neshta | 9633233c282a607fa77c682297792ee969551fecf2d1f8b4aef84d1c5727815f | Triage

Submit
Reports

Overview

overview

Static

static

44433.xlsx

windows7_x64

44433.xlsx

windows10_x64

1

Sharing

General

Target

44433.xlsx
Size

228KB
Sample

211117-rwxq5shhep
MD5

4b706efaed4510b2dd3666d5db7c031d
SHA1

685b71c0c0c322355631216d0bc1151a6907f107
SHA256

9633233c282a607fa77c682297792ee969551fecf2d1f8b4aef84d1c5727815f
SHA512

794baae84872ffa510995d8aa888ef658d2d002d6d638c4171d5159dcdcb94c634d4d6c406005d40bbd3b43a68585dd11fd7af1ad2a4e4d612ac7b354fecfbf0

Score

10^/10

neshta persistence spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

44433.xlsx

Resource

win7-en-20211104

neshta persistence spyware stealer suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

44433.xlsx

Resource

win10-en-20211104

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  44433.xlsx
- Size
  
  228KB
- MD5
  
  4b706efaed4510b2dd3666d5db7c031d
- SHA1
  
  685b71c0c0c322355631216d0bc1151a6907f107
- SHA256
  
  9633233c282a607fa77c682297792ee969551fecf2d1f8b4aef84d1c5727815f
- SHA512
  
  794baae84872ffa510995d8aa888ef658d2d002d6d638c4171d5159dcdcb94c634d4d6c406005d40bbd3b43a68585dd11fd7af1ad2a4e4d612ac7b354fecfbf0
Score

10^/10

neshta persistence spyware stealer suricata
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtapersistencespywarestealersuricata

behavioral2

© 2018-2024

Terms | Privacy