neshta | kdmapper[.]exe | Triage

Sharing

General

Target

kdmapper.exe
Size

254KB
MD5

dcfdbaa3781a119c895bbbe8bcdff46f
SHA1

8e659d9d374c760b154e164acf2ae3b06fc63710
SHA256

a8d80919d86fec3e163f03f55f10fc0597d1605c230c44d5b39d93c7f35fbb5c
SHA512

72c279f4d1bb22e203fb0686fd08c52e09c1cf3a6a069a65ff2be61e4bdfc0ba58bca3777cf5c3a48527eaedf9e719bc8ebfe1a64c223a3854ff62688e7d6f78
SSDEEP

6144:k9G5JrD89A32tvPHilDRfc8t0hVkPn9TsNwAJQ:7JrD89akvm9f5OVkFAN9JQ

Score

10^/10

neshta

Malware Config

Signatures

Detect Neshta payload 1 IoCs

Processes:

resource yara_rule

sample family_neshta
Neshta family
neshta
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

kdmapper.exe

Files

kdmapper.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 1024B - Virtual size: 536B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 42KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ