Extracted

• • Target

    REQUEST_.EXE

  • Size

    891KB

  • MD5

    164a1a27b7b433966e4baacfd59353cc

  • SHA1

    7d1593f5ccecd3b714b47cce75b66d477b2a6025

  • SHA256

    9e375d13756195da6c9c580e435042ff8105ef2c2e83b0270d98f3fc387e6ce8

  • SHA512

    0a5df388544611698fe7398ee1227e4f8c25b772fc041acdc5e9f35866efd48f268519d8089f9b0b1c4fdeee54d01b719d1c839ac3194d80f479f9d4f03f9a20

  • SSDEEP

    12288:/Lk70TnvjcJU26d4PjQGeEBO7QMPTzAwO7DiXH8EjLvQcVnHYe0ScK1hk:zk70TrcJUL/GeEBO7QMyDMHnvGBSpc

  Score

  10^/10

  neshtapersistencespywarestealerblustealerstormkittycollection

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer

  • Detect Neshta payload

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2