Overview

overview

10

Static

static

1360a43316...28.exe

windows7-x64

10

1360a43316...28.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1360a433163123d6090024079d0e243df1ba90160033ac18bd957cf8e28f2c28

  • Size

    644KB

  • Sample

    221202-fhm41aef66

  • MD5

    5ded28488039ac0caaef106470673dc5

  • SHA1

    8423fe1a22ccafab69673be11a683b28fdec3f8a

  • SHA256

    1360a433163123d6090024079d0e243df1ba90160033ac18bd957cf8e28f2c28

  • SHA512

    e6ae5ef0519960e64076f17036f23e2f955049ab90698f29f33d0fff9173e4fc0034002b5366f248306793b03c76593c11864fbfc4e8aa4171a2673dffdd6177

  • SSDEEP

    3072:JGPFW5ncGtupKj61mG3mQztTcNOtOnX+HVktyqtWB9C26bX6+:qEnc4upKSmG3nTybnXKCt7IzC2i

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    zadrot-css.do.am
  • Port:
    21
  • Username:
    8zadrot-css
  • Password:
    qwerfake

Targets

    • Target

      1360a433163123d6090024079d0e243df1ba90160033ac18bd957cf8e28f2c28

    • Size

      644KB

    • MD5

      5ded28488039ac0caaef106470673dc5

    • SHA1

      8423fe1a22ccafab69673be11a683b28fdec3f8a

    • SHA256

      1360a433163123d6090024079d0e243df1ba90160033ac18bd957cf8e28f2c28

    • SHA512

      e6ae5ef0519960e64076f17036f23e2f955049ab90698f29f33d0fff9173e4fc0034002b5366f248306793b03c76593c11864fbfc4e8aa4171a2673dffdd6177

    • SSDEEP

      3072:JGPFW5ncGtupKj61mG3mQztTcNOtOnX+HVktyqtWB9C26bX6+:qEnc4upKSmG3nTybnXKCt7IzC2i

    Score
    10/10
    neshtadiscoverypersistencespywarestealer

    • Detect Neshta payload

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks