neshta | bd319265bfa4719bf0a3d682a047a1163e876f4a2733742c4a4893b0ce97619a

Sharing

Copy URL Twitter E-mail

General

Target

bd319265bfa4719bf0a3d682a047a1163e876f4a2733742c4a4893b0ce97619a
Size

1.4MB
MD5

3e7d62dbf49f202c5ddb8bd7a61edd33
SHA1

b10349f2bc36273d25fba5ae315b835103967b19
SHA256

bd319265bfa4719bf0a3d682a047a1163e876f4a2733742c4a4893b0ce97619a
SHA512

f02f8219dbcf593ec943be809ed2e75ed206286d7580290db7c3a7816b56f6826c089b59d48587e8e0584f616569c56046ffacf97fc647d4339a350533d52b88
SSDEEP

24576:dgZqq2DuU4HmOfiJ2MEJckTySKoxvGeodbx:3X4G0iJ2MEJu9oxvGeO

Score

10^/10

neshta

Malware Config

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
sample	family_neshta

Neshta family
neshta

Files

bd319265bfa4719bf0a3d682a047a1163e876f4a2733742c4a4893b0ce97619a
.exe windows:5 windows x86 arch:x86

c3c382927f4a4a54ce2beccc48603492

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

17/11/2006, 00:00

Not After

16/07/2036, 23:59

Subject

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

21:93:dd:63:bb:4f:d5:75:f4:a8:ad:48:16:b0:56:50
Certificate

Issuer

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Not Before

28/03/2018, 00:00

Not After

27/04/2019, 23:59

Subject

CN=N Media Platform Co.\, LTD,OU=IT Team,O=N Media Platform Co.\, LTD,L=Seongnam-si,ST=Gyeonggi-do,C=KR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\00_솔루션개발팀\00_프로젝트\00_Getogold\00_trunk\0416\Source\UltraVNC\winvnc\Release\ActRemoteAgent.pdb

Imports

ws2_32

gethostname
inet_ntoa
getsockname
send
getpeername
WSAIoctl
select
WSAGetLastError
gethostbyname
shutdown
setsockopt
WSACleanup
bind
__WSAFDIsSet
getsockopt
listen
accept
connect
WSAStartup
inet_addr
htonl
htons
recv
socket
closesocket

winmm

timeSetEvent
PlaySoundA
timeGetTime
timeKillEvent

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

userenv

ExpandEnvironmentStringsForUserA
CreateEnvironmentBlock
DestroyEnvironmentBlock

kernel32

Process32First
SetEvent
WaitNamedPipeW
WriteFile
GetSystemDirectoryW
LoadLibraryW
Sleep
CreateEventA
GetExitCodeProcess
ReadFile
CreateFileW
Process32Next
OpenEventA
WaitForMultipleObjects
lstrcatW
CreateToolhelp32Snapshot
OutputDebugStringA
GetVersionExA
GetCurrentProcessId
GetEnvironmentVariableA
SetCurrentDirectoryA
SetFileAttributesA
ResumeThread
CreateThread
CreateFileA
GetFileSize
CompareFileTime
GetFileTime
SetFilePointer
MoveFileExA
SetEndOfFile
SetErrorMode
SystemTimeToFileTime
FlushFileBuffers
GetSystemTime
GetCurrentThread
VirtualFreeEx
ReadProcessMemory
CreateProcessA
TerminateProcess
SetThreadPriority
VirtualAllocEx
SetProcessShutdownParameters
TerminateThread
ResetEvent
FindResourceA
ReleaseMutex
SizeofResource
LockResource
SetLastError
FormatMessageA
GetStdHandle
WriteConsoleA
GlobalDeleteAtom
GlobalGetAtomNameA
GlobalAddAtomA
GetCPInfo
InterlockedIncrement
InterlockedDecrement
RtlUnwind
SetEnvironmentVariableA
GetStartupInfoW
HeapSetInformation
GetCommandLineA
InitializeCriticalSectionAndSpinCount
SetStdHandle
ExitProcess
GetModuleHandleW
EncodePointer
DecodePointer
TlsFree
TlsAlloc
DuplicateHandle
ReleaseSemaphore
CreateSemaphoreA
TlsSetValue
TlsGetValue
HeapFree
HeapAlloc
GetFileType
AllocConsole
OpenFileMappingA
GetTimeZoneInformation
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
CreateMutexA
CreateFileMappingA
WaitForSingleObject
UnmapViewOfFile
MapViewOfFile
CloseHandle
GetPrivateProfileStructA
WritePrivateProfileStringA
GetPrivateProfileStringA
GetConsoleMode
GetPrivateProfileIntA
OpenProcess
WritePrivateProfileSectionA
WritePrivateProfileStructA
WinExec
GetLastError
GetComputerNameA
GetVersion
GetSystemInfo
lstrlenA
DeleteFileA
GetTempPathA
FindNextFileA
FindClose
FindFirstFileA
FreeLibrary
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetProcessTimes
InitializeCriticalSection
GetSystemTimeAsFileTime
GetTickCount
GetCurrentProcess
GlobalFree
GlobalUnlock
MultiByteToWideChar
WideCharToMultiByte
GlobalAlloc
GlobalLock
GlobalSize
GetCurrentThreadId
GetModuleHandleA
GetModuleFileNameA
LoadLibraryA
GetProcAddress
IsProcessorFeaturePresent
GetModuleFileNameW
RaiseException
HeapSize
GetACP
GetOEMCP
IsValidCodePage
LCMapStringW
GetStringTypeW
HeapCreate
SetHandleCount
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
WriteConsoleW
CompareStringW
HeapReAlloc
ExitThread
GetConsoleCP
LoadResource

user32

TrackPopupMenu
GetSubMenu
LoadMenuA
EnableMenuItem
RemoveMenu
SetMenuDefaultItem
DestroyMenu
CheckMenuItem
EnableWindow
ToAscii
GetKeyState
GetAsyncKeyState
MapVirtualKeyA
VkKeyScanA
IsIconic
PostThreadMessageA
SendNotifyMessageA
WaitMessage
PeekMessageA
ChangeClipboardChain
SetClipboardViewer
GetClipboardOwner
EnumDesktopWindows
GetClassNameA
OpenDesktopA
FillRect
DrawTextA
WaitForInputIdle
FindWindowExA
WindowFromPoint
RegisterWindowMessageA
EnumWindows
GetIconInfo
IsDlgButtonChecked
SetRect
IsWindow
IsWindowVisible
DrawIconEx
GetUpdateRect
IntersectRect
DestroyIcon
keybd_event
GetKeyboardState
mouse_event
SetActiveWindow
MessageBeep
FlashWindow
ChangeDisplaySettingsExA
EnumDisplaySettingsA
ScreenToClient
GetWindowRect
SendDlgItemMessageA
SetForegroundWindow
LoadStringA
SetFocus
GetScrollInfo
ReleaseDC
GetDlgItem
EndDialog
GetCursorPos
PostMessageA
SetWindowTextA
CheckDlgButton
SetDlgItemInt
GetDlgItemInt
GetProcessWindowStation
GetWindowTextA
GetDlgItemTextA
DialogBoxParamA
SetDlgItemTextA
MoveWindow
EndPaint
DestroyWindow
GetClientRect
BeginPaint
ExitWindowsEx
GetDesktopWindow
wsprintfA
FindWindowA
GetWindowThreadProcessId
SystemParametersInfoA
GetForegroundWindow
MessageBoxA
SendMessageA
CloseClipboard
IsClipboardFormatAvailable
RegisterClipboardFormatA
GetClipboardData
EmptyClipboard
OpenClipboard
SetClipboardData
GetMessageA
GetUserObjectInformationA
SetTimer
RegisterClassExA
PostQuitMessage
GetThreadDesktop
KillTimer
LoadIconA
OpenInputDesktop
CloseDesktop
TranslateMessage
SetWindowLongA
GetWindowLongA
CreateWindowExA
DefWindowProcA
SetWindowPos
ShowWindow
SetThreadDesktop
DispatchMessageA
GetSystemMetrics
LoadImageA
AdjustWindowRect
LoadCursorA
IsRectEmpty
GetDC
InvalidateRect

gdi32

SetBkColor
SetTextColor
GetBitmapBits
SetDIBColorTable
GdiFlush
CreatePalette
SelectPalette
CreateFontIndirectA
ExtEscape
GetSystemPaletteEntries
GetObjectA
GetRgnBox
GetRegionData
SetRectRgn
PtInRegion
CombineRgn
OffsetRgn
CreateRectRgn
PatBlt
StretchBlt
CreateDCA
SetBkMode
GetClipBox
GetStockObject
CreateSolidBrush
BitBlt
DeleteDC
CreateDIBSection
GetDeviceCaps
GetDIBits
DeleteObject
SelectObject
CreateCompatibleDC
RealizePalette
GetPixel
CreateCompatibleBitmap

advapi32

RegCreateKeyA
SetServiceStatus
RegDeleteValueA
QueryServiceStatus
RegCreateKeyExA
RegDeleteKeyA
CreateServiceA
RegisterServiceCtrlHandlerA
DeleteService
StartServiceCtrlDispatcherA
AdjustTokenPrivileges
DuplicateTokenEx
LookupPrivilegeValueA
SetTokenInformation
FreeSid
RevertToSelf
AllocateAndInitializeSid
ImpersonateLoggedOnUser
EqualSid
GetTokenInformation
OpenProcessToken
CreateProcessAsUserA
RegSetValueExA
OpenSCManagerA
CloseServiceHandle
OpenServiceA
GetUserNameA
LookupAccountSidA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA

shell32

SHAppBarMessage
ShellExecuteExA
ShellExecuteA
Shell_NotifyIconA

ole32

CoUninitialize
CoInitialize
CoCreateInstance

imm32

ImmGetDefaultIMEWnd

Sections

.text
Size: 609KB - Virtual size: 609KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 113KB - Virtual size: 113KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 381KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 574KB - Virtual size: 573KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c3c382927f4a4a54ce2beccc48603492

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6dCertificate

Key Usages

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cbCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

21:93:dd:63:bb:4f:d5:75:f4:a8:ad:48:16:b0:56:50Certificate

Extended Key Usages

Key Usages

Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

winmm

version

userenv

kernel32

user32

gdi32

advapi32

shell32

ole32

imm32

Sections

.text Size: 609KB - Virtual size: 609KB

.rdata Size: 113KB - Virtual size: 113KB

.data Size: 14KB - Virtual size: 381KB

.rsrc Size: 574KB - Virtual size: 573KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
Certificate

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

21:93:dd:63:bb:4f:d5:75:f4:a8:ad:48:16:b0:56:50
Certificate

.text
Size: 609KB - Virtual size: 609KB

.rdata
Size: 113KB - Virtual size: 113KB

.data
Size: 14KB - Virtual size: 381KB

.rsrc
Size: 574KB - Virtual size: 573KB