neshta | 7cfb72fe8399b90bf0480b1ac8865b008e3b96358b8d674565336743689598ad | Triage

Submit
Reports

Overview

overview

Static

static

3

shipping d...01.exe

windows7-x64

shipping d...01.exe

windows10-2004-x64

Sharing

General

Target

7cfb72fe8399b90bf0480b1ac8865b008e3b96358b8d674565336743689598ad
Size

675KB
Sample

240522-ck2hmagh97
MD5

44293cc2f46c547dbdd50b924c9d34e7
SHA1

214d8e2d41c346b100393cbaf3fb9465fad922b1
SHA256

7cfb72fe8399b90bf0480b1ac8865b008e3b96358b8d674565336743689598ad
SHA512

0cb5405bbfd1418982930a54d7810dbcbac8b9a5a070531ebbb19f0dc25569805a69ae3a70de0e8370e225925a7e87c7e9633983a396ea20aeb0de0167454d9e
SSDEEP

12288:Y1WiZTc2Xetso+OX4usdhmpbqKjMFDnKf/2coNqxmOz/F7KM1XX8R0TcF85h:YAia9so+buGc9jM0e67p/cqX

Score

10^/10

neshta persistence spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

shipping docs IG190507601.exe

Resource

win7-20240221-en

neshta persistence spyware stealer

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

shipping docs IG190507601.exe

Resource

win10v2004-20240508-en

neshta persistence spyware stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  shipping docs IG190507601.exe
- Size
  
  698KB
- MD5
  
  08ca3eb4ad279f20ad7bf302b99f8120
- SHA1
  
  8c8873a96f1ac56e6b832761a057dcf5b2b4eda1
- SHA256
  
  320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5
- SHA512
  
  9667d4e0cd9bd5d55f49a9657ed9530a09c12f82e5fd45cece9097734493a3583591c00a1ee92f1f4ec6e580638166e21acbfcf5832040def754470de05b7c75
- SSDEEP
  
  12288:6lYifTdTeVso+OX4mAdhrDu7NQ6xM9z6J95q1nKn2GJpKwp/U8WRu9jpX8R0J14+:diuso+bmaVKlxM9mJR2EVU8guvN14Nk
Score

10^/10

neshta persistence spyware stealer
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Privilege Escalation

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtapersistencespywarestealer

behavioral2

neshtapersistencespywarestealer

© 2018-2024

Terms | Privacy