Extracted

• • Target

    Dangerous RAT.exe

  • Size

    7.2MB

  • MD5

    302cb7218c3275c139ac070dae4f4daa

  • SHA1

    bcf24a42ae53f36863caa8b9c49a67d6a2bbc223

  • SHA256

    0079ba87b80bba1dbeb2fb1ea7361f7a44d0c4e9d55995c28b3329e9265a8c14

  • SHA512

    118819ac3011e0cb6222e883c95d179a970b8166dccdff7ed3bdeb34d1f67a5eee1ef2b251d708fd67b07835eb67cdbfcf877bb722f35a4dd086e38bf98c8adb

  • SSDEEP

    196608:/btBPRnfvon6IZYhydLLCdsflb8MKHTdas:7ZQ60LyS8MSas

  Score

  10^/10

  neshtaxwormadwarediscoverypersistenceprivilege_escalationratspywarestealertrojan

  • Detect Neshta payload

  • Detect Xworm Payload

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Neshta family

    neshta

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1