Extracted

• • Target

    Cryp_RAT.doc

  • Size

    662KB

  • MD5

    1fc2941b70df9dd6cdf4cb82af740fe9

  • SHA1

    e5d18e3487ca2d5037215c0e0ebfaf7ccae1c655

  • SHA256

    44b87df9f68f5a3084c7d80c1c7492ca5209e816a4e83fdbd6e2fcb6f1ff936f

  • SHA512

    d5da156e406093bfd398d78a36962360ed6918d6b96e641843e7eeddbd6fe41c0a1681bf0a4fe9e31be22d7b1e16267e62abafc9c14d1dea223e72f3ef810081

  • SSDEEP

    12288:6NtcndUa0XzmFe4lT+F4qZDGefM4qeF4C:6Oua0XzmFFI+7Z4VT

  Score

  10^/10

  lockbitneshtadefense_evasiondiscoverypersistenceransomwarespywarestealer

  • Detect Neshta payload

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit

  • Lockbit family

    lockbit

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Neshta family

    neshta

  • Renames multiple (317) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2