neshta | 0079ba87b80bba1dbeb2fb1ea7361f7a44d0c4e9d55995c28b3329e9265a8c14 | Triage

Submit
Reports

Overview

overview

Static

static

3

DangerousRAT.exe

windows7-x64

DangerousRAT.exe

windows10-2004-x64

Sharing

General

Target

DangerousRAT.exe
Size

7.2MB
Sample

250208-jdgcfatrer
MD5

302cb7218c3275c139ac070dae4f4daa
SHA1

bcf24a42ae53f36863caa8b9c49a67d6a2bbc223
SHA256

0079ba87b80bba1dbeb2fb1ea7361f7a44d0c4e9d55995c28b3329e9265a8c14
SHA512

118819ac3011e0cb6222e883c95d179a970b8166dccdff7ed3bdeb34d1f67a5eee1ef2b251d708fd67b07835eb67cdbfcf877bb722f35a4dd086e38bf98c8adb
SSDEEP

196608:/btBPRnfvon6IZYhydLLCdsflb8MKHTdas:7ZQ60LyS8MSas

Score

10^/10

neshta xworm discovery persistence rat spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

DangerousRAT.exe

Resource

win7-20241010-en

neshta xworm discovery persistence rat spyware trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

DangerousRAT.exe

Resource

win10v2004-20250207-en

neshta xworm discovery persistence rat spyware trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.0

C2

3skr.uncofig.com:9999

Mutex

wRjQMjeNtaZnUCMU

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

aes.plain

Targets

- Target
  
  DangerousRAT.exe
- Size
  
  7.2MB
- MD5
  
  302cb7218c3275c139ac070dae4f4daa
- SHA1
  
  bcf24a42ae53f36863caa8b9c49a67d6a2bbc223
- SHA256
  
  0079ba87b80bba1dbeb2fb1ea7361f7a44d0c4e9d55995c28b3329e9265a8c14
- SHA512
  
  118819ac3011e0cb6222e883c95d179a970b8166dccdff7ed3bdeb34d1f67a5eee1ef2b251d708fd67b07835eb67cdbfcf877bb722f35a4dd086e38bf98c8adb
- SSDEEP
  
  196608:/btBPRnfvon6IZYhydLLCdsflb8MKHTdas:7ZQ60LyS8MSas
Score

10^/10

neshta xworm discovery persistence rat spyware trojan
- Detect Neshta payload
- Detect Xworm Payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaxwormdiscoverypersistenceratspywaretrojan

behavioral2

neshtaxwormdiscoverypersistenceratspywaretrojan

© 2018-2025

Terms | Privacy