General
  Target: Ödeme Bildirimi.tgz
  Size: 1.5MB
  Sample: 241111-kzypaazqhp
  MD5: cbabad84d89b83dd5c6d32d324019792
  SHA1: 7290b712bc8771d94d7f5f8b0f5c405d6f0ed890
  SHA256: 45962d0cd966db377597088be22d1c9824ca603993969ff08c8405f362e9869d
  SHA512: 3f9a742024ffb8645bccdc3630c3961267a25c1f635ed4d2cb85c8444d1d5c99027a338fb8a9ff83fedecd03d3e4f873b2aad172a7931c3075bc2309fe07eb39
  SSDEEP: 24576:BKuc4XODcJXnsJfXAME+O9BadN6t+rjG6Px:EuPODAXncIh+2BQvZ5
Static task: static1
Behavioral task: behavioral1
  Sample: Ödeme Bildirimi.exe
  Resource: win7-20241023-en
Malware Config

Targets
  Target: Ödeme Bildirimi.exe
  Size: 810.6MB
  MD5: a50c233309fce547730f8c7f2277e84a
  SHA1: 66e083c2d7e3bc02b509f3574ead4f70917f8cf4
  SHA256: cdc7a8459646b81c8922b54e0b555a8f3bf336064a752822e053d278746d01d5
  SHA512: eac158fe946814ccf28e45af0784fd31090e68f3de5544a6b43cf5b8faa526df9b5830c3f09d64ccc3bbc98d4779c18f87b958027dddcab76ee6da1176ece476
  SSDEEP: 24576:4MvDamiIIpODOJ/j0VfNAMa+cJBaVksf4/1EV8VgRl:HeDHOD6/jI+Z+SB5FVV
  Detect Neshta payload
  Neshta: Malware of the Neshta family is a file infector; it injects its own code into other executable files to spread and cause damage.
  Neshta family
  Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence.
  Loads dropped DLL
  Modifies system executable filetype association
  Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
  Execution
    Command and Scripting Interpreter (1)
      PowerShell (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Persistence
    Event Triggered Execution (1)
      Change Default File Association (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Privilege Escalation
    Event Triggered Execution (1)
      Change Default File Association (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Credential Access
    Credentials from Password Stores (1)
      Credentials from Web Browsers (1)
    Unsecured Credentials (1)
      Credentials In Files (1)