neshta | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514 | Triage

Submit
Reports

Overview

overview

Static

static

a91e0748bb...14.exe

windows7-x64

a91e0748bb...14.exe

windows10-2004-x64

Sharing

General

Target

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514
Size

261KB
Sample

221125-wswf5adh67
MD5

0063bb0a460508738af4af2f11fdf880
SHA1

9b3a753a220d631c3333fefcf63ef8ffe8b29edd
SHA256

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514
SHA512

0c82c75d4f1def4deaa6ff8ef3fc44b217070b4daa616999f06928c2678fb95f04a4a4119148fa4408ad5d25b2d9b8d9df9af85787cac4504b9472a1db6e78e6
SSDEEP

6144:k9Lrgq6hbWjq/zbu6OKdCQ3mkxxNc56ud8csg06n21XDalEdi:SrCNvoB2zudA/GWdi

Score

10^/10

neshta adware persistence spyware stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

Resource

win7-20220812-en

neshta adware persistence spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

Resource

win10v2004-20220812-en

neshta adware persistence spyware stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514
- Size
  
  261KB
- MD5
  
  0063bb0a460508738af4af2f11fdf880
- SHA1
  
  9b3a753a220d631c3333fefcf63ef8ffe8b29edd
- SHA256
  
  a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514
- SHA512
  
  0c82c75d4f1def4deaa6ff8ef3fc44b217070b4daa616999f06928c2678fb95f04a4a4119148fa4408ad5d25b2d9b8d9df9af85787cac4504b9472a1db6e78e6
- SSDEEP
  
  6144:k9Lrgq6hbWjq/zbu6OKdCQ3mkxxNc56ud8csg06n21XDalEdi:SrCNvoB2zudA/GWdi
Score

10^/10

neshta adware persistence spyware stealer
- Detect Neshta payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

Browser Extensions

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

neshtaadwarepersistencespywarestealer

behavioral2

neshtaadwarepersistencespywarestealer

© 2018-2024

Terms | Privacy