General

  • Target

    ea5c159362cac5cdddb32a44b6d23e9ea4be8b908697b1176d1bb793c400494dN.exe

  • Size

    110KB

  • Sample

    250202-r2taxayjbp

  • MD5

    3a2df82483cb6ca86e2608b71883b920

  • SHA1

    7be7820c1ce371c7008269fe78faff7a21c7ad32

  • SHA256

    ea5c159362cac5cdddb32a44b6d23e9ea4be8b908697b1176d1bb793c400494d

  • SHA512

    53fa601d09146a1b45eaa59c805812fa1f9a8324f14debf54a53a8f4cc6b90492bae4f38bd6e94acce92c4a57bd090dc3d7f0898069e7a02a8f8b06fdd504c00

  • SSDEEP

    1536:JxqjQ+P04wsmJCzbMmVMxk6Gz3SOYJlVIDhi0Y9JLwIbcuraGMc/Fv57IBl:sr85CzbMmXGOYJlKDk9jP957+l

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

143.198.150.161:7000

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      ea5c159362cac5cdddb32a44b6d23e9ea4be8b908697b1176d1bb793c400494dN.exe

    • Size

      110KB

    • MD5

      3a2df82483cb6ca86e2608b71883b920

    • SHA1

      7be7820c1ce371c7008269fe78faff7a21c7ad32

    • SHA256

      ea5c159362cac5cdddb32a44b6d23e9ea4be8b908697b1176d1bb793c400494d

    • SHA512

      53fa601d09146a1b45eaa59c805812fa1f9a8324f14debf54a53a8f4cc6b90492bae4f38bd6e94acce92c4a57bd090dc3d7f0898069e7a02a8f8b06fdd504c00

    • SSDEEP

      1536:JxqjQ+P04wsmJCzbMmVMxk6Gz3SOYJlVIDhi0Y9JLwIbcuraGMc/Fv57IBl:sr85CzbMmXGOYJlKDk9jP957+l

    • Detect Neshta payload

    • Detect Xworm Payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Neshta family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks