General

  • Target: aaaa.exe
  • Size: 3.3MB
  • Sample: 230916-vdyr9seg59
  • MD5: b6a18b64ba64922793c6849464a26332
  • SHA1: 883da851ff68f948ab237679e0df43561bab0a18
  • SHA256: 073d21d343ad5ea56b3a94e49a1a4e7c1ecb3c4a3e4aae167cd30d22b794ca6c
  • SHA512: e8c0204eb07cd66960e3648435570afa63a5e7654d19092d89213e151ef8cddce3d333c8244bf60f3710e26507d333e0bf6b34d8f5aff3f90d237b9df61675d3
  • SSDEEP: 98304:P9qUaXiv7NMhB0qCp1KOU/Yqd0AuU0wA:P9Cy2hBOcgqd0G

Malware Config

Targets

    • Target: aaaa.exe (hashes as listed under General above)

    • Detect Neshta payload
    • Neshta: Malware from the Neshta family injects itself into other executable files in order to spread and cause damage.
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks