Overview

overview

10

Static

static

3

58c407a6a5...bd.exe

windows7-x64

10

58c407a6a5...bd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    58c407a6a53b2d1ee2e9212eea536a49ecd87d43b664e460a593a82d92b6d3bd

  • Size

    197KB

  • Sample

    241124-2w8thszpcp

  • MD5

    e905cee0e3d0062d54c79e5a6d273790

  • SHA1

    f3f503694471c653a7ef1509fa9dced980d6f7e3

  • SHA256

    58c407a6a53b2d1ee2e9212eea536a49ecd87d43b664e460a593a82d92b6d3bd

  • SHA512

    1b370b50f41c79cb118e709d8280bd4a1fba99506ba66aa97fbfd26585d1b09f8ddfcda53a05f587fdeaf0d73f742ed287f882b6e0ce92cfddc68e4e82fcdd88

  • SSDEEP

    3072:zr8WDrCaxEufVU0TbTyDDalRC+utxSGKVqoCl/Ygi:PubufVUNDaatVKsLqL

Score
10/10
neshtadiscoveryevasionpersistencespywarestealer

Malware Config

Targets

    • Target

      58c407a6a53b2d1ee2e9212eea536a49ecd87d43b664e460a593a82d92b6d3bd

    • Size

      197KB

    • MD5

      e905cee0e3d0062d54c79e5a6d273790

    • SHA1

      f3f503694471c653a7ef1509fa9dced980d6f7e3

    • SHA256

      58c407a6a53b2d1ee2e9212eea536a49ecd87d43b664e460a593a82d92b6d3bd

    • SHA512

      1b370b50f41c79cb118e709d8280bd4a1fba99506ba66aa97fbfd26585d1b09f8ddfcda53a05f587fdeaf0d73f742ed287f882b6e0ce92cfddc68e4e82fcdd88

    • SSDEEP

      3072:zr8WDrCaxEufVU0TbTyDDalRC+utxSGKVqoCl/Ygi:PubufVUNDaatVKsLqL

    Score
    10/10
    neshtadiscoveryevasionpersistencespywarestealer

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Neshta family

      neshta

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks