neshta | cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348 | Triage

Submit
Reports

Overview

overview

Static

static

cded3258be...48.exe

windows7_x64

cded3258be...48.exe

windows10-2004_x64

Sharing

General

Target

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348
Size

237KB
Sample

220216-zzqe8sdae6
MD5

b07832b0972e53a061c5293a37773a1e
SHA1

cb5d257d565b7fdba79851c8008d0a17d01f914d
SHA256

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348
SHA512

e977f86dc9f6c288b0e77e6701e89e2dd1d8834fe1a4c2c4926e1493d35ddb538e44df27c7988e83f4b9521aaf717fcb93a55b5449b69729d56f80bc4f8d2be5

Score

10^/10

neshta netwire botnet persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

Resource

win7-en-20211208

neshta netwire botnet persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

Resource

win10v2004-en-20220113

neshta netwire botnet persistence rat spyware stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

23.105.131.142:3368

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Love1234
registry_autorun
false
startup_name
use_mutex
false

Targets

- Target
  
  cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348
- Size
  
  237KB
- MD5
  
  b07832b0972e53a061c5293a37773a1e
- SHA1
  
  cb5d257d565b7fdba79851c8008d0a17d01f914d
- SHA256
  
  cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348
- SHA512
  
  e977f86dc9f6c288b0e77e6701e89e2dd1d8834fe1a4c2c4926e1493d35ddb538e44df27c7988e83f4b9521aaf717fcb93a55b5449b69729d56f80bc4f8d2be5
Score

10^/10

neshta netwire botnet persistence rat spyware stealer
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtanetwirebotnetpersistenceratspywarestealer

behavioral2

neshtanetwirebotnetpersistenceratspywarestealer

© 2018-2024

Terms | Privacy