General

  • Target

    a49fb8e2dcc7117513ade566b7599d633e9c122a1f35562cd730f16fab043a3c

  • Size

    1.3MB

  • Sample

    220701-hnjpwaada4

  • MD5

    4b0ea69a5c818637289aab3f1559cc37

  • SHA1

    1b56746e5b5dd99037ef81c12410bb6d16ef7f82

  • SHA256

    a49fb8e2dcc7117513ade566b7599d633e9c122a1f35562cd730f16fab043a3c

  • SHA512

    6da4dd807902369c479c4c0675ce6f1845faf8141e41bf98aecf40ddb2e9bbc80cbcb1f83a29c90aa6faac3029a1bcec4f705e99974ed1519e03bdf057c08a7c

Malware Config

  • Extracted

  • Family

    sality

  • C2

    http://89.119.67.154/testo5/

    http://kukutrustnet777.info/home.gif

    http://kukutrustnet888.info/home.gif

    http://kukutrustnet987.info/home.gif

Targets

    • Target

      a49fb8e2dcc7117513ade566b7599d633e9c122a1f35562cd730f16fab043a3c

    • Size

      1.3MB

    • MD5

      4b0ea69a5c818637289aab3f1559cc37

    • SHA1

      1b56746e5b5dd99037ef81c12410bb6d16ef7f82

    • SHA256

      a49fb8e2dcc7117513ade566b7599d633e9c122a1f35562cd730f16fab043a3c

    • SHA512

      6da4dd807902369c479c4c0675ce6f1845faf8141e41bf98aecf40ddb2e9bbc80cbcb1f83a29c90aa6faac3029a1bcec4f705e99974ed1519e03bdf057c08a7c

    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other files in order to spread and cause damage.

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Windows security modification

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Change Default File Association (T1042): 1

    Modify Existing Service (T1031): 1

  • Privilege Escalation

    Bypass User Account Control (T1088): 1

  • Defense Evasion

    Modify Registry (T1112): 5

    Bypass User Account Control (T1088): 1

    Disabling Security Tools (T1089): 3

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 1

Tasks