neshta | 0079ba87b80bba1dbeb2fb1ea7361f7a44d0c4e9d55995c28b3329e9265a8c14

General

Target

Dangerous RAT.exe
Size

7.2MB
MD5

302cb7218c3275c139ac070dae4f4daa
SHA1

bcf24a42ae53f36863caa8b9c49a67d6a2bbc223
SHA256

0079ba87b80bba1dbeb2fb1ea7361f7a44d0c4e9d55995c28b3329e9265a8c14
SHA512

118819ac3011e0cb6222e883c95d179a970b8166dccdff7ed3bdeb34d1f67a5eee1ef2b251d708fd67b07835eb67cdbfcf877bb722f35a4dd086e38bf98c8adb
SSDEEP

196608:/btBPRnfvon6IZYhydLLCdsflb8MKHTdas:7ZQ60LyS8MSas

Score

10^/10

neshta xworm discovery persistence rat spyware trojan

Malware Config

Extracted

Family

xworm

Version

3.0

C2

3skr.uncofig.com:9999

Mutex

wRjQMjeNtaZnUCMU

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

aes.plain

Signatures

Detect Neshta payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0012000000016d3f-16.dat	family_neshta
behavioral1/memory/2720-20-0x0000000000A00000-0x000000000153E000-memory.dmp	family_neshta

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012262-6.dat	family_xworm
behavioral1/memory/2156-8-0x0000000000150000-0x0000000000160000-memory.dmp	family_xworm

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2156	set.exe
2720	Dangerous RAT 2020 Cracked by Unknown Venom.exe

Loads dropped DLL 5 IoCs

pid	Process
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3008	2720	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dangerous RAT 2020 Cracked by Unknown Venom.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1872	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	2772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2772	AUDIODG.EXE
Token: 33	2772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2772	AUDIODG.EXE
Token: SeDebugPrivilege	2156	set.exe
Token: SeDebugPrivilege	2720	Dangerous RAT 2020 Cracked by Unknown Venom.exe
Token: SeDebugPrivilege	1872	taskmgr.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2156	3064	Dangerous RAT.exe	31
PID 3064 wrote to memory of 2156	3064	Dangerous RAT.exe	31
PID 3064 wrote to memory of 2156	3064	Dangerous RAT.exe	31
PID 3064 wrote to memory of 2720	3064	Dangerous RAT.exe	33
PID 3064 wrote to memory of 2720	3064	Dangerous RAT.exe	33
PID 3064 wrote to memory of 2720	3064	Dangerous RAT.exe	33
PID 3064 wrote to memory of 2720	3064	Dangerous RAT.exe	33
PID 2720 wrote to memory of 3008	2720	Dangerous RAT 2020 Cracked by Unknown Venom.exe	35
PID 2720 wrote to memory of 3008	2720	Dangerous RAT 2020 Cracked by Unknown Venom.exe	35
PID 2720 wrote to memory of 3008	2720	Dangerous RAT 2020 Cracked by Unknown Venom.exe	35
PID 2720 wrote to memory of 3008	2720	Dangerous RAT 2020 Cracked by Unknown Venom.exe	35

C:\Users\Admin\AppData\Local\Temp\Dangerous RAT.exe
"C:\Users\Admin\AppData\Local\Temp\Dangerous RAT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\set.exe
  "C:\Users\Admin\AppData\Local\Temp\set.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\Dangerous RAT 2020 Cracked by Unknown Venom.exe
  "C:\Users\Admin\AppData\Local\Temp\Dangerous RAT 2020 Cracked by Unknown Venom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 564
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3008

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dangerous RAT 2020 Cracked by Unknown Venom.exe

Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.exe

Filesize
38KB

MD5
e1929d0781ff08abf8be3051479043b6

SHA1
0605a5657e022bd1cadf80f13446c678728dcde9

SHA256
b4ae6a462c5f24bec5870f6e92d94a00b1e1a4abd95e5433d6ac99a0f9d92042

SHA512
fb47c341b636293d500f1892f02e2be2b16bd0301eedc0c30025c00ae22ce3fe6d42abc0a4837cc5551eeed6cd5bbe815a0301db86bac6a84177a6c103d54d27

Download Submit
memory/1872-29-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1872-28-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1872-27-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1872-26-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2156-8-0x0000000000150000-0x0000000000160000-memory.dmp

Filesize
64KB

Download
memory/2720-20-0x0000000000A00000-0x000000000153E000-memory.dmp

Filesize
11.2MB

Download
memory/3064-19-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-0-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/3064-14-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-10-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/3064-9-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-1-0x00000000013A0000-0x0000000001AE2000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing