neshta | cd6a8e6b17a1ecb5aafb24ef4f7ec0ba0be44508ea10dbde551e0037220571f8 | Triage

Submit
Reports

Overview

overview

Static

static

6410f4bc5d...9a.exe

windows7_x64

6410f4bc5d...9a.exe

windows10-2004_x64

Sharing

General

Target

6410f4bc5d7a56d4af850984b05b149a.exe
Size

893KB
Sample

220706-tgryfsggb3
MD5

6410f4bc5d7a56d4af850984b05b149a
SHA1

07b105db29418af54a19426d7bd9959a16ad0575
SHA256

cd6a8e6b17a1ecb5aafb24ef4f7ec0ba0be44508ea10dbde551e0037220571f8
SHA512

fc0ab672676b206eb7eafd882fd5d56e3d0a64b6dad0862624fe34fb9085a1b59a67958c4d8cebc0154b940440ead70b6072658e7dac08b011c8124c4d3aa4c3

Score

10^/10

neshta redline ch discovery infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

6410f4bc5d7a56d4af850984b05b149a.exe

Resource

win7-20220414-en

neshta redline ch discovery infostealer persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

6410f4bc5d7a56d4af850984b05b149a.exe

Resource

win10v2004-20220414-en

neshta redline ch discovery infostealer persistence spyware stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

ch

C2

34.174.95.150:54865

Targets

- Target
  
  6410f4bc5d7a56d4af850984b05b149a.exe
- Size
  
  893KB
- MD5
  
  6410f4bc5d7a56d4af850984b05b149a
- SHA1
  
  07b105db29418af54a19426d7bd9959a16ad0575
- SHA256
  
  cd6a8e6b17a1ecb5aafb24ef4f7ec0ba0be44508ea10dbde551e0037220571f8
- SHA512
  
  fc0ab672676b206eb7eafd882fd5d56e3d0a64b6dad0862624fe34fb9085a1b59a67958c4d8cebc0154b940440ead70b6072658e7dac08b011c8124c4d3aa4c3
Score

10^/10

neshta redline ch discovery infostealer persistence spyware stealer
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

neshtaredlinechdiscoveryinfostealerpersistencespywarestealer

behavioral2

neshtaredlinechdiscoveryinfostealerpersistencespywarestealer

© 2018-2024

Terms | Privacy