neshta

General

Target

NL Brute 1.2.zip
Size

8.9MB
Sample

250103-sshy9azrbw
MD5

35d75a5d32712a71b31f534cf75dc964
SHA1

28c279a79b08313da6659cf159b01de6d328c121
SHA256

e533e9171cd5be1442ac411b60af0e29bcef9ecd53cc27236aeb200ad18c7271
SHA512

6bef83b0858601cd280e44a378dc9dc0e7e621ceda69cc08e0ccee8cd7cdb683dfa7f1630b88a7f7ae02982eee0f4a51a2e14acc3745ccabe3585f0a0b975e5a
SSDEEP

196608:Mpw1Kjc2E1vdRh5pIwoPklOb2Vdeudpa2VdgTT9V+Z7s:oc2QvXXpIwIklOb262VSJV+u

Score

10^/10

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  NL Brute 1.2.exe
- Size
  
  10.1MB
- MD5
  
  50b072669d250694e04f3e2d27153ece
- SHA1
  
  616d07f52763be900b56eafdf54e996e1183da4a
- SHA256
  
  3837bbb589f027fe75534ac85223641d8cb3f162420e8843aa94ade7045fa35a
- SHA512
  
  f556f495692011df4170c2e2a21378d9fbb4bb6769d87116f31afca3f9200a9eb22f24e275d087098ffed5a5b0108d04b52296892fd9b6c15399ac5e53b28682
- SSDEEP
  
  196608:RL1f+fCWf+fCufu0p8Y4DFbBJ5dIa82Vou2j09a3XAydVdODHMD16UAsdfPL9:RxWJWhn8YwFV/dIa8wp2j09qXAyYDHMD
Score

10^/10

neshta xred backdoor discovery evasion persistence spyware stealer
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1