General

  • Target

    3dd40cca786c621b9883bad5ea44257468dba3b2892d78190a09c72c51f38304_NeikiAnalytics.exe

  • Size

    613KB

  • Sample

    240702-gpyprayhrb

  • MD5

    caff8650fca4a33d6f45b68b5450b210

  • SHA1

    7a35c8cbfca8cf6ed70c5368eaf4a3ab1e5a2e2f

  • SHA256

    3dd40cca786c621b9883bad5ea44257468dba3b2892d78190a09c72c51f38304

  • SHA512

    cc9fb18b27efd3361847cc6b4ac31f65395124e69ce331f1aed8cbcec6d04ad860b93a6f5a54268642ca1519099eb6a22b8dd55a78c8ad7e194df2dfc83cc626

  • SSDEEP

    12288:pyjOIcdC2jZ8Fj1tNzyGgUWmms8Zb60v5cvZ2KNBIpKl2DSWAYZ4Vv3ce4:pyj3cP+Fjr5ZGJbIh2KNBIXDSFYy9cr

Malware Config

Extracted

Family

predatorstealer

C2

http://ghostghostcom.000webhostapp.com/

Targets

    • Target

      3dd40cca786c621b9883bad5ea44257468dba3b2892d78190a09c72c51f38304_NeikiAnalytics.exe

    • Size

      613KB

    • MD5

      caff8650fca4a33d6f45b68b5450b210

    • SHA1

      7a35c8cbfca8cf6ed70c5368eaf4a3ab1e5a2e2f

    • SHA256

      3dd40cca786c621b9883bad5ea44257468dba3b2892d78190a09c72c51f38304

    • SHA512

      cc9fb18b27efd3361847cc6b4ac31f65395124e69ce331f1aed8cbcec6d04ad860b93a6f5a54268642ca1519099eb6a22b8dd55a78c8ad7e194df2dfc83cc626

    • SSDEEP

      12288:pyjOIcdC2jZ8Fj1tNzyGgUWmms8Zb60v5cvZ2KNBIpKl2DSWAYZ4Vv3ce4:pyj3cP+Fjr5ZGJbIh2KNBIXDSFYy9cr

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it prepends its own code to other executables so that launching any infected program runs the infector first, which is how it spreads across files and hosts. It is also known for hijacking the .exe file association so that it runs before every executable, which is what the "Modifies system executable filetype association" signature below reflects.

    • PredatorStealer

      Predator is a modular stealer written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the malware can refuse to run in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Darkminer v6.exe

    • Size

      188KB

    • MD5

      82aed2b114642857da21b46ad83fcf21

    • SHA1

      13a6fed33398ebdc352b0b9d62d77c5575cd864e

    • SHA256

      3603803a35881bf623d136b2288fdc68164c351251c2da50c295135264a0e2ab

    • SHA512

      3418491bfca42a4aa1fa52768783b89da67363141992013d4461398c0a7ff44e2822dca60da8d2ebb7c55e82f8d3517c644704b568423ccd20e93e3a1bb6dce3

    • SSDEEP

      3072:sr85CvxacPEMk6/RQAFTWfW8Yj8vbzyQ6Y1YXrbNK+3FX:k9P7RQeTWu8qszAXNK+3FX

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it prepends its own code to other executables so that launching any infected program runs the infector first, which is how it spreads across files and hosts. It is also known for hijacking the .exe file association so that it runs before every executable, which is what the "Modifies system executable filetype association" signature below reflects.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the malware can refuse to run in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries.

    • Target

      server.vbe

    • Size

      1.1MB

    • MD5

      44fb327da402e69994ffac915d1d555c

    • SHA1

      0edfb246b38b2f485ace4b7ea3da444080b486c3

    • SHA256

      30df4612deed312396df9a87b4b1b1c777f4e3fa3d7defebd7947586b7d43806

    • SHA512

      03ac6b1c9a13757e75aab121266eee8a92e0e117c0719a0008a433cb6afa7704f3f0006508f78966bca485958df9cea3e7d9ec4e6230cc9e9a036ac6ccd08727

    • SSDEEP

      24576:xMydSNpU0/rrHAcvg+jiEPBrD5JQo3xF8srpIUTC:xNEZB/C

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it prepends its own code to other executables so that launching any infected program runs the infector first, which is how it spreads across files and hosts. It is also known for hijacking the .exe file association so that it runs before every executable, which is what the "Modifies system executable filetype association" signature below reflects.

    • PredatorStealer

      Predator is a modular stealer written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the malware can refuse to run in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

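The behaviours listed for the three targets above (registry geofence lookup, Uninstall-key enumeration, Run-key persistence, change of the .exe file association, browser/Outlook/wallet access, execution of a dropped EXE and an external-IP lookup) can be checked mechanically against a sandbox API trace. The script below is an added example, not part of the original report and not any sandbox's own code: the trace format (operation|object|detail), every event line in CONSTRUCTED_TRACE and the file names and paths inside it are constructed for illustration. The only system fact the rules depend on is that the default value of HKCR\exefile\shell\open\command on a clean Windows install is "%1" %*; the wallet, browser-store and IP-lookup patterns are common examples, not an exhaustive list.

```python
"""Map a sandbox API trace onto the behavioural signatures used in the report above.

Added example. The trace format and every line of CONSTRUCTED_TRACE are made up for
illustration; only the rules encode real Windows registry keys and file names.
"""
import re

# Default value of HKCR\exefile\shell\open\command on a clean system.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed trace, one event per line: operation|object|detail.
CONSTRUCTED_TRACE = r"""
RegQueryValue|HKCU\Control Panel\International\Geo\Nation|244
RegOpenKey|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip|
RegOpenKey|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome|
RegSetValue|HKCR\exefile\shell\open\command|C:\Windows\loader.exe "%1" %*
RegSetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater|C:\Users\victim\AppData\Roaming\server.exe
RegOpenKey|HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook|
FileRead|C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data|
FileRead|C:\Users\victim\AppData\Roaming\Electrum\wallets\default_wallet|
CreateProcess|C:\Users\victim\AppData\Local\Temp\Darkminer v6.exe|
HttpRequest|http://api.ipify.org/|GET
HttpRequest|http://ghostghostcom.000webhostapp.com/|POST
RegSetValue|HKCR\exefile\shell\open\command|"%1" %*
"""


def _exefile_hijack(op, obj, detail):
    # Only a write that replaces the default "%1" %* launcher counts; restoring it does not.
    return (op == "RegSetValue"
            and re.search(r"\\exefile\\shell\\open\\command$", obj, re.I) is not None
            and detail.strip().lower() != DEFAULT_EXEFILE_COMMAND.lower())


def _run_key(op, obj, detail):
    return op == "RegSetValue" and re.search(r"\\CurrentVersion\\Run(Once)?\\", obj, re.I) is not None


def _geofence(op, obj, detail):
    return op.startswith("RegQuery") and obj.lower().endswith(r"\geo\nation")


def _installed_software(op, obj, detail):
    return op.startswith("Reg") and "\\currentversion\\uninstall\\" in obj.lower()


def _browser_data(op, obj, detail):
    # Chromium (Login Data, Web Data, Cookies) and Firefox (logins.json, key4.db) stores.
    return op == "FileRead" and re.search(
        r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db)$", obj, re.I) is not None


def _outlook(op, obj, detail):
    return op.startswith("Reg") and re.search(r"\\Office\\\d+\.\d+\\Outlook\\Profiles", obj, re.I) is not None


def _wallets(op, obj, detail):
    return op == "FileRead" and re.search(r"wallet\.dat$|\\(Electrum|Exodus|Ethereum)\\", obj, re.I) is not None


def _ip_lookup(op, obj, detail):
    return op == "HttpRequest" and re.search(
        r"https?://(api\.ipify\.org|ip-api\.com|icanhazip\.com|ipinfo\.io)", obj, re.I) is not None


def _dropped_exe(op, obj, detail):
    return op == "CreateProcess" and re.search(r"\\(AppData|Temp)\\.*\.exe$", obj, re.I) is not None


# Signature names match the titles used in the report above.
SIGNATURES = [
    ("Modifies system executable filetype association", _exefile_hijack),
    ("Adds Run key to start application", _run_key),
    ("Checks computer location settings", _geofence),
    ("Checks installed software on the system", _installed_software),
    ("Reads user/profile data of web browsers", _browser_data),
    ("Accesses Microsoft Outlook profiles", _outlook),
    ("Accesses cryptocurrency files/wallets, possible credential harvesting", _wallets),
    ("Looks up external IP address via web service", _ip_lookup),
    ("Executes dropped EXE", _dropped_exe),
]


def parse_trace(text):
    """Split 'operation|object|detail' lines; a missing detail becomes an empty string."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        op, obj, detail = (line.split("|", 2) + ["", ""])[:3]
        events.append((op, obj, detail))
    return events


def triage(text):
    """Return {signature name: [evidence lines]} for every rule that fires on the trace."""
    hits = {}
    for op, obj, detail in parse_trace(text):
        for name, matcher in SIGNATURES:
            if matcher(op, obj, detail):
                hits.setdefault(name, []).append(f"{op} {obj} {detail}".rstrip())
    return hits


if __name__ == "__main__":
    for name, evidence in triage(CONSTRUCTED_TRACE).items():
        print(f"[+] {name}")
        for line in evidence:
            print(f"      {line}")
```

Run it directly to print the matched signatures with their evidence lines. Two details matter in practice: the exefile rule compares the written command against the default, so a write that restores "%1" %* is not reported; and the IP-lookup rule matches only the known lookup hosts, so the POST to the C2 host is left for the network indicators rather than mislabelled as an IP check.
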
MITRE ATT&CK Enterprise v15

Tasks