neshta | 9215eeb668f93639affdeff2945d69c6980c54959ebb71c8a360962b22369f53 | Triage

Submit
Reports

Overview

overview

Static

static

d33d2595b7...cs.exe

windows7-x64

d33d2595b7...cs.exe

windows10-2004-x64

Sharing

General

Target

d33d2595b78d26cb42955a9e9cf2b9d0_NeikiAnalytics.exe
Size

2.1MB
Sample

240517-jmhxmage24
MD5

d33d2595b78d26cb42955a9e9cf2b9d0
SHA1

5b8c3d19ba327731b7c50109bd8e4b1947061d47
SHA256

9215eeb668f93639affdeff2945d69c6980c54959ebb71c8a360962b22369f53
SHA512

5f50db78ab4c82fa0851842ed0febe38f20b2dda864112ef32b431acc4caf7b6e9dcf119cc65623f368da43e0bb3de91c13b1dbd72bcbca7633108f797cb22b1
SSDEEP

49152:CnmaHDtym/gdycQBj0D4mcC9NIykMz5iug9:CnmTm/gdycQyHlZzIv9

Score

10^/10

neshta bootkit persistence spyware stealer upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

d33d2595b78d26cb42955a9e9cf2b9d0_NeikiAnalytics.exe

Resource

win7-20240508-en

neshta bootkit persistence spyware stealer upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

d33d2595b78d26cb42955a9e9cf2b9d0_NeikiAnalytics.exe

Resource

win10v2004-20240426-en

neshta bootkit persistence spyware stealer upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  d33d2595b78d26cb42955a9e9cf2b9d0_NeikiAnalytics.exe
- Size
  
  2.1MB
- MD5
  
  d33d2595b78d26cb42955a9e9cf2b9d0
- SHA1
  
  5b8c3d19ba327731b7c50109bd8e4b1947061d47
- SHA256
  
  9215eeb668f93639affdeff2945d69c6980c54959ebb71c8a360962b22369f53
- SHA512
  
  5f50db78ab4c82fa0851842ed0febe38f20b2dda864112ef32b431acc4caf7b6e9dcf119cc65623f368da43e0bb3de91c13b1dbd72bcbca7633108f797cb22b1
- SSDEEP
  
  49152:CnmaHDtym/gdycQBj0D4mcC9NIykMz5iug9:CnmTm/gdycQyHlZzIv9
Score

10^/10

neshta bootkit persistence spyware stealer upx
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Pre-OS Boot

Bootkit

Privilege Escalation

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

neshtabootkitpersistencespywarestealerupx

behavioral2

neshtabootkitpersistencespywarestealerupx

© 2018-2024

Terms | Privacy