neshta

General

Target

hello.exe
Size

37KB
Sample

220616-2ssccscae3
MD5

f6578c4f484063121bb63109b543fb95
SHA1

baae4772f958a85f2420a7c112f3b0ee02f962ce
SHA256

c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e
SHA512

882590671a309211271e40665ad0561c2f9474aac477a55dbe79e58122cb4370854641e84a9bd7d2d138eca3bef2d2453bacac501042139a7ec74cd37cacd87c

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

gay

C2

5.tcp.eu.ngrok.io:12059

Mutex

17a12256c22089ecda68e950006be021

Attributes

reg_key
17a12256c22089ecda68e950006be021
splitter
|'|'|

Extracted

Family

njrat

Version

im523

Botnet

109.197.196.135:9991

Mutex

413491cbe232876548b9b7cd8a1b451d

Attributes

reg_key
413491cbe232876548b9b7cd8a1b451d
splitter
|'|'|

Targets

- Target
  
  hello.exe
- Size
  
  37KB
- MD5
  
  f6578c4f484063121bb63109b543fb95
- SHA1
  
  baae4772f958a85f2420a7c112f3b0ee02f962ce
- SHA256
  
  c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e
- SHA512
  
  882590671a309211271e40665ad0561c2f9474aac477a55dbe79e58122cb4370854641e84a9bd7d2d138eca3bef2d2453bacac501042139a7ec74cd37cacd87c
Score

10^/10

neshta njrat ramnit next banker evasion persistence spyware stealer suricata trojan upx worm
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
  suricata
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2