdnqSoG4MUzGRxHjgiqyOwFRc/giW:RVtaf3jP4MUzOxHjgiqPYiW

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/CryptSharp.dll

    • Size

      58KB

    • MD5

      ed9a681e7f612ec8ddeae668312c6778

    • SHA1

      033a171624699a0a8ebf5226916a2a051bc29bbb

    • SHA256

      f14e2e528b56f88106e7df0d40db9c4fcde3dcdb7f7182873b6997cb8d5d0610

    • SHA512

      51d2060851b03d0c132d00ae600707561a749a80b0cec8f131c0aca4d9509fb0f327a08056c00d54f24d03986fa2ee239b9a1955a8eea3c420ee871cbeace42e

    • SSDEEP

      768:gLmEUv+8NQBYED86sGNgnRj4+hKkF1vnGq+xu9z8nS0ezkdh0RoqXfLt4s+B:tcPWn1+xIISfwmouL+z

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/Esprima.dll

    • Size

      207KB

    • MD5

      cf45d39c42564d253930934fc1122ec3

    • SHA1

      ae89c96e521b1260c4cbe4103c63ee3ba29e6b1e

    • SHA256

      0c31753c4efc29be353e6c11ebfe0a80b7c8bb3453c67a694b56751094ba281e

    • SHA512

      25edba6944ca66b15ed97032fa14b5cc7fc143da6ea4714d71b34c2cb5cf356af800b87936369a518a1a15986d439e2af361864e0bbce16bddfc47cf4eb4c5a7

    • SSDEEP

      3072:PRWz+01XNw3Y1gFSmf6akNMSQl2dbdE2eShc0sqJ81xtE:PN0/w3/VkNbQlQdE2akaj

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/Extreme.Net.dll

    • Size

      121KB

    • MD5

      01fb96e4876441feaedf92a5cbe8bb0b

    • SHA1

      faae8c94055f8311293c8a00b9b9cf53cd5a17bb

    • SHA256

      eb1b67954ac21c77eb4086939ac4e895cac5bd4425fb6964ac56e3298a392d74

    • SHA512

      1820760f46e38ba95d75fe516934aedac8102517f203f7f2b1be6e994f9f285b728036be8e94445993c0c1247dd5d9e1eb4ee0cd7ada7a029f6863af00a3a124

    • SSDEEP

      3072:GYEOsKG5/7enk7upwH54I0UpQzRE1c0Y8eVMV6cWIyqMG4iNjT:GmsK7uNLpERDV

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/Fizzler.dll

    • Size

      35KB

    • MD5

      b939e24b37c2c15e8f63dc00cafb81c1

    • SHA1

      f428575525b1b74291fd2ca1684260c915ebc5e0

    • SHA256

      17a47ed50db606c1c1061c23c894b8814223dbe24c45592e0b03e784e4d746ab

    • SHA512

      38e3aae36f6d711f69cc0989afe49e4314c671ea012e62b3ec87cf1fdfbbbb74a4a0349743a48e371be1e7cf3e441dc7f59f45a04fcfc2b952ae81ed88c204ec

    • SSDEEP

      768:RSwaeXSAlhblpJGlytZKdmwwA3VmiggSRTl1V:RBaet/bhG0KdDwLRDV

    Score
    1/10
    • Target

      FN CHECKER/FN CHECKER/bin/Fortnite checker.exe

    • Size

      517KB

    • MD5

      4ee4eb93c2b66408bb2b7ed294ce8456

    • SHA1

      0c5e89962612ae857dcdc7ae157c810a23c484a2

    • SHA256

      3ccceb62c17463b89547b63957065b00621bfe611f6c83df1f6cb71c3c3b1c0f

    • SHA512

      a44cc99c858c44ea7ce52328dcacec30e749804da182dcabf6978c1e73f1f5ff90dfb8c20ee1e82a6b2ee791a24289a0694b5e990de09df5d0b1c41d09af8088

    • SSDEEP

      6144:k9EcZu6Te3V8zcL/9QRL5t5mVMZjE4usD6:BuTZ2lQRL5t5mOs

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it writes its own code into other executables on the system, so every infected file that is later run spreads the infection further.

    • Neshta family

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly read browsers' profile and login databases, which hold saved credentials and cookies.

    • Target

      FN CHECKER/FN CHECKER/bin/GalaSoft.MvvmLight.Extras.dll

    • Size

      21KB

    • MD5

      810e42e2bbfb536bdc01abf882a24938

    • SHA1

      7bd37217aaf5ec27d2f993bb4212b0b8ab94d220

    • SHA256

      cb4d844434a8ffbd33531470e094524be27b88ca42b2c2197492bbe8246ea1bb

    • SHA512

      176769ef15d87373c53cc39241126bd39ce57b18af0df4d9d2cf68645868dd53090cb5ab93b8ba78303a3e6b5f3888d2150e6def57b26462df1b12fe7450f650

    • SSDEEP

      384:+/l5QKk8gdYAT5gb5DoCEJkUvuXctCRJEITSIjZ4qbhPyWAPslJ:ijQKJAW9Ehvvs+CRJxTb6qhPLAPslJ

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

neshta
Score
10/10

behavioral1

neshta xworm discovery persistence rat spyware trojan upx
Score
10/10

behavioral2

neshta xworm discovery persistence rat spyware trojan upx
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

neshta discovery persistence spyware stealer
Score
10/10

behavioral30

neshta discovery persistence spyware stealer
Score
10/10

behavioral31

Score
1/10

behavioral32

Score
1/10