neshta

Sharing

Copy URL

Twitter E-mail

General

Target

SpyNotev7.0.zip
Size

20.6MB
Sample

241220-q3nw5swrez
MD5

63abbd78db324c7abc21dc92aee41b00
SHA1

b9bc0a052b5f6d3ec339b824c67b9e9de97fc6e9
SHA256

7c9e308edff467528d167d0e4dfb7e17e61ba96ad413041b66c243869ef18721
SHA512

8e9b185df25be1f2202fe083833dc171aa6c5ec2a54203e0c7d13c87588bb5dad13ba783f23d9097a654a22a59a20ddc9683ef58731a2c4d05b41aaacc8d0496
SSDEEP

393216:iLYBnW9gu2LXzeDpkJU165/LqQ5pxCcYInXVZCkr6020tFcXQPgEEN:iLYg9gZGGJUI5/LzPYjkr60YgPgEa

Score

10^/10

Malware Config

Extracted

Family

spynote

[SPY_NOTE_HOST_OK]:[SPY_NOTE_PORT_OK]

Targets

- Target
  
  DefenderControl.exe
- Size
  
  823KB
- MD5
  
  879e3d30cc1392370ab0eec1601aa1b6
- SHA1
  
  c85e5eb120d860b0a67e3f091d5e7c29a7643bfd
- SHA256
  
  704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca
- SHA512
  
  71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44
- SSDEEP
  
  12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  Software Usage Tutorial/DefenderControl.exe
- Size
  
  863KB
- MD5
  
  8d12786d8e9477b36557a4c1e35bbb09
- SHA1
  
  a26c718f62b8b6729a16e35a7b68afee101903c6
- SHA256
  
  4f9a3f74fb2cfa5b9e3cb5f00de44e28a44695ab7244900db2eaa9efc494f06a
- SHA512
  
  232a440f8946e6993f3acc57766f50c2bade37b3dc95f0bbbdaf284b169baf258d92a896d7f9df5ae7f889091772b27b856d93f5db64edbea619e03fa159732e
- SSDEEP
  
  12288:jiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyy1OgLdw:jaIO6/LXEYr8dAByy1OYdw
Score

10^/10

neshta discovery persistence spyware stealer
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral3 behavioral4
- Target
  
  Software Usage Tutorial/Software Usage Tutorial.html
- Size
  
  7KB
- MD5
  
  403dacd0bcf0da63ac2ac682039a7f5b
- SHA1
  
  147c374ee4184752556f03cd31b98e343892014c
- SHA256
  
  85e6e28f777587fe4f0d85bacffd90dcb1047c8b0e1851b43d8bc6d6ede37d7d
- SHA512
  
  a19f28339122e019c68d0a302f9b53a8def7e795f681c440aba04616d354ca9eafe4d1b3baa6567179f166ec9b501113332da5940076cda5261c2314c6bdbaa7
- SSDEEP
  
  192:krNeVyhwQLJF2/BZsUMdQ6PbbcUqphd96foL8yo9QQplNR7AJk7IQgHahLKIkPD3:krNeVyhBLJFwBZxMOePhqphd96w4yo9a
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  SpyNote v7.0‌‌/AxInterop.WMPLib.dll
- Size
  
  52KB
- MD5
  
  7825f8fb198952b28e7722e326aa30a1
- SHA1
  
  a4fb88bb7c28516521e350b22867b2c399885c08
- SHA256
  
  a6a9a04b3a9efecc269626fbef345936af9bb50fd4ff86280d14ffcf2e11e56f
- SHA512
  
  6371aa75b70c451f15c3faed4f2b7ddad192c60f285e338aa5bc6cebbe821f9b60fffee94f4307ddc73a7bfa652648e22ed86e28d684bc8fe1e105a05660f0ec
- SSDEEP
  
  768:mTiglqcPGmH+BSITBFo+iRdbBFS1WSbfi5qlD+P2mHvaVhXUWdYQXnI:9gvH+oETfiRnFS1WSbfi5qlsaV2WGII
Score

1^/10
behavioral7 behavioral8
- Target
  
  SpyNote v7.0‌‌/CoreAudioApi.dll
- Size
  
  24KB
- MD5
  
  6a009b7c4b252788d80d4e40adcf51ce
- SHA1
  
  9302cd4f00fa70b768feec2a49505052cd4bd13e
- SHA256
  
  df6115987161ee1238f9564bd10c998d9016f582e5b7b9d23d21a74d6955bdd3
- SHA512
  
  7a27bc38249b293fbfb9389cac3365bf64e9536281c347939192e6b151b4e574bd9743df81721dc4e6beca0ab0a5784436b7f7bff780fdddef4c7c26b02cc354
- SSDEEP
  
  384:JGuIVn86+5zUH4RmcBoZhn9ipvNeFSAucqmPBJGbsw3uiIx5L5gV:CVn86YzgoW0VNeFS0Tbw3up5tgV
Score

1^/10
behavioral10 behavioral9
- Target
  
  SpyNote v7.0‌‌/Interop.WMPLib.dll
- Size
  
  323KB
- MD5
  
  19631c716272ad5b03d2026572608287
- SHA1
  
  057fdc53449360aa154493e36a059d62f4aafb69
- SHA256
  
  099d6dc78473cbb491a3edc97e3f518a19e69a251c52eaaa7c5ac336dbccae53
- SHA512
  
  5eeeea59dffc594d0b62692887a5bc8151c794e59b9618652b084f2c4ea62368075e29aa0e76130f8a6a39be5a19e26c3b01238ac7baaac894574ff2bfb4314f
- SSDEEP
  
  6144:HsJi3gtWLExqLsY9jAaRgHuF07yp4f29sTahwXeVELC5IvmN8jqxAnOlUbSJY/Wl:HsJi3gtWLExqLsY9jAaRgHuF07yp4f2V
Score

1^/10
behavioral11 behavioral12
- Target
  
  SpyNote v7.0‌‌/Resources/Clint.jar
- Size
  
  7KB
- MD5
  
  20d9f58f0e462afdd0abe7727ea2c68f
- SHA1
  
  0de13284b40d40a2442ec067636da6d54ba14a54
- SHA256
  
  84810014bdca1b1715e0b1ca2b267c806a259bcdc554d8d9202cab1ae114d20b
- SHA512
  
  808d9314bc9ac6a074c455a1c4ce4a3be9faa9f04066427db4580c43b5e3d6c826e6c4d3d08d75a09ca6c56eec4adaaab448d38aff04668ab0510e425c8054d0
- SSDEEP
  
  192:lbEPFY6oa9iDw8BkNcGzvpFF/mUSmlAXy:KWGMk8BkNcGFFlN
Score

1^/10
behavioral13 behavioral14
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/Gsm/GSM.dll
- Size
  
  5KB
- MD5
  
  c4ceacedf5310a761b828bed9f7dbc62
- SHA1
  
  f2c4c23d1c04df3899bc0a1e1812eca8f421fbb1
- SHA256
  
  61b0ca29ce7a62932699f33c272fd6d3731a1430ac3455b7a240b01ae461370f
- SHA512
  
  58c42d60a28c6e344060242e77cc841ba1a892cb8b9d5dae02c8f9b2e4c1deeebb599e6a1c401a3c585eb44c28d9c72b2ee56be273169af1d52850e426a1da32
- SSDEEP
  
  96:Vuyz+/KPV+gzlmtrLPfdHOzHFu90rdjF:5z+m9ELPfdHH90H
Score

1^/10
behavioral15 behavioral16
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/Payload/Build.exe
- Size
  
  59KB
- MD5
  
  f677ccdd8c0da08290256c7b0571d95e
- SHA1
  
  e1117cf8d51ca270104da6a8d0769f1e2da4aef3
- SHA256
  
  29039451fb5617504c67396056a08ea3cc44faaba71a1c181fe62086e533a261
- SHA512
  
  25677c0c4a8a7287df275b2ef1819e533d96f52b4592c45c4cae08e372ebd09dcb4c689ddf7ecc8d70445f614493840b581bab80a8f1957c96bc59a3b55001db
- SSDEEP
  
  768:IydG14mNbAEJeXSZncqHqGhMBHjFcHTI19hCkCLIh5YcLIF:bwim6E4XSdHthAZk8hCjWVIF
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  apktool/apktool.bat
- Size
  
  135B
- MD5
  
  b02966b106045115fa8ef94a4e67537b
- SHA1
  
  f901df8bbfe8fe50e560e625a27da1c6c4f0e9b3
- SHA256
  
  3d8108beb40535e68e7f6421a4309408ea5efab91707fa25d862154e3cc9b6df
- SHA512
  
  6274a4568285c74985b095d1dd5649044b61cb7c372dc4653c62a2b92833df477f5a5453be0e598622918b4e6c27064a57e5fba1a657dd064e6d9598fe2f94cc
Score

1^/10
behavioral19 behavioral20
- Target
  
  apktool/apktool.jar
- Size
  
  8.9MB
- MD5
  
  a15507953bd9b89c2d6570f46fb1f774
- SHA1
  
  261a8e68c72b0ebf70894c40b3c35176a66d86fe
- SHA256
  
  0e543660bf2d16fe7c543d4034ef505a6ddccb883416c8aa68d1a1d779b057f2
- SHA512
  
  eb519a94a4aecc1358f4a1cc84e03c772d8b59edf8b5e37956a756f0cc2673c5d9d976ad6796543db74cf187763077b4bbcd0519e7f7be845c0e9874d4862353
- SSDEEP
  
  196608:lIkbXnl3I3rmGQFTbuGzuJVzNfaTWkxQcGhiO:lIw+mGyTNzuJNkTWk0
Score

1^/10
behavioral21 behavioral22
- Target
  
  apktool/signapk.jar
- Size
  
  7KB
- MD5
  
  aec6985fe2314e4d032ba6d192ac4163
- SHA1
  
  b16f006e7bf509add528f4b9a075ca373d531203
- SHA256
  
  b17534e89a5b58d5e343ba54a49da579cf9213988f4beeae24fe4582a0c226bb
- SHA512
  
  5347fb296f87fb71046e0fd261a495485254ed7bd6d68da3aebb346267e5bc14ad8a89aa5496b31b2bf0da35b8c7c4cbbf71ace977443f09ecdbe50e1288bcea
- SSDEEP
  
  192:20AfGZ6TJSM/+Lz2dBM8ZRSvdrGanQRSHFzJ:dj6tof2nMySvldT
Score

1^/10
behavioral23 behavioral24
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/Payload/stub.apk
- Size
  
  730KB
- MD5
  
  0c0290abde03555f3c66c81eba860a3d
- SHA1
  
  939a8e6d0ed4bd8c9f491405ecf069df7bddb7cc
- SHA256
  
  7b20a276931c8625b39ebc46017c7e4d4a7bdf319b9f451231d777b078b0cd6a
- SHA512
  
  441922d41856ec246d1cb29e3b290b62b2d3bc4ca54f896af1df72263e67a320f1b3b85f4d5bd129fa32b4633a1b9f74a63783791f1ea1cb1ca97a8a26b8ea48
- SSDEEP
  
  12288:CJc+EIBvAvcKIth8eGz3zaR9QHqd8gmw+/goe13VvqX:CJc+EIO0K4KeGTzaR+imz/goeHvqX
Score

1^/10
behavioral25 behavioral26 behavioral27
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/PlayerJava/PlayerJava.jar
- Size
  
  3KB
- MD5
  
  d9c23d7574c0d886321dcd029e463f2c
- SHA1
  
  7fad47eb6860a01325c6d526a43d9bbadb66aff7
- SHA256
  
  e22d8a06415f21b900a9a079a6a7928d6c84d2cf33aa07c6ad385dfbbfcd55ed
- SHA512
  
  c32c019fb0bacbd70441cf3ed769bfde9597389f840ff8511db36586756382ef22bd163a7b7cb9e258a4b7a896e5d1a606d92513a141cb2e3c6e421a66ecb316
Score

1^/10
behavioral28 behavioral29
- Target
  
  platform-tools/AdbWinApi.dll
- Size
  
  95KB
- MD5
  
  ed5a809dc0024d83cbab4fb9933d598d
- SHA1
  
  0bc5a82327f8641d9287101e4cc7041af20bad57
- SHA256
  
  d60103a5e99bc9888f786ee916f5d6e45493c3247972cb053833803de7e95cf9
- SHA512
  
  1fdb74ee5912fbdd2c0cba501e998349fecfbef5f4f743c7978c38996aa7e1f38e8ac750f2dc8f84b8094de3dd6fa3f983a29f290b3fa2cdbdaed691748baf17
- SSDEEP
  
  1536:Jwqdq+3pvspmLh8SCykrpTG7kfGHuNezq02XJqo+iFi1yCP:JwqD3L8Tezq0et+ui1y
Score

3^/10

discovery
behavioral30 behavioral31
- Target
  
  platform-tools/AdbWinUsbApi.dll
- Size
  
  61KB
- MD5
  
  0e24119daf1909e398fa1850b6112077
- SHA1
  
  293eedadb3172e756a421790d551e407457e0a8c
- SHA256
  
  25207c506d29c4e8dceb61b4bd50e8669ba26012988a43fbf26a890b1e60fc97
- SHA512
  
  9cbb26e555ab40b019a446337db58770b9a0c9c08316ff1e1909c4b6d99c00bd33522d05890870a91b4b581e20c7dce87488ab0d22fc3c4bbdd7e9b38f164b43
- SSDEEP
  
  1536:l72doFmOiHizFbPlspcsbj5ZsP+YeTs1p:lSSfN9+YeTs1p
Score

3^/10

discovery
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Neshta payload

Neshta family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Reads user/profile data of web browsers

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32