neshta | 9556460411e4b61c6437429b9d982b5d0a4f20352f3da2bc7d178cb56d948a4a | Triage

Submit
Reports

Overview

overview

Static

static

SMART 1.exe

windows7-x64

SMART 1.exe

windows10-2004-x64

Sharing

General

Target

9556460411e4b61c6437429b9d982b5d0a4f20352f3da2bc7d178cb56d948a4a
Size

80KB
Sample

221125-ws12lshb4v
MD5

5de8a81cc3b79200533770394be514d6
SHA1

48541d2249b6cc1dfd5c81876930f2e1e918bb2d
SHA256

9556460411e4b61c6437429b9d982b5d0a4f20352f3da2bc7d178cb56d948a4a
SHA512

a87af0410962ee31f05895dd14cea175223ec39cb112816052bd3e75a3b9e29cb07aae80d9a55c17c81efb2b0070a11b93eeda8cee67e48404529290a8572e91
SSDEEP

1536:YMdPpfqtOe060LLGvvlDws9Vf/Rnz5jqYXbvhRLUUfAQKRM7Xq:YjtT0LavvxfVf5z5jJvhRAU4BMW

Score

10^/10

neshta njrat hacked evasion persistence spyware stealer trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

SMART 1.exe

Resource

win7-20221111-en

neshta njrat hacked evasion persistence spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

SMART 1.exe

Resource

win10v2004-20220812-en

neshta njrat hacked evasion persistence spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

medo979.no-ip.biz:5552

Mutex

f02a0dc65ff97aa43cc56ae47f9df6fc

Attributes

reg_key
f02a0dc65ff97aa43cc56ae47f9df6fc
splitter
|'|'|

Targets

- Target
  
  SMART 1.exe
- Size
  
  146KB
- MD5
  
  816c02655dcded0b037bc142076f41a5
- SHA1
  
  43f394fdd26609ae05f8069885ac5633533d46de
- SHA256
  
  24c21788676a5218a6a08ff211fe20bb292c9c89d60feaad64740ddb906d351a
- SHA512
  
  083951e7887bad9af8acd87dc835a555f7a79e97d2e16ef34e5febabdb30f0cf214adb7b2032faa220bd04dbe1155483442d7f604b8868135d745c38467ef8c5
- SSDEEP
  
  3072:sr85C8QOb1sG0+HbGRD5Ds3dKYJgv2MiXtO6Gb86iB:k98QObuG08bGdp0+v21XXqOB
Score

10^/10

neshta njrat hacked evasion persistence spyware stealer trojan
- Detect Neshta payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtanjrathackedevasionpersistencespywarestealertrojan

behavioral2

neshtanjrathackedevasionpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy