General

  • Target

    2816723_Invoice_receipt.vbs

  • Size

    3KB

  • Sample

    210917-ww1v1sahgr

  • MD5

    eaf19e86a4dab23ea534c50700044dff

  • SHA1

    32fdfb387dfde6946a4ca7851500bbaffd2608c2

  • SHA256

    49d201c4f1d8da00165e974d19bade57ee89df4ad2bfd84fb5f6129d5ef9c840

  • SHA512

    6c7affea47a243db26c83ff98f7778efd0779f52721762857a0eb0c40c772ba06a9cb3478f153a53238d48e275bd79f4c6f206ebb8ad241223a4a5194ed46519

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: https://transfer.sh/nlFGs3/bypass.txt

Targets

    • Target

      2816723_Invoice_receipt.vbs


    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Neshta is a file-infecting virus: it writes its own code into other executable files on the host so that launching any infected program runs the virus again, spreading the infection and damaging the files it touches.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
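
The two behavioural signatures above that are easiest to turn into host-side detection are "Modifies system executable filetype association" and "Blocklisted process makes network request". The following Python is an added example, not code from the sandbox or from this report: it applies both checks to a handful of constructed Sysmon-style event records (Event ID 13 for registry value writes, Event ID 3 for network connections). The events, image paths and the `svchost.com` value are assumed for illustration; only the transfer.sh hostname comes from the report's extracted config.

```python
"""
Added example (not part of the sandbox report): apply two of the report's
behavioural signatures to constructed Sysmon-style event records.

  * "Modifies system executable filetype association" -> Sysmon Event ID 13
    (registry value set) on exefile\\shell\\open\\command whose data is not the
    Windows default  "%1" %*
  * "Blocklisted process makes network request"       -> Sysmon Event ID 3
    (network connect) originating from a script host such as wscript.exe or
    powershell.exe
"""
import re
from typing import Iterable

# Default data of HKCR\exefile\shell\open\command on a clean Windows host.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Script hosts that should not normally originate outbound connections.
BLOCKLISTED_IMAGES = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Matches both the HKCR and the HKLM\SOFTWARE\Classes spelling of the key.
EXEFILE_KEY_RE = re.compile(
    r"(^|\\)(classes\\)?exefile\\shell\\open\\command$", re.IGNORECASE
)

# Constructed sample events (assumed paths and values, not from the report).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKCR\exefile\shell\open\command",
     "Details": r'C:\Windows\svchost.com "%1" %*',
     "Image": r"C:\Users\u\AppData\Local\Temp\bypass.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command",
     "Details": '"%1" %*',
     "Image": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "transfer.sh", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "transfer.sh", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\bypass.exe"},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exefile_association_modified(event: dict) -> bool:
    """True when a registry write sets the exefile open command to a non-default value."""
    if event.get("EventID") != 13:
        return False
    if not EXEFILE_KEY_RE.search(event.get("TargetObject", "")):
        return False
    return event.get("Details", "").strip() != DEFAULT_EXEFILE_COMMAND


def blocklisted_network_request(event: dict) -> bool:
    """True when a network connection originates from a blocklisted script host."""
    return event.get("EventID") == 3 and image_name(event.get("Image", "")) in BLOCKLISTED_IMAGES


def triage(events: Iterable[dict]) -> list:
    """Return (signature name, event) pairs for every event that trips a check."""
    hits = []
    for ev in events:
        if exefile_association_modified(ev):
            hits.append(("Modifies system executable filetype association", ev))
        if blocklisted_network_request(ev):
            hits.append(("Blocklisted process makes network request", ev))
    return hits


if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"{name}: {ev.get('Image')}")
```

The registry check deliberately compares against the default data rather than looking for one specific payload name, so any rewrite of the exefile association (not only the `svchost.com` value assumed here) is flagged; the network check keys on the originating image, so a browser reaching the same host is not reported while a script host is.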

MITRE ATT&CK Enterprise v6

Tasks