General
- Target: энео.exe
- Size: 37KB
- Sample: 220712-v29jnseah7
- MD5: 560bbfc461eedb8cf63829ba541cf3d9
- SHA1: ed000f409135eae31b75f6099ab67ed51f33682c
- SHA256: 7a044001bcda446a4ab9b93675974040c7fe94c56f29958a32ba4525649ffa4c
- SHA512: 8faa7c76316c43e33b929295a9141f9bdf0630c24d60c2ec1dd92e7216520850fb3fbcf48e7141ade89e3efeb801c658122bd71551a40b79ce05049b212afafb

Malware Config
Extracted: njrat
- im523
- лох
- 7.tcp.eu.ngrok.io:11298
- 4d4d7566839b1261810c4b0008fc6da7
- reg_key: 4d4d7566839b1261810c4b0008fc6da7
- splitter: |'|'|
Signatures
- Detect Neshta payload
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Neshta: malware from the Neshta family infects other files in order to spread itself and cause damage.
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (File Manager Actions)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Process Listing)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
- ACProtect 1.3x - 1.4x DLL software: detects a file protected with ACProtect.
- Disables Task Manager via registry modification
- Executes dropped EXE
- Modifies Windows Firewall
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext