neshta | 3a262200a07c9f446ef95a399919a11960671591b90e56312c61b31c2a39dd3a | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

update.vbs

windows7-x64

update.vbs

windows10-2004-x64

Sharing

General

Target

update.vbs
Size

72KB
Sample

240523-tvy9paha96
MD5

7bc04c5410cd2c7395ba82859240fea6
SHA1

014f8e77cdedd5141c80a316fc91741efdca8586
SHA256

3a262200a07c9f446ef95a399919a11960671591b90e56312c61b31c2a39dd3a
SHA512

dde32bb051839b4d65edafde2189d56cd39489b70950b0ba6c4eaeb538ddac55201159995b41e9a380326cf4ad8d4703b1d25e169d71e64aab4f4ae5d6fdfb64
SSDEEP

1536:b0eys3Ih0nYdMOuImdjnQKOYVDDoUFYtBQBpPz5lEiFG7A:b0E7Y+OXmJnS2/AXQP1xG7A

Score

10^/10

neshta persistence spyware

Static task

static1

Behavioral task

behavioral1

Sample

update.vbs

Resource

win7-20240508-en

neshta persistence spyware

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

update.vbs

Resource

win10v2004-20240426-en

neshta persistence spyware

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  update.vbs
- Size
  
  72KB
- MD5
  
  7bc04c5410cd2c7395ba82859240fea6
- SHA1
  
  014f8e77cdedd5141c80a316fc91741efdca8586
- SHA256
  
  3a262200a07c9f446ef95a399919a11960671591b90e56312c61b31c2a39dd3a
- SHA512
  
  dde32bb051839b4d65edafde2189d56cd39489b70950b0ba6c4eaeb538ddac55201159995b41e9a380326cf4ad8d4703b1d25e169d71e64aab4f4ae5d6fdfb64
- SSDEEP
  
  1536:b0eys3Ih0nYdMOuImdjnQKOYVDDoUFYtBQBpPz5lEiFG7A:b0E7Y+OXmJnS2/AXQP1xG7A
Score

10^/10

neshta persistence spyware
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Privilege Escalation

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtapersistencespyware

behavioral2

neshtapersistencespyware

© 2018-2025

Terms | Privacy