neshta | 599f33c3eff24c7748de28d8189de0894249e1baac8fd0e7c162d8aa989875c4 | Triage

Submit
Reports

Overview

overview

Static

static

599f33c3ef...c4.exe

windows7-x64

599f33c3ef...c4.exe

windows10-2004-x64

Sharing

General

Target

599f33c3eff24c7748de28d8189de0894249e1baac8fd0e7c162d8aa989875c4
Size

362KB
Sample

220724-ydc3caebdq
MD5

a1c286d8f670186a3d14ec2766f096c5
SHA1

814121996088aac0011294f974f980553a0f228f
SHA256

599f33c3eff24c7748de28d8189de0894249e1baac8fd0e7c162d8aa989875c4
SHA512

1320de5991cc4c56b6d44544469e3c0074a25658cb080e6c99c537e6b5037806a92138f0958efcf96332f17c75807b0e321550ef3835a72afb1f77b2cbdea12a

Score

10^/10

neshta sodinokibi persistence ransomware spyware stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

599f33c3eff24c7748de28d8189de0894249e1baac8fd0e7c162d8aa989875c4.exe

Resource

win7-20220715-en

neshta sodinokibi persistence ransomware spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

599f33c3eff24c7748de28d8189de0894249e1baac8fd0e7c162d8aa989875c4.exe

Resource

win10v2004-20220721-en

neshta sodinokibi persistence ransomware spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  599f33c3eff24c7748de28d8189de0894249e1baac8fd0e7c162d8aa989875c4
- Size
  
  362KB
- MD5
  
  a1c286d8f670186a3d14ec2766f096c5
- SHA1
  
  814121996088aac0011294f974f980553a0f228f
- SHA256
  
  599f33c3eff24c7748de28d8189de0894249e1baac8fd0e7c162d8aa989875c4
- SHA512
  
  1320de5991cc4c56b6d44544469e3c0074a25658cb080e6c99c537e6b5037806a92138f0958efcf96332f17c75807b0e321550ef3835a72afb1f77b2cbdea12a
Score

10^/10

neshta sodinokibi persistence ransomware spyware stealer
- Detect Neshta payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi/Revil sample
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtasodinokibipersistenceransomwarespywarestealer

behavioral2

neshtasodinokibipersistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy