neshta

General

Target

c6b616f1e523cf0164abfdf61bed202e1b063ac7114966adb4e3dc6ff31f3234.exe
Size

2.0MB
Sample

241121-atyf8awrbt
MD5

ffaa2795cdbb9b9a2fb8f64ae59ab785
SHA1

5ed394f8cce0ef5a915756e2990c314bb5d9aa84
SHA256

c6b616f1e523cf0164abfdf61bed202e1b063ac7114966adb4e3dc6ff31f3234
SHA512

a3d34b0bf5e4ff6ac4ca7a048b2520abbe9263bb26baaacb3e812372d4a15e072ef0718598d5d2b68deee408ce6dffe42f2754db151516d4c8d98fe996fbe6d3
SSDEEP

49152:o96NRteryADpCW2G7CqreesNLsaisNeX7hwgqXn8D4E0fhbLUOu:o4NRIpcGCq/sqaisG7Vr0fh8Ou

Score

10^/10

Malware Config

Targets

- Target
  
  c6b616f1e523cf0164abfdf61bed202e1b063ac7114966adb4e3dc6ff31f3234.exe
- Size
  
  2.0MB
- MD5
  
  ffaa2795cdbb9b9a2fb8f64ae59ab785
- SHA1
  
  5ed394f8cce0ef5a915756e2990c314bb5d9aa84
- SHA256
  
  c6b616f1e523cf0164abfdf61bed202e1b063ac7114966adb4e3dc6ff31f3234
- SHA512
  
  a3d34b0bf5e4ff6ac4ca7a048b2520abbe9263bb26baaacb3e812372d4a15e072ef0718598d5d2b68deee408ce6dffe42f2754db151516d4c8d98fe996fbe6d3
- SSDEEP
  
  49152:o96NRteryADpCW2G7CqreesNLsaisNeX7hwgqXn8D4E0fhbLUOu:o4NRIpcGCq/sqaisG7Vr0fh8Ou
Score

10^/10

neshta discovery evasion persistence spyware stealer trojan
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2