Overview

overview

10

Static

static

10

f7c82635ca...ec.exe

windows7-x64

10

f7c82635ca...ec.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f7c82635ca7d853d5a1cd59d1b539af1b0d4bb4580c5b3bcf2e1f35d03a388ec

  • Size

    136KB

  • Sample

    221129-jx5jdaah48

  • MD5

    c6bfb172211360367053fbd5f65655de

  • SHA1

    693449073331dacef7bc0ae97afd5da26a1f602e

  • SHA256

    f7c82635ca7d853d5a1cd59d1b539af1b0d4bb4580c5b3bcf2e1f35d03a388ec

  • SHA512

    a227c8952078c5a9faeed0e4fb9c7c832397585650d57591d8ce756457f39d417fda368205e04fbe2197ad8f40106d3a5b4c2b02f80790d0610819046ae22409

  • SSDEEP

    1536:JxqjQ+P04wsmJCdHfqS+lPwXvOdaBYD4OKUcNz8GQGZT524ut/skr+dExmX8Wwb:sr85CdT+l4/KaBYDr9GX9w4whkExs8WW

Score
10/10
neshtasalitybackdoorevasionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      f7c82635ca7d853d5a1cd59d1b539af1b0d4bb4580c5b3bcf2e1f35d03a388ec

    • Size

      136KB

    • MD5

      c6bfb172211360367053fbd5f65655de

    • SHA1

      693449073331dacef7bc0ae97afd5da26a1f602e

    • SHA256

      f7c82635ca7d853d5a1cd59d1b539af1b0d4bb4580c5b3bcf2e1f35d03a388ec

    • SHA512

      a227c8952078c5a9faeed0e4fb9c7c832397585650d57591d8ce756457f39d417fda368205e04fbe2197ad8f40106d3a5b4c2b02f80790d0610819046ae22409

    • SSDEEP

      1536:JxqjQ+P04wsmJCdHfqS+lPwXvOdaBYD4OKUcNz8GQGZT524ut/skr+dExmX8Wwb:sr85CdT+l4/KaBYDr9GX9w4whkExs8WW

    Score
    10/10
    neshtasalitybackdoorevasionpersistencespywarestealertrojanupx

    • Detect Neshta payload

    • Modifies firewall policy service

      evasion

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks