neshta | 0079ba87b80bba1dbeb2fb1ea7361f7a44d0c4e9d55995c28b3329e9265a8c14

General

Target

Dangerous RAT.exe
Size

7.2MB
MD5

302cb7218c3275c139ac070dae4f4daa
SHA1

bcf24a42ae53f36863caa8b9c49a67d6a2bbc223
SHA256

0079ba87b80bba1dbeb2fb1ea7361f7a44d0c4e9d55995c28b3329e9265a8c14
SHA512

118819ac3011e0cb6222e883c95d179a970b8166dccdff7ed3bdeb34d1f67a5eee1ef2b251d708fd67b07835eb67cdbfcf877bb722f35a4dd086e38bf98c8adb
SSDEEP

196608:/btBPRnfvon6IZYhydLLCdsflb8MKHTdas:7ZQ60LyS8MSas

Score

10^/10

neshta xworm discovery persistence rat spyware trojan

Malware Config

Extracted

Family

xworm

Version

3.0

C2

3skr.uncofig.com:9999

Mutex

wRjQMjeNtaZnUCMU

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

aes.plain

Signatures

Detect Neshta payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023ce1-21.dat	family_neshta
behavioral1/memory/4052-32-0x0000000000430000-0x0000000000F6E000-memory.dmp	family_neshta

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000023ce0-7.dat	family_xworm
behavioral1/memory/2344-16-0x0000000000380000-0x0000000000390000-memory.dmp	family_xworm

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
42	4272	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	Dangerous RAT.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	set.exe
4052	Dangerous RAT 2020 Cracked by Unknown Venom.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4240	4052	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dangerous RAT 2020 Cracked by Unknown Venom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1424	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	set.exe
Token: SeDebugPrivilege	4052	Dangerous RAT 2020 Cracked by Unknown Venom.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 2344	4408	Dangerous RAT.exe	89
PID 4408 wrote to memory of 2344	4408	Dangerous RAT.exe	89
PID 4408 wrote to memory of 4052	4408	Dangerous RAT.exe	90
PID 4408 wrote to memory of 4052	4408	Dangerous RAT.exe	90
PID 4408 wrote to memory of 4052	4408	Dangerous RAT.exe	90

C:\Users\Admin\AppData\Local\Temp\Dangerous RAT.exe
"C:\Users\Admin\AppData\Local\Temp\Dangerous RAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\set.exe
  "C:\Users\Admin\AppData\Local\Temp\set.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\Dangerous RAT 2020 Cracked by Unknown Venom.exe
  "C:\Users\Admin\AppData\Local\Temp\Dangerous RAT 2020 Cracked by Unknown Venom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 852
    3⤵
    - Program crash
    PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4052 -ip 4052
1⤵
PID:4356

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0Y2MDkwQjctNjMxQi00RDQzLUE3QTctOEMyMzdCNDlENTIyfSIgdXNlcmlkPSJ7RDYxM0NEMUUtMkU4NS00OEYyLUE0NzctOUE3RDA2Q0NFNEQ4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTY5N0NFNjgtNTlCRS00RkI4LUFEOEYtRDZCQUI3QUI3Qjc0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ0OTciIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNjkzODEzMjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjM2OTE5MjgzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dangerous RAT 2020 Cracked by Unknown Venom.exe

Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.exe

Filesize
38KB

MD5
e1929d0781ff08abf8be3051479043b6

SHA1
0605a5657e022bd1cadf80f13446c678728dcde9

SHA256
b4ae6a462c5f24bec5870f6e92d94a00b1e1a4abd95e5433d6ac99a0f9d92042

SHA512
fb47c341b636293d500f1892f02e2be2b16bd0301eedc0c30025c00ae22ce3fe6d42abc0a4837cc5551eeed6cd5bbe815a0301db86bac6a84177a6c103d54d27

Download Submit
memory/2344-36-0x000000001B180000-0x000000001B190000-memory.dmp

Filesize
64KB

Download
memory/2344-37-0x00007FFFC67F0000-0x00007FFFC72B1000-memory.dmp

Filesize
10.8MB

Download
memory/2344-16-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2344-15-0x00007FFFC67F0000-0x00007FFFC72B1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-31-0x000000007386E000-0x000000007386F000-memory.dmp

Filesize
4KB

Download
memory/4052-32-0x0000000000430000-0x0000000000F6E000-memory.dmp

Filesize
11.2MB

Download
memory/4052-33-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/4052-34-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/4052-35-0x00000000059A0000-0x0000000005A3C000-memory.dmp

Filesize
624KB

Download
memory/4408-30-0x00007FFFC67F0000-0x00007FFFC72B1000-memory.dmp

Filesize
10.8MB

Download
memory/4408-4-0x00007FFFC67F0000-0x00007FFFC72B1000-memory.dmp

Filesize
10.8MB

Download
memory/4408-1-0x0000000000240000-0x0000000000982000-memory.dmp

Filesize
7.3MB

Download
memory/4408-0-0x00007FFFC67F3000-0x00007FFFC67F5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing