neshta | a3eaed42c0457e69736b65abc55639deba7e6bfb94948dd3ed8b5f6ca968a979 | Triage

Sharing

General

Target

tmp
Size

140KB
Sample

220729-hnlt8sfger
MD5

cde0aa36b80beafa74e258c5384ab684
SHA1

0678a1ca625aebb6e88d38e3dc0796be573b5c06
SHA256

a3eaed42c0457e69736b65abc55639deba7e6bfb94948dd3ed8b5f6ca968a979
SHA512

373d420c21dfff931396416781011930701544c5a241097044f402079f3dcd2a35b982fe3eac66899692071222f047fdf4bff0a5e0466fb2aa88244d6a20e4d7

Score

10^/10

neshta remcos president persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

President

C2

winam.ddns.net:2401

dropy2.ddns.net:2400

dropy1.ddns.net:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
svchost.exe
copy_folder
updates
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
windows
keylog_path
%AppData%
mouse_option
false
mutex
remcos_bvmobmufbe
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Logs
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  tmp
- Size
  
  140KB
- MD5
  
  cde0aa36b80beafa74e258c5384ab684
- SHA1
  
  0678a1ca625aebb6e88d38e3dc0796be573b5c06
- SHA256
  
  a3eaed42c0457e69736b65abc55639deba7e6bfb94948dd3ed8b5f6ca968a979
- SHA512
  
  373d420c21dfff931396416781011930701544c5a241097044f402079f3dcd2a35b982fe3eac66899692071222f047fdf4bff0a5e0466fb2aa88244d6a20e4d7
Score

10^/10

neshta remcos president persistence rat spyware stealer
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaremcospresidentpersistenceratspywarestealer

behavioral2

neshtaremcospresidentpersistenceratspywarestealer