neshta | c980b816152d185a63ce5cc4bcd88091c8115e2db31db45055d887f4610bac9e | Triage

Submit
Reports

Overview

overview

Static

static

c980b81615...9e.exe

windows7-x64

c980b81615...9e.exe

windows10-2004-x64

Sharing

General

Target

c980b816152d185a63ce5cc4bcd88091c8115e2db31db45055d887f4610bac9e
Size

90KB
Sample

221001-wjx9csheb9
MD5

795f9d6272dce23fe5a0acafcd36ffe0
SHA1

17420b413d387e66753f31892275f43ff245fed6
SHA256

c980b816152d185a63ce5cc4bcd88091c8115e2db31db45055d887f4610bac9e
SHA512

2dbae35e0e88faaa5a2c554a3fb82eed973585fea884792f7090ad029b791fc984f7312d448ef5bbc0d8c2f3bed72707dd030a42c2bc57a5c0fa0ccffe4ac721
SSDEEP

1536:JxqjQ+P04wsmJC4RQEw4Oa8eYc1evXZV4rXcQWB:sr85C4RQEAa8fc1eh4sdB

Score

10^/10

neshta njrat evasion persistence spyware stealer trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

c980b816152d185a63ce5cc4bcd88091c8115e2db31db45055d887f4610bac9e.exe

Resource

win7-20220901-en

neshta evasion persistence spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

c980b816152d185a63ce5cc4bcd88091c8115e2db31db45055d887f4610bac9e.exe

Resource

win10v2004-20220812-en

neshta njrat evasion persistence spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  c980b816152d185a63ce5cc4bcd88091c8115e2db31db45055d887f4610bac9e
- Size
  
  90KB
- MD5
  
  795f9d6272dce23fe5a0acafcd36ffe0
- SHA1
  
  17420b413d387e66753f31892275f43ff245fed6
- SHA256
  
  c980b816152d185a63ce5cc4bcd88091c8115e2db31db45055d887f4610bac9e
- SHA512
  
  2dbae35e0e88faaa5a2c554a3fb82eed973585fea884792f7090ad029b791fc984f7312d448ef5bbc0d8c2f3bed72707dd030a42c2bc57a5c0fa0ccffe4ac721
- SSDEEP
  
  1536:JxqjQ+P04wsmJC4RQEw4Oa8eYc1evXZV4rXcQWB:sr85C4RQEAa8fc1eh4sdB
Score

10^/10

neshta evasion persistence spyware stealer njrat trojan
- Detect Neshta payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaevasionpersistencespywarestealer

behavioral2

neshtanjratevasionpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy