neshta | 5c9e13a34395196a53bd88c14464479837f0d912f2dba237e4237a086ef3f2ca

Sharing

Copy URL Twitter E-mail

General

Target

5c9e13a34395196a53bd88c14464479837f0d912f2dba237e4237a086ef3f2ca
Size

147KB
MD5

fdc3ec0c9380610742bdd92396f6451b
SHA1

7837a5370288637a20246ea16e64a80bf9073303
SHA256

5c9e13a34395196a53bd88c14464479837f0d912f2dba237e4237a086ef3f2ca
SHA512

1f413baed730d2c9e062ffedca5e92fa287ddd0ddc412e3d5700ab02f524f00830f51c90c39a9c69ccf70b1c7c8a69052ea57f2fb733e5aa1675eb7060b8e577
SSDEEP

3072:+jALokqu1uMjkI9jm2/11PFJzQg7iOgvWC9Jr85C:+mjjkIB1xFKg7iNWC9l9

Score

10^/10

neshta

Malware Config

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
sample	family_neshta

Neshta family
neshta

Files

5c9e13a34395196a53bd88c14464479837f0d912f2dba237e4237a086ef3f2ca
.exe windows x86

66b557f5bb8066a933d34f277a37ab09

Code Sign

12:7e:e4:4c:29:9c:8d:b2:4f:6c:d3:78:27:6d:94:7b
Certificate

Issuer

CN=Root Agency

Not Before

13/09/2012, 00:33

Not After

31/12/2039, 23:59

Subject

CN=dev.mozilla.org

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

da:fe:dc:0a:a5:d6:6c:8f:c8:fd:08:30:d7:e8:07:a8:2e:8f:d5:cd
Signer

Actual PE Digest

da:fe:dc:0a:a5:d6:6c:8f:c8:fd:08:30:d7:e8:07:a8:2e:8f:d5:cd

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=dev.mozilla.org

03/10/2012, 20:35
Valid: false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

DeleteFileA
VirtualProtect
GetCurrentDirectoryA
CloseHandle
LocalFree
ReadFile
SetFilePointer
LocalAlloc
GetFileSize
CreateFileA
GetModuleFileNameA
ResumeThread
CreateMutexA
GetCurrentProcessId
WriteFile
VirtualAllocEx
GetCurrentProcess
ExitThread
ReleaseMutex
GetModuleHandleA
EnumCalendarInfoW
GetNamedPipeInfo
GetProcessTimes
CallNamedPipeW
LoadLibraryA
SetVolumeMountPointW
EnumResourceTypesA
SetComputerNameA
LockFileEx
ClearCommBreak
VirtualProtectEx
SetVolumeLabelW
BuildCommDCBAndTimeoutsA
BuildCommDCBA
GlobalFindAtomA
SetConsoleWindowInfo
ReplaceFileW
BackupWrite
UpdateResourceA
SetTimeZoneInformation
LocalHandle
SetConsoleOutputCP
OpenSemaphoreW
_hwrite
GetCurrencyFormatA
VirtualFree
VirtualAlloc
SuspendThread
GetCPInfoExW
GetProcAddress

advapi32

GetUserNameA

user32

wsprintfA
FindWindowA
GetWindow
DefWindowProcA
UnhookWinEvent
DestroyWindow
CreateWindowExA
SetWinEventHook
RegisterClassExA
IsCharUpperA
ShowWindowAsync
CreateDesktopW
SetDoubleClickTime
SetMenuInfo
GetWindowRgnBox
HiliteMenuItem
PaintDesktop
OemToCharW
LoadKeyboardLayoutA
DlgDirListComboBoxA
GetMenuBarInfo
ValidateRgn
UnregisterHotKey
DdeConnect
LookupIconIdFromDirectoryEx
EnumDesktopsA
DlgDirSelectExW
DdeQueryConvInfo
GetSystemMenu
SetCaretBlinkTime
GetMenu
RealGetWindowClassW
SetLastErrorEx
EnumWindowStationsA
CreateMDIWindowA
SetProcessDefaultLayout
SetPropA
AnyPopup
CreateIconFromResource
RegisterRawInputDevices

ole32

CoInitialize
CoUninitialize

Sections

.text
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 292B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 124KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

66b557f5bb8066a933d34f277a37ab09

Code Sign

12:7e:e4:4c:29:9c:8d:b2:4f:6c:d3:78:27:6d:94:7bCertificate

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

da:fe:dc:0a:a5:d6:6c:8f:c8:fd:08:30:d7:e8:07:a8:2e:8f:d5:cdSigner

Signature Validations

Verification

03/10/2012, 20:35 Valid: false

Headers

File Characteristics

Imports

kernel32

advapi32

user32

ole32

Sections

.text Size: 24KB - Virtual size: 23KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 512B - Virtual size: 292B

.CRT Size: 512B - Virtual size: 4B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 124KB

12:7e:e4:4c:29:9c:8d:b2:4f:6c:d3:78:27:6d:94:7b
Certificate

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

da:fe:dc:0a:a5:d6:6c:8f:c8:fd:08:30:d7:e8:07:a8:2e:8f:d5:cd
Signer

03/10/2012, 20:35
Valid: false

.text
Size: 24KB - Virtual size: 23KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 292B

.CRT
Size: 512B - Virtual size: 4B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 124KB