neshta | 6fd634ad6e74fe9cf0c51adb1e35b475cb128374d2f33f31c575542403bbcc08 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

146dd8f29e...JC.exe

windows7-x64

146dd8f29e...JC.exe

windows10-2004-x64

Sharing

General

Target

146dd8f29e610bbcaa83766607cac07f_JC.exe
Size

418KB
Sample

231005-v3wzzafc27
MD5

146dd8f29e610bbcaa83766607cac07f
SHA1

45fb0ada48cc290c358e9a0054ce28c72a343bc4
SHA256

6fd634ad6e74fe9cf0c51adb1e35b475cb128374d2f33f31c575542403bbcc08
SHA512

c40cc82349d8c93ba18d7185323848f7f55c19f919fee8f439b1ac30762a940da3438020f6cdf6ffd9bd1ff6ab4f4aafa8dd2ad9af651cd721597eb9bb5d4deb
SSDEEP

6144:p1I2PbSyXuF4a4gLZRE65J3EvgxxEvMI2uLZBV+UdvrEFp7hKL:pFBTavRh5J8qxEvMI1BjvrEH7s

Score

10^/10

neshta persistence spyware stealer upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

146dd8f29e610bbcaa83766607cac07f_JC.exe

Resource

win7-20230831-en

neshta persistence spyware stealer upx

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

146dd8f29e610bbcaa83766607cac07f_JC.exe

Resource

win10v2004-20230915-en

neshta persistence spyware stealer upx

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  146dd8f29e610bbcaa83766607cac07f_JC.exe
- Size
  
  418KB
- MD5
  
  146dd8f29e610bbcaa83766607cac07f
- SHA1
  
  45fb0ada48cc290c358e9a0054ce28c72a343bc4
- SHA256
  
  6fd634ad6e74fe9cf0c51adb1e35b475cb128374d2f33f31c575542403bbcc08
- SHA512
  
  c40cc82349d8c93ba18d7185323848f7f55c19f919fee8f439b1ac30762a940da3438020f6cdf6ffd9bd1ff6ab4f4aafa8dd2ad9af651cd721597eb9bb5d4deb
- SSDEEP
  
  6144:p1I2PbSyXuF4a4gLZRE65J3EvgxxEvMI2uLZBV+UdvrEFp7hKL:pFBTavRh5J8qxEvMI1BjvrEH7s
Score

10^/10

neshta persistence spyware stealer upx
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Downloads MZ/PE file
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Privilege Escalation

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

neshtapersistencespywarestealerupx

behavioral2

neshtapersistencespywarestealerupx

© 2018-2025

Terms | Privacy