neshta

General

Target

иуеr.exe
Size

25KB
Sample

220522-wxnbbaagf6
MD5

ae72c198c0825712f203e258571c0e87
SHA1

066ef64d5f5bb96e1714247c97aaf291907a7b3f
SHA256

7237dd5e4e0c1f2bb79a3ede0919cddf1cac7f1095deb1070275ac4669691c65
SHA512

a48c90badd2346df3e8f1cb1807b9f22177835aba52f2718ed8bc0c00fd4f5020958fe6e8b02c23c1c7380b68c96b1ad17dee51a536a0a26e4f98598354604a1

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3582-490\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

gay

C2

7.tcp.eu.ngrok.io:14345

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  иуеr.exe
- Size
  
  25KB
- MD5
  
  ae72c198c0825712f203e258571c0e87
- SHA1
  
  066ef64d5f5bb96e1714247c97aaf291907a7b3f
- SHA256
  
  7237dd5e4e0c1f2bb79a3ede0919cddf1cac7f1095deb1070275ac4669691c65
- SHA512
  
  a48c90badd2346df3e8f1cb1807b9f22177835aba52f2718ed8bc0c00fd4f5020958fe6e8b02c23c1c7380b68c96b1ad17dee51a536a0a26e4f98598354604a1
Score

10^/10

neshta njrat wannacry gay aspackv2 discovery persistence ransomware spyware stealer suricata trojan worm
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1