neshta | c5736dc1d870791ee98c77c6c845bb2a1b04eb5e23bcab7cc52f1d98ef251dc5 | Triage

Submit
Reports

Overview

overview

Static

static

c5736dc1d8...c5.exe

windows7-x64

c5736dc1d8...c5.exe

windows10-2004-x64

Sharing

General

Target

c5736dc1d870791ee98c77c6c845bb2a1b04eb5e23bcab7cc52f1d98ef251dc5
Size

401KB
Sample

221120-n1gzpsfc5z
MD5

304670fe2180be81c4c4ba7c45423e0b
SHA1

18e602132ad830ed4f108cdd497860d8d7ef79a0
SHA256

c5736dc1d870791ee98c77c6c845bb2a1b04eb5e23bcab7cc52f1d98ef251dc5
SHA512

71556a18b467e82a02806fda0f966832ac33251e1e22a52de65505721515518a7095da25be267fc5cc194a710892beb8323f57aa08f667c8f978e2842acbeeb8
SSDEEP

6144:k9JYCuQD4bGWx8JlRLoCVv4H79Iu/crfHS2ULQQhzodcXNOoizXZm3:S4QUbGoirEWYKu/crfHS2UHzodoizJK

Score

10^/10

neshta persistence spyware stealer vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

c5736dc1d870791ee98c77c6c845bb2a1b04eb5e23bcab7cc52f1d98ef251dc5.exe

Resource

win7-20221111-en

neshta persistence spyware stealer vmprotect

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

c5736dc1d870791ee98c77c6c845bb2a1b04eb5e23bcab7cc52f1d98ef251dc5.exe

Resource

win10v2004-20221111-en

neshta persistence spyware stealer vmprotect

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  c5736dc1d870791ee98c77c6c845bb2a1b04eb5e23bcab7cc52f1d98ef251dc5
- Size
  
  401KB
- MD5
  
  304670fe2180be81c4c4ba7c45423e0b
- SHA1
  
  18e602132ad830ed4f108cdd497860d8d7ef79a0
- SHA256
  
  c5736dc1d870791ee98c77c6c845bb2a1b04eb5e23bcab7cc52f1d98ef251dc5
- SHA512
  
  71556a18b467e82a02806fda0f966832ac33251e1e22a52de65505721515518a7095da25be267fc5cc194a710892beb8323f57aa08f667c8f978e2842acbeeb8
- SSDEEP
  
  6144:k9JYCuQD4bGWx8JlRLoCVv4H79Iu/crfHS2ULQQhzodcXNOoizXZm3:S4QUbGoirEWYKu/crfHS2UHzodoizJK
Score

10^/10

neshta persistence spyware stealer vmprotect
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtapersistencespywarestealervmprotect

behavioral2

neshtapersistencespywarestealervmprotect

© 2018-2024

Terms | Privacy