neshta

Sharing

Copy URL

Twitter E-mail

General

Target

4e32bec63d6c3bd84610060a50c7bffb89a7e19c2d41953b613d20f3d74dba2d
Size

3.2MB
Sample

221125-w8brnaad5t
MD5

07812bb2c19bbeb96f25aa87b0c08c89
SHA1

d2f120d2f3f784c61495f2fca3e8b3708b7bb00d
SHA256

4e32bec63d6c3bd84610060a50c7bffb89a7e19c2d41953b613d20f3d74dba2d
SHA512

a2b4cdc46ffe163b2e9f75c7dc3c9cd4e334f5473c61aec796b72169c3e14f482e6a95302c4e1b3a16069849d500c690f9e0c90711f31027aee8c6876639eb2a
SSDEEP

98304:iPccVoXKlwgxG7IAJ40zSiRNMKBMLaVae9F8w:2toXKlylLO2jBMLSa9w

Score

10^/10

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

- Target
  
  announce.exe
- Size
  
  116KB
- MD5
  
  511e3d166caf4df562a82b58f564bead
- SHA1
  
  5c6be8a2e31193d6fe743c13c6585037782f413f
- SHA256
  
  57d6ff0340f289696e455ca0310a3051a92f45605e2fadf2b752f7fec9dfcc29
- SHA512
  
  970bcd311ffae687df778608d1c7109eb37de64b4e296595a11e6583d0a87a45a7e93b7aea4ad9a440d442975ffd03f1343896a2f94567b75a9247db899bf1c6
- SSDEEP
  
  3072:Oa1jqZp+DtSXLB2bJcB+x2cd0OC0Lj+ylG8:OM+ZtXkCBO40Lj9
Score

10^/10

sality backdoor evasion trojan upx
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2
- Target
  
  plugins/regex.so
- Size
  
  492KB
- MD5
  
  725fab3337ca01519ede745ddc7df8bd
- SHA1
  
  8cb8ba907bda0377733903566a431627ad74aa88
- SHA256
  
  3c2736f07f3f33ef171e8256e05d4026186c3113c1099eb93f1501c6e94bbeb2
- SHA512
  
  321abf3bd4d101b0d1c224d5c9f716f0088854fd99854b80cdda36ec8e84825aceb263d3aa55948f44b29d074bd085b64c63328ae06a8f685273b30a62656393
- SSDEEP
  
  6144:GVaie3gqUPqJWk8mdGVzvOIfcBAz0PC2r9nDkwL8e9oF1N53yYLu0om9WEF+fPn:hQPvO60PC2rNkwL8e9oF1N53rIn
Score

1^/10
behavioral3
- Target
  
  plugins/sscanf.dll
- Size
  
  38KB
- MD5
  
  d3a8f99e44c376a50f6396ec1454a572
- SHA1
  
  553e00ac98b1617cd57e2fe58fce56caab9f910f
- SHA256
  
  ffeb11d2dfccb50ba2f4e78d71711a73dad50501c302d9ff5c970fc7c7e33d32
- SHA512
  
  d252d0ed264cd22b74c1ac49ba13dfa40ce25e85cfcbc7592756840381a12c2136fbe9753f6c6892c5aca5d1e9cb940fc20a4af746567089df6e1f1ec0da768a
- SSDEEP
  
  768:4n/wthm6BJirKQgh80i6pl7PcBGQl4gAu/KGeaUMYDJb4Co7KvSqRO8irdqk:4n/wthm6Lir3oi6bcH4gz7bKO8i
Score

3^/10
behavioral4 behavioral5
- Target
  
  plugins/sscanf.so
- Size
  
  54KB
- MD5
  
  fa38465283d483e031dfe5ff13d390c4
- SHA1
  
  93a472eb113c16f008ea42a60529eeaa6a12f8cd
- SHA256
  
  1724a4f6ce8c0a644f2a4c4943aee7d3e5e1645518165a752aadc2d0802282be
- SHA512
  
  9640646a28577b8eb3a77467e3160b0d9a703da79fe1af5bbe5b7108f134883c1d3544ff96cbc66f651b4f82bacbb625d4596966095fc585eb4d7cf99d7a2780
- SSDEEP
  
  1536:NBOa10md/7tX40US+mJaAOhr38Q4CjV1Tc9Oo5qHpbURRD+9GaoGjeaT+RiD4me:Sa10CD1AUR5oocaRiDre
Score

1^/10
behavioral6
- Target
  
  plugins/streamer.dll
- Size
  
  235KB
- MD5
  
  7477d1fa17cc49434d3f2535758d3953
- SHA1
  
  2873741669e06720718b4c05cc9512b36938100a
- SHA256
  
  e1ebb301bb05859d6aedde494c2fe7e102df0c79e1b9a575d8dee8fa0296cc6f
- SHA512
  
  60d95b90e90fa031121216e04df81e5a0b816fe49ac58712c21a3a7ed02ee75236ce98c572149d3bde2a67ac02138a010df50c83b0ae8ab3be68feca53190ca9
- SSDEEP
  
  3072:HPmx4ysuRVx9nVvPdhx6nIHQEPCYTbGyZTwKZUR7HGANOrP1zwnrOZqzxF+VC:v6DswlPD8IC8UR7mAcP1zwrOZqu
Score

3^/10
behavioral7 behavioral8
- Target
  
  plugins/streamer.so
- Size
  
  559KB
- MD5
  
  f4e669c541f8d4c72c657f998420ca17
- SHA1
  
  487b553fbbe248a56ea89619130f8f8781623e7c
- SHA256
  
  1b291e53b63255fa908275212484b5a7cf27e7f227a5e1a70de191677fe98089
- SHA512
  
  cd3c8d6ea1fbf2d750474e7e2954d289fda28cd77a00aa3c2c5f3910198099608277fc90ce341890f7217ce2984bd148b594a37589018fb1a9eddb32ad3f5ab8
- SSDEEP
  
  12288:JJbiOu+oNZIpVsaqv/FH6o2JhCB4le1frTOAroNaCe:JQZIpVsaqnFH6o2JhY4le1DiAc2
Score

1^/10
behavioral9
- Target
  
  samp-npc.exe
- Size
  
  392KB
- MD5
  
  5a1e2e8b2fca5a40ab426bd3f533b3f2
- SHA1
  
  7f73f23a7b16aa3c8262d76fc30b1e514cfbe7de
- SHA256
  
  b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805
- SHA512
  
  514e32472eac1ebdf963136e1d80f249e4c097a4926e362697d005f3100add5afd7f76a4e1b59b321800eabe5ab42f0261b318939d5c3d63f60e4ed18fc9d9e2
- SSDEEP
  
  6144:Pu++THBU7JnFjlJlQ8TM4r0zsaBuxtj/cjAOvP99qqDLuEnIorHSzhl6GkkakJL:9+TIvSGrOsaBuPcjwqnuqI7LaQL
Score

10^/10

neshta sality backdoor evasion persistence spyware stealer trojan upx
- Modifies firewall policy service
  evasion
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral10 behavioral11
- Target
  
  samp-server.exe
- Size
  
  960KB
- MD5
  
  652fc3d187426969c78b5896c55f0bd3
- SHA1
  
  5905c3f30aae347c6781c9ba54f2e9acb789b8aa
- SHA256
  
  80851b341f41613d761255eb22e31e59e0b7ef31f80b6606e6313548d61c5af8
- SHA512
  
  23d6d3cc33d0d6d2601162b2f2de8875029cbfbf29f976ab4380d007f74180c2a6b8e2a37be2df21066b262b52b6deb625b78456a7e988cc234d34545fdf0a42
- SSDEEP
  
  24576:6qa8CCL4TO9g+a4VlrotyQlRRYIW0DAOngnclqx3eUk++uKH:qe40a4ktYISOMclv5l
Score

10^/10

sality backdoor evasion trojan upx
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral12 behavioral13
- Target
  
  scriptfiles/ladmin/logs/Objects.txt
- Size
  
  171B
- MD5
  
  25c6f2ff1d6ae1ef43ca12344f2de8ce
- SHA1
  
  cb293bf61ace426ca7b38431813ee80ec50d5b18
- SHA256
  
  f386f081f3b420d3ee4590dc677178b24700e0cabd58172e796eb5bbf367b8f0
- SHA512
  
  4a2b8099350d026818ddc0d8102b99681351e7747afd350e7df13fa31df040750dfde1a78b0f702146760fdf231517d1f2fc0cfbcea429d9b861810c937d58f6
Score

1^/10
behavioral14 behavioral15
- Target
  
   /pawno/include/a_objects.inc
- Size
  
  3KB
- MD5
  
  2bc967b685dc21b9728887fd660d8c6b
- SHA1
  
  29d36110a5b3aa564c41eb26f11ec23a6d025408
- SHA256
  
  c3e08eb8ec7e26b72541bc0c4779f531b0e99328d58e768c3dd285edceea703a
- SHA512
  
  abcbbf4b0971f5a32a94bf944afd21d5db7266f8c13c835aa1d5add232cb021ad6839f18964db59c9c540a19d800442159efabcc20b8be236e2d13d4ea94e880
Score

1^/10
behavioral16 behavioral17
- Target
  
   /pawno/include/antiattack.inc
- Size
  
  34KB
- MD5
  
  dd6ab985edeee35919380f8ad0dc490b
- SHA1
  
  ded0a184975651ce07c7479d8bf97a827273952c
- SHA256
  
  b5d221060979efe82f820aafaca4e9cabc7ba00cfd34a0eabf9de4081d6ba2cf
- SHA512
  
  6af3fe940d08f98651b38a6b3ed175221e903dacd8286451a86c36c05de0806150aca8fb05ad2e089530c17259b54e5519d118fdb46e3a16b691057c1cd7c794
- SSDEEP
  
  768:ITrRDdRD9ZqGvF7ZtfWqEyYnekWOggoJ5235CFF2biroVX6djE5nxnRC9bu6/Bfq:yDPD9ZqGvF7ZtfWqEyYnekWOggoJspMm
Score

1^/10
behavioral18 behavioral19
- Target
  
   /pawno/libpawnc.dll
- Size
  
  275KB
- MD5
  
  1f3b35dc739f9e6d843cfaa595f320b2
- SHA1
  
  ac37a03427b356e3e4c1c1fe9d1f10f4a6d97f9c
- SHA256
  
  b7a6d406aaad6c6dc6621889a3e5c006755a16e577a46a806df2a85203813b56
- SHA512
  
  549c8b7ee2c4e59220e74053ef0147d35fdf6cb923726956e882c3e5640483e0108c3ccaca96934ce94ee3d387a16f022df86f38dbb6692c6b688ec8fc0734d7
- SSDEEP
  
  6144:DQUATh1kDLdQRUOi6XqXOKcB5B5jriaCvWwApMtye6cEIfUGmpkRQBfcqlu4V2lr:DQUATh1k3dQRUOi6XqXO9/B5jriaCe/E
Score

1^/10
behavioral20 behavioral21
- Target
  
   /pawno/pawncc.exe
- Size
  
  15KB
- MD5
  
  5b8766d335b25f1a180af10cb736b6ba
- SHA1
  
  83f081d683840f9e9cfb161801d13edbcfd50646
- SHA256
  
  e086cbaeee177c5e56cc3cf124a014f3496297c8d8de0fe17d49468584a9fb3f
- SHA512
  
  25bf21940a7399fbe5709997d5327142d706e5023cd14560b29d65eb1e1dc3526a3432c94b0d711f2affedbfdcb6f3be84af6549a742d0d62832530558f58d2d
- SSDEEP
  
  192:1m58SVl+4smhjTMW6vrkTGeTDT//BWLGeTkGeTGOvs7HlFMMafc:1m58SV04lt6MGevTnYLGeQGeyVHlSMak
Score

1^/10
behavioral22 behavioral23
- Target
  
   /pawno/pawno.exe
- Size
  
  580KB
- MD5
  
  1b75ef0464d6dd4a93569decf01c0ac4
- SHA1
  
  ef15482df2bb08f7474bacf91d67c744d94f4e70
- SHA256
  
  381617f42ae8eb2337483a393c8bb911d1f50b1f3cc5d3f55992d67c88a7c10d
- SHA512
  
  34741d24183513765f106336867b5574ca58559967cbdaed7e4fe0b02d3eeda2dd9fbb15afb58a50b62456caf2308ad68a9be1159c2baff1b779b3b2ad2d24d1
- SSDEEP
  
  12288:8qV5dU7oTWKYEEF5J87vzLh8aVJS/HqV5dU79HqV5dU79HqV5dU79HqV5dU79HqD:8qV5yMzJ45J8DznVJAqV5yBqV5yBqV5/
Score

8^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral24 behavioral25

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Modifies firewall policy service

Sality

UAC bypass

Windows security bypass

UPX packed file

Windows security modification

Checks whether UAC is enabled

Modifies firewall policy service

Modifies system executable filetype association

Sality

UAC bypass

Windows security bypass

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops autorun.inf file

Modifies firewall policy service

Sality

UAC bypass

Windows security bypass

UPX packed file

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops autorun.inf file

UPX packed file

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25