neshta | 2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c | Triage

Submit
Reports

Overview

overview

Static

static

2b8ae2c48f...3c.exe

windows7-x64

2b8ae2c48f...3c.exe

windows10-2004-x64

Sharing

General

Target

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c
Size

235KB
Sample

221127-c5gc7adc62
MD5

988e1645954b11aa0f2f1525debfb8f5
SHA1

7178cbe334ed2b609ca42c5b539258f7c41a9234
SHA256

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c
SHA512

098b7c07ca8276b552a4263e209347b916f55bc03662c7e2a370ad433dbcd0541589c2ea6cccc191874b4e49fc9ffc46a44f02deb95a4badfccbc887ce555134
SSDEEP

3072:zr8WDrCy6Qhd2e4vNRyOZIu440livAzoUZmebfG5R:Pu7QhdJOZIur9ocUZA5R

Score

10^/10

neshta persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

Resource

win7-20220812-en

neshta persistence spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

Resource

win10v2004-20220901-en

neshta persistence spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c
- Size
  
  235KB
- MD5
  
  988e1645954b11aa0f2f1525debfb8f5
- SHA1
  
  7178cbe334ed2b609ca42c5b539258f7c41a9234
- SHA256
  
  2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c
- SHA512
  
  098b7c07ca8276b552a4263e209347b916f55bc03662c7e2a370ad433dbcd0541589c2ea6cccc191874b4e49fc9ffc46a44f02deb95a4badfccbc887ce555134
- SSDEEP
  
  3072:zr8WDrCy6Qhd2e4vNRyOZIu440livAzoUZmebfG5R:Pu7QhdJOZIur9ocUZA5R
Score

10^/10

neshta persistence spyware stealer
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

neshtapersistencespywarestealer

behavioral2

neshtapersistencespywarestealer

© 2018-2024

Terms | Privacy