neshta

Sharing

Copy URL

Twitter E-mail

General

Target

DangerousRAT.zip
Size

34.1MB
Sample

250225-sxlwpssrs7
MD5

a34b27d5181f264bf71b808b0661c2b7
SHA1

8f672f156303812e2b68228cab83c0c6062ae167
SHA256

6a051afc95e34431e4abbe7d4a4de66f07c80ea2dc42cbe5e5816ea3da6eaee6
SHA512

2fdd9a049196aa8d899960b116b208b7d61f2e15423970a625eea2ad0210094a94e0879637d5c382938cfb26f64d6e62556bca36ba2b3b0c12365cba7f015bae
SSDEEP

786432:8uRb8iHLwBGk+DKptwSIuqCyllWApExmjbL7wRy3yrXk:8uRAitDKp/q2ApEybfwRyCrU

Score

10^/10

Malware Config

Extracted

Family

njrat

Mutex

%Cor%

Attributes

reg_key
%Cor%
splitter
|-F-|

Extracted

Family

xworm

Version

3.0

3skr.uncofig.com:9999

Mutex

wRjQMjeNtaZnUCMU

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

aes.plain

Targets

- Target
  
  Dangerous RAT/Dangerous RAT.exe
- Size
  
  7.2MB
- MD5
  
  302cb7218c3275c139ac070dae4f4daa
- SHA1
  
  bcf24a42ae53f36863caa8b9c49a67d6a2bbc223
- SHA256
  
  0079ba87b80bba1dbeb2fb1ea7361f7a44d0c4e9d55995c28b3329e9265a8c14
- SHA512
  
  118819ac3011e0cb6222e883c95d179a970b8166dccdff7ed3bdeb34d1f67a5eee1ef2b251d708fd67b07835eb67cdbfcf877bb722f35a4dd086e38bf98c8adb
- SSDEEP
  
  196608:/btBPRnfvon6IZYhydLLCdsflb8MKHTdas:7ZQ60LyS8MSas
Score

10^/10

neshta xworm discovery persistence rat spyware trojan
- Detect Neshta payload
- Detect Xworm Payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Dangerous RAT/Extensions/Bind.dat
- Size
  
  35KB
- MD5
  
  8820452a304f56a3f2e6d495b5385bd2
- SHA1
  
  494fe0909bacb62c9e181bb4d70ef2be7d4d0815
- SHA256
  
  64959c6420c9b668abbaefa724253cb83573f4947b0c3c43597dcb961dc09da6
- SHA512
  
  6545e7430fba5e7cdf4e82b4f7aa2bb96488922ebd75cfb57111d67cfcd2858aacc1a1d64bc247382e7adcfac5c70e91d5c7f615b2048067954f541fd96f2415
- SSDEEP
  
  384:un3viNVJ4BpGCG0w4JXuEn00oXnPSGecL/p9xWMoDdIm7:of8VeM+WV9xWMoCm
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Dangerous RAT/FastColoredTextBox.dll
- Size
  
  333KB
- MD5
  
  b746707265772b362c0ba18d8d630061
- SHA1
  
  4b185e5f68c00bef441adb737d0955646d4e569a
- SHA256
  
  3701b19ccdac79b880b197756a972027e2ac609ebed36753bd989367ea4ef519
- SHA512
  
  fd67f6c55940509e8060da53693cb5fbac574eb1e79d5bd8f9bbd43edbd05f68d5f73994798a0eed676d3e583e1c6cde608b54c03604b3818520fa18ad19aec8
- SSDEEP
  
  6144:4FErOIif3RzSHh+20lXs1TzCeBcQeDbNlz7:eEeR52bmeh0n
Score

1^/10
behavioral5 behavioral6
- Target
  
  Dangerous RAT/Kalogar_Online/Dell-12-30-2020/Keylog.rtf
- Size
  
  418B
- MD5
  
  2cb3d075e3e836741d45d2e0f5adcd93
- SHA1
  
  9faaee0fb2aea0c8021b4a08d4ab9c4485001dbc
- SHA256
  
  a7b6e9c3d31de8e8f22f346f9ff38f8f0a3f258a46f563ccb5f832a715bc3a26
- SHA512
  
  4c81eb27a74f8576d4f11e4a9296f4d2e4760f0b8d6779d6f3978dcd2873d11f9aeed64ce2ea7fd5a97878c609b18cdcd97b8af5b9cb9f5a1d86c6f5a9d33c26
Score

4^/10

discovery
behavioral7 behavioral8
- Target
  
  Dangerous RAT/Kay/Bind.dat
- Size
  
  33KB
- MD5
  
  98dca3c1bae7b12d90e05d56e23aab17
- SHA1
  
  4d0b3e9ef7f5e0d18bd8b97774963e89493c3494
- SHA256
  
  7b0d30222fd50ca8a4a5ea1af483e85ea7a332545b54344fc8fceb2e2fc2bfb9
- SHA512
  
  d8732a9c076f6f4d2fcce6c287705923b4f3983e0ce0381a419267c43f0b17d618e513f2981b7a033b0c546fe216671f4bb4ca1980dd7575da0ee8c7a3bbb8ca
- SSDEEP
  
  384:7L/Lu3GPLT8h16CnEkYuAu3tm9uuTMmv5Onuuuu/uuuuhuu7+sgPnEsU99uuEuu+:v63+SmnE55kQYd5c6s
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Dangerous RAT/Kay/Stub.bin
- Size
  
  15KB
- MD5
  
  ea2fe690956e04b29db465f14fc26690
- SHA1
  
  d027c14e779aee5e8c3f4028417eca8d53c77c1f
- SHA256
  
  15ac5860a78b240b7063b95d2f701848162f21155baa9ec4d528c516bba25893
- SHA512
  
  6b4c60460b23aa063d55e1dc051fcc5dcf434c6f1d3d7b2656d48cc05246294f38f4f3477006fdc48c7c3383cc242be1bd36f96362ee57ec0de79c5f58fe2709
- SSDEEP
  
  192:FIfeuLOlUZ+7STfJwYfStbfSNQgaZm6LKnloYU45WtIhfjrX9iv8I/0lLBP:FIfeGO7uxykMBLf45WQfjrX968/BBP
Score

7^/10

discovery execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral11 behavioral12
- Target
  
  Dangerous RAT/Kay/Stub.dat
- Size
  
  14KB
- MD5
  
  dc4b478752e593e0e246d6b61a98c14c
- SHA1
  
  ff7f8dd6d53071382456a5289d3626975c5a4ea3
- SHA256
  
  d76432bca73fe93e090730595e8e7e81decf40391010500ed3eb4b0d8980d2a6
- SHA512
  
  11168eb4244598c25f2c862df72aa18e92f16822e269644201917ba4c6b9623e1155ba45798c909e03a27a05f31a24359e4963dfdc83fbb2c8ec69bd4bb199bb
- SSDEEP
  
  192:iFkrdkC/edZo7jUbUeu5wZmNYnloYk4suNIDLTNp7kFT7Cx23wqYn:iFWdkuec8a4sO+LTNpA8x3qY
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  Dangerous RAT/Kay/Stub.il
- Size
  
  277KB
- MD5
  
  c3bb1b357fb7ffdabe2d72f67a8efdfe
- SHA1
  
  e75a83b862d6920773cde8cf424bdb739dbf73b9
- SHA256
  
  6e6e8087faee9b91bbb2bc996feb1057321b98913266e4054ef227c86eb42ccb
- SHA512
  
  65d678bc75b37acab474027e24c3528d802907c5513d2523c2bc67548cb37b2debaf55beb7351980b8741868412923059df5e85f0c155e3736be42da117f3f65
- SSDEEP
  
  3072:1zP6lrekZOtsTOpwmx0dMtTf4bKFLk1euINYXI:1zClnZOtuOpgdM9fyKFLk1fINYXI
Score

1^/10
behavioral15 behavioral16
- Target
  
  Dangerous RAT/Mono.Cecil.dll
- Size
  
  305KB
- MD5
  
  851ec9d84343fbd089520d420348a902
- SHA1
  
  f8e2a80130058e4db3cf569cf4297d07d05c93e0
- SHA256
  
  cdadc26c09f869e21053ee1a0acf3b2d11df8edd599fe9c377bd4d3ce1c9cda9
- SHA512
  
  5e1d1b953fda4a905749eff8c4133a164748ba08c4854348539d335cf53c873eae7c653807a2701bf307693a049ae6c523bd1497a8e659bdea0a71085a58a5f1
- SSDEEP
  
  6144:ueMQM/aMOZabe3h1PtRjAqmYVNf3yTXcYBbt6KMBhu:uF/aMDb8BtRjA7XcYNclB
Score

1^/10
behavioral17 behavioral18
- Target
  
  Dangerous RAT/NAudio.dll
- Size
  
  382KB
- MD5
  
  422193aabd3d62275b2b98470279d9f2
- SHA1
  
  62ff295275cfbc07132934e473e43b0a4749ec39
- SHA256
  
  cd9709bf1c7396f6fe3684b5177fa0890c706ca82e2b98ba58e8d8383632a3c8
- SHA512
  
  1ac568f7448ed4a7eed1a9296a8ea132eb0bea0d5e622f80147bca701ab1212421d25a847dbc469abc4089042d3c662235be6d44b12446d174b13223a78f682c
- SSDEEP
  
  6144:r+RsYcXreeC8Kl6jQX4ZL2dmeNVnhZD6sg++3aadCDbjuCNj2GLk:IgXfexdD+Y+dCA
Score

1^/10
behavioral19 behavioral20
- Target
  
  Dangerous RAT/Plugin/AN.dll
- Size
  
  15KB
- MD5
  
  b3c721c3314d2c20ba685e6b03601467
- SHA1
  
  8f1e158e5199394f9687f25e216213ee8172996d
- SHA256
  
  3120498168f968b2e7a3f44ef09b9c2e99da6b3dd64b1728df20f873297b7431
- SHA512
  
  7d71934d84a4d99d65ba03c2019632694a1bce76dc0ea95ca52db00070bfc660e66bd288b8d08928767222b74a4232cbc5019eef56952f6a522eb64ef8846eef
- SSDEEP
  
  384:b0is/P8/d+iU1irbb09VkwqELjwF2pMT0HWSJU36:b0iu81gKbbsxi6
Score

1^/10
behavioral21 behavioral22
- Target
  
  Dangerous RAT/Plugin/Adf.dll
- Size
  
  17KB
- MD5
  
  d1a3d0619a4f1c40ad0042ee0f37ce3e
- SHA1
  
  bf86bf2d7ede77a29a75b257c4d1ead85b0d01b9
- SHA256
  
  2c860ae1f6b9ad6f0fed907c268714cb2c2c7615d89f0733682014ec852bb3fe
- SHA512
  
  3023603ebd8dd527787c94eaca844c8df422a02f3da6f51c66d417a5138903bfa283c48dc64e757a63343320a80a50cdd72abc6544f5cb2c1a750f5e06781030
- SSDEEP
  
  384:Qs/W8W+vkpJc49GjS2HLjwSBpM/bnQdWJzyg:Qn8WikrGjbqy
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  Dangerous RAT/Plugin/Ant.dll
- Size
  
  14KB
- MD5
  
  8854809c9c8f5feb776ed337761c0390
- SHA1
  
  1ed9deb4a774852b92cfd58d769c539c583a6ec1
- SHA256
  
  4d962f32f94f83d52e193a191df6d0202d441773eba0969df4fcada62385baeb
- SHA512
  
  d267cf32a009155648a8aa6e011465331d37c5a349e042a2099420824bb7128a38fbf87ee3d18df39cc6de2f3a97eb5fad4568bbcf430b32833e9f7ea1bb2905
- SSDEEP
  
  384:GgdovW5UJ0ELsElpBIx68tSzmtuxNvoF:BdoOH6kYNvoF
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  Dangerous RAT/Plugin/Anx.dll
- Size
  
  20KB
- MD5
  
  44d692fbbdb6885457057ee5bd5d257b
- SHA1
  
  b861d3dcba13aa578679f69a16d251c5b3b68a6d
- SHA256
  
  f5e3a28d021745b4f3eb8e12f228fcba12bd01d668569f70d6c1aecd33a21777
- SHA512
  
  5e06c1851dd17c884fccc2bb5da12dacda4df228c7fd1853df1b17c93420ae23edb727eddfad170598c9e1367ee41e40ba1cb7f66aef3bb634fceb4c38c0363b
- SSDEEP
  
  384:2xQ9Bb0GlHF6ar+i9gAlpBIx6wvtSz17xrtcM8MqPIM+5:H9pVF6eT9hsVi7P8MqPIH5
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  Dangerous RAT/Plugin/Cli.dll
- Size
  
  15KB
- MD5
  
  39c44ad43461da2127dfbb978853c210
- SHA1
  
  af5208fcc091d0168cfd2ad131cbc810d4062b73
- SHA256
  
  8ee8407c076076b5bcd1a6f2f245a18aa5cfdbc16df19d69dc6375a0ec098533
- SHA512
  
  f2ba948e4c1b383d0c47acb252f2eb1e04016eeee4db39ad1f36cf8d33124a99d3369ae26416f1afa2afe7540160467f7a826a323ee3b986e24e72c90f488a49
- SSDEEP
  
  384:cbJymHbacA1dl+ASQilpBIx6wvtSz1zPBFMClguw:EJyMbVAKQesVibMClguw
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  Dangerous RAT/Plugin/Dc.dll
- Size
  
  23KB
- MD5
  
  a16dcbae0d7f2d40066e1528e9520ea3
- SHA1
  
  3c50db3271b099d69e49783c8d8c240ab19f371a
- SHA256
  
  4fe2421b3b896dfb0c1e81f2f8a2b97a9776fba3f6cdd1f97595138cc10d7d66
- SHA512
  
  6b368be2620624f9ba18555d927fe8f10d0aac9b0215cb35016f36d7599c825db212e9d9796389152d9bd017350cfb0ad7b1309696a2a3a868cb14bb7c78fcca
- SSDEEP
  
  384:rx82T3sfbHOpiyjVYMlpBIx6STB6iNqkPDRk2:r3sMiyj2YiNqYDRk2
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Neshta payload

Detect Xworm Payload

Neshta family

Xworm

Xworm family

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Checks computer location settings

Command and Scripting Interpreter: PowerShell

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32