neshta | e2e888f5e0dec43e08cdfe000040307b32dba99431d00337b69002cadbb1acae

Analysis

max time kernel
0s
max time network
1s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
Size

7.8MB
MD5

a2b6b00c9d611b99e47068506941fa31
SHA1

eadf765375639ba78ee98048aa61ef519efb757e
SHA256

e2e888f5e0dec43e08cdfe000040307b32dba99431d00337b69002cadbb1acae
SHA512

6b5ba15df2ef49a7b9564dade3e023119d00e7208bf59586e0e584d95e610d964e509e752f7f1e524fbdc447b27938bc6074255f4f0f3596652ae996f754816a
SSDEEP

98304:Gnsmtk2a0mtk2aUmtk2aPxOpcjacR2lqxZA1pm2KMhSpo1jgPnQng:4Li69NlqxWpm2KM0sKug

Score

10^/10

neshta xred backdoor discovery persistence spyware

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0003000000011c28-4.dat	family_neshta
behavioral1/files/0x0003000000011c28-6.dat	family_neshta
behavioral1/files/0x0003000000011c28-7.dat	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2252
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe"
  2⤵
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Filesize
128KB

MD5
f39d86ed08800c1edf6ff5b89781f615

SHA1
058245c3e89d4872b73d97e7382ddc00dc9fd418

SHA256
ecc106938cf1c060bc859f488bde73155d7524caf6161497692b0971c91494aa

SHA512
ada5a8f152e67c936afa6b628c4870ed183412c8210f7c78f5c2d2a38d4da93d5b81c914aaa65a9ce827581f5432887cb105de6552a956d62c3dba328b43b5c1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Filesize
2.6MB

MD5
49d6bfc2f65b11039be17378e80d2796

SHA1
dd632af8b4b0a1ef7239971450e86837f5177623

SHA256
29e61a23c178e47f4976027d5f96755871a6a4773d7aa7de51f437bcaaf9e81e

SHA512
731e388c93427a9d5f0e52e5235ccaf909044a2b3b164da0e28da657e5a8717a5e3f2b27e72faa5f2ef294e09279860445c68eb4709e4931e24dbff673e1966c

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Filesize
704KB

MD5
fba01224293a7436517a3b0a9cc09c20

SHA1
d491601af4a310b5d4d6e60cb2083fc25fd8e544

SHA256
a7587fdbdce9a1105879c41301b492c6c21323e108a28efec662f8d64fcff261

SHA512
92c5dd52423211454a292e44e12b8608bd7176c041b43e2c42a8ebdc063ef130dc2f31d2a94332fc0a236fefddf3590ddb45269e0d1ca8047c875de80753c6db

Download Submit
memory/2252-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download