neshta

General

Target

Steam.sfx.exe
Size

1.5MB
Sample

240716-jf93jathqb
MD5

12eb750a2a4ff29b596d97592b219757
SHA1

40aedee5578686295805f9f23363551b8da73ba2
SHA256

ce62a35f91e421ff693bde07a223cd079359f1e7f2d942aca0884dda287d3bf3
SHA512

fdc38207c2715d6a7ce817a0d1929b6f2432a79fb739b16968372fe679c7a4b95fafcfbf6341b1bd0fdfec3256b582ba889c9ffd37d425872005e242766df7ae
SSDEEP

24576:KEeqQq3KZUyJ183CcshguRr5BnzgGa22P+jasRZDQt:KEuq6/1gshguRr5x9jlRZDQt

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:14365

21.ip.gl.ply.gg:14365

Attributes

Install_directory
%Userprofile%
install_file
USB.exe
telegram
https://api.telegram.org/bot7361674811:AAFROegouCfkAWXkfmawgLBPRXpvTed2cWQ/sendMessage?chat_id=2091751136

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

- Target
  
  Steam.sfx.exe
- Size
  
  1.5MB
- MD5
  
  12eb750a2a4ff29b596d97592b219757
- SHA1
  
  40aedee5578686295805f9f23363551b8da73ba2
- SHA256
  
  ce62a35f91e421ff693bde07a223cd079359f1e7f2d942aca0884dda287d3bf3
- SHA512
  
  fdc38207c2715d6a7ce817a0d1929b6f2432a79fb739b16968372fe679c7a4b95fafcfbf6341b1bd0fdfec3256b582ba889c9ffd37d425872005e242766df7ae
- SSDEEP
  
  24576:KEeqQq3KZUyJ183CcshguRr5BnzgGa22P+jasRZDQt:KEuq6/1gshguRr5x9jlRZDQt
Score

10^/10

neshta wannacry xworm defense_evasion discovery execution impact persistence ransomware rat spyware stealer trojan worm
- Detect Neshta payload
- Detect Xworm Payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1