General

  • Target

    server.exe

  • Size

    149KB

  • Sample

    240828-v53kjaxhph

  • MD5

    6f2e1c1cb75be2e41c2e584ad9519185

  • SHA1

    091930c27a0515907848c3ff639f3f9342584e26

  • SHA256

    540a9949b24402819b69c2e701ac9a28d8a1f2e6c58fbf7abc63bbc1dc5ce53d

  • SHA512

    6c8fc29b79b273785edecefd4fb6f314e9b6780e7c6a7616ff954cab7a1faf47cc5eab2ebdd9df536da45425c9f0249e98a6bda8e65ed5f591de706d82d55a70

  • SSDEEP

    1536:JxqjQ+P04wsmJCDcQlwJdMgxHJaAoHoc2x7bZoYBMHJaAoHoc2x7bZoYBS:sr85CDkPJQITxyYoQITxyY0

Targets

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family is a file infector: it injects its own code into other executable files in order to spread and cause damage.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • RunningRat payload

    • Server Software Component: Terminal Services DLL

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15