neshta | bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb | Triage

Submit
Reports

Overview

overview

Static

static

bc2f593e82...bb.exe

windows7_x64

bc2f593e82...bb.exe

windows10-2004_x64

Sharing

General

Target

bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb
Size

744KB
Sample

220701-htwlmaafc5
MD5

a3fc29c6698ca5989e265daec8747bcb
SHA1

dfa0fa264b796d564406f21af73cb77e2f5fe22d
SHA256

bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb
SHA512

3e0e79fa91b7a3b8fffd59763ce39203c8e88bceed64cb4964592738546fc2050210cf76df591cfe4badbf76bba9c781518102cc53836e6df09a77497d7e246e

Score

10^/10

neshta pony persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb.exe

Resource

win7-20220414-en

neshta pony persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb.exe

Resource

win10v2004-20220414-en

neshta pony persistence rat spyware stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

pony

C2

http://kahramanlarotolastik.com/w/terry/panel/gate.php

Attributes

payload_url
http://myp0nysite.ru/shit.exe

Targets

- Target
  
  bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb
- Size
  
  744KB
- MD5
  
  a3fc29c6698ca5989e265daec8747bcb
- SHA1
  
  dfa0fa264b796d564406f21af73cb77e2f5fe22d
- SHA256
  
  bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb
- SHA512
  
  3e0e79fa91b7a3b8fffd59763ce39203c8e88bceed64cb4964592738546fc2050210cf76df591cfe4badbf76bba9c781518102cc53836e6df09a77497d7e246e
Score

10^/10

neshta pony persistence rat spyware stealer
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaponypersistenceratspywarestealer

behavioral2

neshtaponypersistenceratspywarestealer

© 2018-2024

Terms | Privacy