neshta | 05b79797cfb2371b3ac1140f0ef096c247098320da81f83508b14ac92b565a35 | Triage

Submit
Reports

Overview

overview

Static

static

05b79797cf...35.exe

windows7_x64

05b79797cf...35.exe

windows10-2004_x64

Sharing

General

Target

05b79797cfb2371b3ac1140f0ef096c247098320da81f83508b14ac92b565a35
Size

213KB
Sample

220217-jb7rlsbgck
MD5

cbe6f7b8ba34b4d382487a8ca97a50a5
SHA1

dd6a98c25d6c6cef9570bb8cee0ac0d89cfbf6e7
SHA256

05b79797cfb2371b3ac1140f0ef096c247098320da81f83508b14ac92b565a35
SHA512

921f8d04c8b7a5fba7ddda3197e77aa19413364d3013e59a0171c8895fa9eb9177eccbd17992f09eca1f06c2e975a6f27e30ba498894fbfddbb7e308bd7be84e

Score

10^/10

neshta netwire botnet persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

05b79797cfb2371b3ac1140f0ef096c247098320da81f83508b14ac92b565a35.exe

Resource

win7-en-20211208

neshta netwire botnet persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

05b79797cfb2371b3ac1140f0ef096c247098320da81f83508b14ac92b565a35.exe

Resource

win10v2004-en-20220112

neshta netwire botnet persistence rat spyware stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

needforrat.hopto.org:7777

96.47.228.213:3360

Attributes

activex_autorun
true
activex_key
{VRVQ00BP-0QES-U71M-FL27-Y437O77F8483}
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
vrnshrgM
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Targets

- Target
  
  05b79797cfb2371b3ac1140f0ef096c247098320da81f83508b14ac92b565a35
- Size
  
  213KB
- MD5
  
  cbe6f7b8ba34b4d382487a8ca97a50a5
- SHA1
  
  dd6a98c25d6c6cef9570bb8cee0ac0d89cfbf6e7
- SHA256
  
  05b79797cfb2371b3ac1140f0ef096c247098320da81f83508b14ac92b565a35
- SHA512
  
  921f8d04c8b7a5fba7ddda3197e77aa19413364d3013e59a0171c8895fa9eb9177eccbd17992f09eca1f06c2e975a6f27e30ba498894fbfddbb7e308bd7be84e
Score

10^/10

neshta netwire botnet persistence rat spyware stealer
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtanetwirebotnetpersistenceratspywarestealer

behavioral2

neshtanetwirebotnetpersistenceratspywarestealer

© 2018-2024

Terms | Privacy