General

  • Target

    Method.zip

  • Size

    355.2MB

  • Sample

    241201-wph2maxpax

  • MD5

    eaa98fb919ce0219a425694e0b03839e

  • SHA1

    0d8d21e988499e292e78675be4f614f02477fd44

  • SHA256

    1dc4ecb493c5e6319426306929fe0e667c7c5de0326ef29893c7cbb54ee3a370

  • SHA512

    c6c738f75da514a8958fbc5dd495201791b127cc0fac8a9284c90e59cbf38e51b9675c8be7831c984a1adb8ee95b3c5d58c4ca82816ecf7ea97839accac475ce

  • SSDEEP

    6291456:hmjabyvpN+HoKjNgafxL94k31af5kQuM5kdWbRz0uSsbegLMfkF+Fi2bAV:4Foz2afxuk3CkdWb15brMfkF+zAV
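Before relying on this report for a file in hand, confirm it is the same artifact. The Python script below is an added example and not part of the sandbox output: it streams a file through the four digests listed above and labels anything whose SHA-256 matches the archive or one of the members that triggered behavioural signatures under Targets. The hash table is copied from this page; SSDEEP is left out because it needs a third-party library, and the directory layout is whatever you point the script at.

```python
import hashlib
from pathlib import Path

# SHA-256 values copied from this report: the archive itself plus the members
# that triggered behavioural signatures. Keys are lower-case hex digests.
REPORT_SHA256 = {
    "1dc4ecb493c5e6319426306929fe0e667c7c5de0326ef29893c7cbb54ee3a370": "Method.zip",
    "3814314e3ac6b9d6854a1e18895cfb30d19dc9dbf9455869624c4182ae9b494f":
        "Method/Method/2. Parameters/Tool/1. Parameter Hq/main.exe (Neshta)",
    "39e1357bea6cb75722748ecd83524003233b102718f011371841ea7f775abf7f":
        "Method/Method/2. Parameters/Tool/2. Clean/main.exe (Neshta)",
    "0bc9a0422c1cd4b679b5d827340d902e10916c8612c202ba899faa8becd94fc8":
        "Method/Method/MailDumper v1.2.3.exe (stealer)",
    "07391a3d0e3cd43bf1fce74cc5dc29d95f0774d294abbc63fd8dcd281cecf105":
        "Method/Method/Tool/Mango/MangoKeywordsGUI.exe",
    "6c4ae70ec6989012cc3a34c5f5747825917a7164eb38f6daaec3312518df2391":
        "Method/Method/Tool/Mango/MangoKeywordsTUI.exe (Neshta)",
    "8fe62d8f4512ee5a8c959aa5f4cc77e3d71c9259e259431523480462c0e68386":
        "Method/Method/Tool/SAS/SwissArmySuite.exe (Neshta)",
}

# The four digest algorithms the report lists for every target.
DIGESTS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory buffer with all four algorithms."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def hash_file(path, chunk_size=1 << 20) -> dict:
    """Stream a file through all four hashes in one pass, so a 355 MB archive
    never has to be read into memory."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify(sha256_hex: str):
    """Report label for a SHA-256 that appears in this page, else None."""
    return REPORT_SHA256.get(sha256_hex.strip().lower())


def triage_directory(root) -> list:
    """Walk a directory (for example the extracted archive) and return
    (relative path, sha256, report label or None) for every regular file."""
    root = Path(root)
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hash_file(path)["sha256"]
        results.append((str(path.relative_to(root)), digest, classify(digest)))
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, digest, label in triage_directory(target):
        print(f"{digest}  {rel}  ->  {label or 'not in report'}")
```

Run it against the extraction directory; a file that hashes to something not in the table is either a member the report scored as benign or a different build than the one analysed here, and either way should not be assumed to match this page's findings.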

Malware Config

Targets

    • Target

      Method/Method/2. Parameters/Tool/1. Parameter Hq/main.exe

    • Size

      6.9MB

    • MD5

      103094611fd5964a753bded872de235e

    • SHA1

      bc0a0f5b1e975795aa893ee6f0c61927e20389ea

    • SHA256

      3814314e3ac6b9d6854a1e18895cfb30d19dc9dbf9455869624c4182ae9b494f

    • SHA512

      5cdb5b5c110621ab06102094bace1fa260e574cede38129bc64232e77593426e6f0e7abe365461189203d8e6f5867756d61283455414ccfcae8cd47b371fef69

    • SSDEEP

      196608:0sfXWA1HeT39IigFeE9TFa0Z8DOjCdyluomnzbQW7txK:F1+TtIiRY9Z8D8Ccl5KnPxK

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it inserts its own code into other executable files so that each infected program spreads it further, and the modified host program may be left damaged.

    • Neshta family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and session cookies.

    • Target

      Method/Method/2. Parameters/Tool/2. Clean/main.exe

    • Size

      6.9MB

    • MD5

      98248e7ee72e4768f5c96dc069d02c1b

    • SHA1

      cdcea49f4b97f58649abd40bc8db913db5e78483

    • SHA256

      39e1357bea6cb75722748ecd83524003233b102718f011371841ea7f775abf7f

    • SHA512

      09ef54f66eb8a8f8d442245bf562d36e4e3382d2fc1f4213c71c7ff53bb0fd4485a255c5188866a0d6ff2362bb45359db14dac7a4c7d2b769afa1d139c743348

    • SSDEEP

      196608:0sU2WA1HeT39IigFeE9TFa0Z8DOjCdyluomnzbQW7txB:J1+TtIiRY9Z8D8Ccl5KnPxB

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it inserts its own code into other executable files so that each infected program spreads it further, and the modified host program may be left damaged.

    • Neshta family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and session cookies.

    • Target

      Method/Method/MailDumper v1.2.3.exe

    • Size

      14.0MB

    • MD5

      203069c34e0ca0aa5f9989f017183c7d

    • SHA1

      56c8d23005e226fade5bb89e65fcb6cb54f61d55

    • SHA256

      0bc9a0422c1cd4b679b5d827340d902e10916c8612c202ba899faa8becd94fc8

    • SHA512

      f6752eea901b1d45a3595fafc1fd246ae976ee3cf2b4a290c290afd60a5ae02f6092374dcf292710139987beec68d70fb9bf531be262657bc5088da8d19ed5b8

    • SSDEEP

      393216:bSatY8L2Vmd6melh2pOc/e+7G99YPzAr5jEGuKsV:bSai8yVmdKQpOunzseG6

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Modifies Windows Firewall

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and session cookies.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Method/Method/Tool/Mango/MangoKeywordsGUI.exe

    • Size

      15.3MB

    • MD5

      231fa08d0028c22d60bf518bf2e3615b

    • SHA1

      7e0fd503bf320319b9c527c823fdcf5e5d2eef4d

    • SHA256

      07391a3d0e3cd43bf1fce74cc5dc29d95f0774d294abbc63fd8dcd281cecf105

    • SHA512

      593307fa18b04bcd3c673537ea862e9d123550710937b461b620642eb371b67fb0b43bac44930c16ba53b4daa79a0f2b3a07fbe9b22c2811a5934ac2aa502d1e

    • SSDEEP

      98304:xjYwG3AAkPyKDgDVtwxjt8B203CFI19SswqTdVi72XMVQmppPF32aO3QdM3HwAec:xO3PksSUVMVGaOASw/rSka

    Score
    6/10
    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Method/Method/Tool/Mango/MangoKeywordsTUI.exe

    • Size

      7.8MB

    • MD5

      b06b62fec1ff51c8cdbd9fef72d47cbb

    • SHA1

      f375179cafecc62e0d1161311bd007792a75a75b

    • SHA256

      6c4ae70ec6989012cc3a34c5f5747825917a7164eb38f6daaec3312518df2391

    • SHA512

      77b6af720e8857a49c78269ce55b5072b24531f2768505a24fa46a8bff0342c2a5c3b1a2be283d61184159af3d8e30af7cdf941d9a2a898d4c15eb696d757e82

    • SSDEEP

      98304:X5VYVCHZrtBwwRFqgdExOlYuI0p56Af7ryf:X5VYVAJFvc9ief

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it inserts its own code into other executable files so that each infected program spreads it further, and the modified host program may be left damaged.

    • Neshta family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and session cookies.

    • Target

      Method/Method/Tool/SAS/SwissArmySuite.exe

    • Size

      8.2MB

    • MD5

      9b4eaa20d65e945faf09a32e8749b565

    • SHA1

      477df82f9f38d74b5c48a1ff4783b138fd8271d1

    • SHA256

      8fe62d8f4512ee5a8c959aa5f4cc77e3d71c9259e259431523480462c0e68386

    • SHA512

      831de42440f63d5022f180f58b53399013323249845175dd21c0ba17e2dccb610c8d6e9ab576c5e59f831dadefb676a13786c4519e25ce92abf7f7d10aec40aa

    • SSDEEP

      98304:iHLtt8dlKNOM9+0BRvEpSW821Zb0MvwR0mV93P9max5QOsw:i197LW8gNwR0KtwaYNw

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it inserts its own code into other executable files so that each infected program spreads it further, and the modified host program may be left damaged.

    • Neshta family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and session cookies.

    • Target

      Method/Method/Tool/Switcher/main.py

    • Size

      2KB

    • MD5

      5da65f42a661539cf6c7b813bacf6b3c

    • SHA1

      3f52e9474f045d9f0a05d75c3f1ff1ef2774ac1f

    • SHA256

      093ae1ee4d93b0d31a7caf7f68da5de8dfad103a6ecef6f63d98f37d3f4b9d35

    • SHA512

      1f832c8134e438d3ff506e8524e09365248dcdefc75eb8a70748e41d034800ba4295b3231978b3bb43c573ec72be0b4aaef6ee4293fe5cbabb75d77a34d67a9f

    Score
    3/10
    • Target

      Method/Method/Tool/Switcher/start.bat

    • Size

      7B

    • MD5

      5bc02cefb3ea9e27f1a6776eabd1935d

    • SHA1

      f1bdda93d9a278e358509d498e17d97764c1fb29

    • SHA256

      b10564ab7d2c520cdd0243874879fb0a782862c3c902ab535faabe57d5a505e1

    • SHA512

      f36427d6c7c2e983bea98d274f0bbab92b75f0974f3304461d5e582be348ea70a4b9f33ebfedddc5259aecf1589269f14676138e0ae49cb9f213730938db8c1d

    Score
    3/10
    • Target

      Method/Method/Tool/Xdg/D3Dcompiler_47.dll

    • Size

      4.0MB

    • MD5

      b0ae3aa9dd1ebd60bdf51cb94834cd04

    • SHA1

      ee2f5726ac140fb42d17aba033d678afaf8c39c1

    • SHA256

      e994847e01a6f1e4cbdc5a864616ac262f67ee4f14db194984661a8d927ab7f4

    • SHA512

      756ebf4fa49029d4343d1bdb86ea71b2d49e20ada6370fd7582515455635c73d37ad0dbdeef456a10ab353a12412ba827ca4d70080743c86c3b42fa0a3152aa3

    • SSDEEP

      49152:8BfmqCtLI4erBYysLjG/A8McPyCD6hw16JVTW7B3EgvVlQ3LAYmyNOvGJse+aWyb:8eZevVKACOvWYQF

    Score
    1/10
    • Target

      Method/Method/Tool/Xdg/iconengines/qsvgicon.dll

    • Size

      45KB

    • MD5

      ab6fd39be93f7554db273cde12f91bac

    • SHA1

      765200feedca6991cf2c4aba9ee924bacb9116be

    • SHA256

      ff02d120f090be3d33326a663a8c21bd9d178207e15367614e822ba147721dca

    • SHA512

      5525f7efa1840cd3897f4148f8551d176e8a4a7a3eed4a17230a3f3ffc637c703dfac9bd8fc25273e92bf16f8948d8173814bb64e9fb41d24fe49269ebc1d489

    • SSDEEP

      768:sv4XCkdyOhDiosXTNHqmtbzZ4YmQAmYmKqmQ35DXzi4lmzGK:sAp1ET9LAm4Q5i4AN

    Score
    1/10
    • Target

      Method/Method/Tool/Xdg/imageformats/qgif.dll

    • Size

      39KB

    • MD5

      b11749f8761858a81641fce3170d5aaf

    • SHA1

      135655fe8fdb92e7687edeac9672d811f17f9cad

    • SHA256

      52832ac7edc720202373b3b7811ffad571ea732bbfaa7cc0249a61be795cc1d9

    • SHA512

      dee07b86429ac4b19be7b906101b0ccac95ae4c912c884d4922b3b9cada6a2542eb84cd67a71256e756ec38edad0723af55c6e5c4d0cec4dcb1952e5b8835f1d

    • SSDEEP

      768:ZOPWL1Ah3opxwllyL93LfmBqwCblpvJQQiRkhALmzf:ZOO1Ah3oj3qBGblXQQiOhAyT

    Score
    1/10
    • Target

      Method/Method/Tool/Xdg/imageformats/qicns.dll

    • Size

      48KB

    • MD5

      58e3b20e2bcc92d8927aa7e3cd206aa9

    • SHA1

      fb5ad84877d215f43af9bfeb14e1d815f5f99755

    • SHA256

      f2daa31679e4ae74899f51bf352125467b564f95c18fce25f07ae76298a6859a

    • SHA512

      9c5830748dd8c4104063d939257498a11648efd1e57ebe8d9d593852d1fea85eee7c2b1252dc9404b14a0aff0b3745d42df914bfd8baca5661a4519d9c39c867

    • SSDEEP

      768:fUufTa3SGf76X9+PsxyxEv0XYOzSJYRbKjOQvcRmWmzqo:fU467jgxv8XYOmJMQvcRmzf

    Score
    1/10
    • Target

      Method/Method/Tool/Xdg/imageformats/qico.dll

    • Size

      38KB

    • MD5

      8330a318b2747156dab176c3de15121a

    • SHA1

      2c478d94339f7b852f19b64ff768c5bd2c9bab60

    • SHA256

      cbf94011b5309676accd4e498e9bf580639af62b4c35309bb0c3aed8951ca90c

    • SHA512

      39a2fa386762fb6f0356da7f262ad21774ab4cba0525b70e1be971d042b7593a4ef623eca3868722c8b1e123d1fcdeefd84cff6762dd01befef1fb647a869d28

    • SSDEEP

      768:AsLbQ2DUvSAsAqwodfPr5uaeEcQO4QKjEskmzZ:AsLbQ2DUqAstweNpe6QKgsll

    Score
    1/10
    • Target

      Method/Method/Tool/Xdg/imageformats/qjpeg.dll

    • Size

      383KB

    • MD5

      060cfe4c4956a885094a038ab9cc6225

    • SHA1

      c2178ed5255430b313d5a1564148b0d8548a9fe3

    • SHA256

      6a6b7a4960be86d48c446f4066ba5cc9d9b9a2d75cba88883f48a91a63e760c7

    • SHA512

      bf7b234d4c892ff722c7ea8c12079f60daab41206b4c646d28e76b94e708ea66407d87a28cfd53cd2929c166e9de557d0b5a65b1b0d5bcca4b2c06008ef6435d

    • SSDEEP

      6144:Ek1zBFfz/N6MLARlZU/fU32LPjgx1ZVwSLlQI:Ek1zBFgM3rS+m

    Score
    1/10
    • Target

      Method/Method/Tool/Xdg/imageformats/qsvg.dll

    • Size

      32KB

    • MD5

      21a3f5eba98004a67d113e4d6c480245

    • SHA1

      e59aedd5f11352137b4da18b51166d537e4a95e6

    • SHA256

      f94f1fd1c6b6e17cd9968469aea37823a1143a8d995e268f95ba529c5b6a0231

    • SHA512

      c57f5c7dd11205dbb7cc90db8a089aa8921ff65ba565d75632d768b682387770e64e411c7190cb75f18ee60576fb53912da9f59cca9a44bae953e6634d654762

    • SSDEEP

      768:60SNI4RG7aUSqDhNIghidZn/jlil2QNTtPTDmz6/:yNIIUSonhw22QNTtPTqO/

    Score
    1/10
    • Target

      Method/Method/Tool/Xdg/imageformats/qtga.dll

    • Size

      30KB

    • MD5

      4f2fe41c08e3e68c56c04c608079c1dd

    • SHA1

      6f7e0536df401c47e6dfaf61e32b5e5872c818dc

    • SHA256

      ef870460ceb2bf299f324f9878bf9cc2438fdf0ef3e62e5d4f065a44b3991d2c

    • SHA512

      66e2b1d32e02ecf2d3c63f2f9222467d1ca4635de4ef776e1a8a32a7c583d26f5a7986c3111cc1595334017fa1431765817a4459d6423513fe8f35a379d7dc5a

    • SSDEEP

      384:pTOZ54a4le/hEO03PyjgJrPR7btHaZpXlnrIYQbYc+GrH5nfePPLTTjJf:YZqarNi6kpnYVn1Q3xrZmzt

    Score
    1/10
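The "Modifies system executable filetype association" signature on the four Neshta-infected executables and the "Adds Run key to start application" signature on MailDumper both leave registry artifacts a responder can check on a suspect host. The Python script below is an added example and not part of the report: it parses a .reg export, flags an exefile open command that differs from the Windows default of "%1" %* (the value a file infector rewrites so it runs in front of every .exe), and lists Run/RunOnce entries, marking those that point into user-writable directories. The embedded export is constructed for illustration; the values these samples actually wrote are not reproduced on this page, and the launcher file name in it is a placeholder.

```python
import re

# Constructed .reg export, written for this example. It is not output from the
# sandbox run; "launcher.com" is a placeholder, not the name the samples used.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\Windows\\launcher.com \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\user\\AppData\\Roaming\\Updater\\main.exe"
'''

# Both places the .exe open command can be read from; the Windows default is
# exactly  "%1" %*  with nothing in front of it.
EXEFILE_COMMAND_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
)
EXEFILE_DEFAULT = '"%1" %*'
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
VALUE_LINE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg syntax escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax needed here: key headers and REG_SZ values.
    Returns {key path: {value name ('' for the default value): data}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ; other types are kept raw
            reg[current][name] = data
    return reg


def check_exefile_association(reg: dict) -> list:
    """Flag any exefile open command that is not the Windows default."""
    findings = []
    for key in EXEFILE_COMMAND_KEYS:
        cmd = reg.get(key, {}).get("")
        if cmd is not None and cmd.strip() != EXEFILE_DEFAULT:
            findings.append({"key": key, "command": cmd, "expected": EXEFILE_DEFAULT})
    return findings


def list_run_entries(reg: dict) -> list:
    """Every Run/RunOnce value, marked when its command points into a
    user-writable location such as AppData or Temp."""
    entries = []
    for key, values in reg.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, cmd in values.items():
            entries.append({"key": key, "name": name, "command": cmd,
                            "user_writable": bool(USER_WRITABLE_RE.search(cmd))})
    return entries


def review_export(text: str) -> dict:
    reg = parse_reg_export(text)
    return {"exefile_hijack": check_exefile_association(reg),
            "run_entries": list_run_entries(reg)}


if __name__ == "__main__":
    import json, sys
    # reg export writes UTF-16 with a BOM, which the utf-16 codec handles.
    source = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    print(json.dumps(review_export(source), indent=2))
```

On the suspect host, export each key with `reg export <key> <file>` and pass the file as the first argument. A non-default exefile command is the stronger finding: every program launch on that host goes through whatever it names, so it should be examined before the Run entries, which also include legitimate software and are reported here for review rather than as detections.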

MITRE ATT&CK Enterprise v15

Tasks

static1

pyinstaller, neshta
Score
10/10

behavioral1

neshta, discovery, persistence, pyinstaller, spyware, stealer
Score
10/10

behavioral2

neshta, discovery, persistence, pyinstaller, spyware, stealer
Score
10/10

behavioral3

neshta, discovery, persistence, pyinstaller, spyware, stealer
Score
10/10

behavioral4

neshta, discovery, persistence, pyinstaller, spyware, stealer
Score
10/10

behavioral5

Score
7/10

behavioral6

credential_access, discovery, evasion, execution, persistence, privilege_escalation, spyware, stealer
Score
8/10

behavioral7

Score
1/10

behavioral8

Score
6/10

behavioral9

neshta, discovery, persistence, spyware, stealer
Score
10/10

behavioral10

neshta, discovery, persistence, spyware, stealer
Score
10/10

behavioral11

neshta, discovery, persistence, spyware, stealer
Score
10/10

behavioral12

neshta, discovery, persistence, spyware, stealer
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

Score
3/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10