neshta | 98191390feded2c9b9bea4acfc3782067624502a702e4929ab3967e1e5cc47ae | Triage

Submit
Reports

Overview

overview

Static

static

1

3131321312313.exe

windows7-x64

3131321312313.exe

windows10-2004-x64

Sharing

General

Target

3131321312313.exe
Size

15.0MB
Sample

230407-v4n1rahh64
MD5

504211aeace6ca8f70cc00a3215bda05
SHA1

502d5280f10f867627ed24e5dc297c3a5badcc28
SHA256

98191390feded2c9b9bea4acfc3782067624502a702e4929ab3967e1e5cc47ae
SHA512

cec60bfe8c941b18d32f6493ab1c2b784143e39577e4e5e33ecb75ba8412ff34f5e49da880c5a8482e4b30b7ed6ff095d160bf28b4866fdd1422bf2b224c6501
SSDEEP

49152:dz1B3kbWTQmYOXQB8eBVhTBUenNT9xaI/Ak3OQaa1ePdql7p3ib/fo1VOaf3sOk7:B

Score

10^/10

neshta njrat hacked persistence ransomware spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

3131321312313.exe

Resource

win7-20230220-en

neshta njrat hacked persistence ransomware spyware trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

3131321312313.exe

Resource

win10v2004-20230220-en

neshta njrat hacked persistence spyware stealer trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

there-carol.at.ply.gg:5855

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Targets

- Target
  
  3131321312313.exe
- Size
  
  15.0MB
- MD5
  
  504211aeace6ca8f70cc00a3215bda05
- SHA1
  
  502d5280f10f867627ed24e5dc297c3a5badcc28
- SHA256
  
  98191390feded2c9b9bea4acfc3782067624502a702e4929ab3967e1e5cc47ae
- SHA512
  
  cec60bfe8c941b18d32f6493ab1c2b784143e39577e4e5e33ecb75ba8412ff34f5e49da880c5a8482e4b30b7ed6ff095d160bf28b4866fdd1422bf2b224c6501
- SSDEEP
  
  49152:dz1B3kbWTQmYOXQB8eBVhTBUenNT9xaI/Ak3OQaa1ePdql7p3ib/fo1VOaf3sOk7:B
Score

10^/10

neshta njrat hacked persistence ransomware spyware trojan stealer
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Defacement

Tasks

static1

behavioral1

neshtanjrathackedpersistenceransomwarespywaretrojan

behavioral2

neshtanjrathackedpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy