neshta

General

Target

Fast
Size

96KB
Sample

220131-gf2eaaffgr
MD5

450530b6fe77db0c5283fdbc8461a6b5
SHA1

0f6d22fd7a5b78ae62d048d9d648f954a06b7a22
SHA256

a4008ecc4d4ff0cb00b21beb49dfd9ff74f21dac59d7d9495f7556af02e09196
SHA512

f2239705b8ae7aaf42ae4a4f3b28550539f08cd5b7c7e351b81892c205200c1a6786169d8bd3090b6a825c742df20277fda0f64e369739657f8d9cfd5d384c7d

Score

10^/10

Malware Config

Targets

- Target
  
  Fast
- Size
  
  96KB
- MD5
  
  450530b6fe77db0c5283fdbc8461a6b5
- SHA1
  
  0f6d22fd7a5b78ae62d048d9d648f954a06b7a22
- SHA256
  
  a4008ecc4d4ff0cb00b21beb49dfd9ff74f21dac59d7d9495f7556af02e09196
- SHA512
  
  f2239705b8ae7aaf42ae4a4f3b28550539f08cd5b7c7e351b81892c205200c1a6786169d8bd3090b6a825c742df20277fda0f64e369739657f8d9cfd5d384c7d
Score

10^/10

neshta phobos evasion persistence ransomware spyware stealer
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2