Overview

overview

10

Static

static

10

3d0ad1ac33...0N.exe

windows7-x64

10

3d0ad1ac33...0N.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3d0ad1ac336e0e5dae9508e097e10b8c53e115f110ee61f056ad022307778f90N.exe

  • Size

    2.4MB

  • Sample

    241226-wk3v8stmer

  • MD5

    be421ee30d09c5bc82b952bc54dc0b50

  • SHA1

    f0be117bbd25aae332953253bedae494bef1d19e

  • SHA256

    3d0ad1ac336e0e5dae9508e097e10b8c53e115f110ee61f056ad022307778f90

  • SHA512

    b313acd92586f735e26d34b5ba828395c8d73cd93ad5f4ab77b90da32f73f52469f4f61a6e6e09a80844a5bd9cb17e89efe198a0c5c3bb08c3ab55ce2306f0ea

  • SSDEEP

    49152:0tYXi3IycP5PTiwp5wWTtNSJzIchrFwAdezfSliOg0MTqQDJVz9YLO:0tQiXcP5POwEGnwz0zfSSnTqQ1VpYLO

Score
10/10
neshtadiscoveryevasionpersistencespywarestealer

Malware Config

Targets

    • Target

      3d0ad1ac336e0e5dae9508e097e10b8c53e115f110ee61f056ad022307778f90N.exe

    • Size

      2.4MB

    • MD5

      be421ee30d09c5bc82b952bc54dc0b50

    • SHA1

      f0be117bbd25aae332953253bedae494bef1d19e

    • SHA256

      3d0ad1ac336e0e5dae9508e097e10b8c53e115f110ee61f056ad022307778f90

    • SHA512

      b313acd92586f735e26d34b5ba828395c8d73cd93ad5f4ab77b90da32f73f52469f4f61a6e6e09a80844a5bd9cb17e89efe198a0c5c3bb08c3ab55ce2306f0ea

    • SSDEEP

      49152:0tYXi3IycP5PTiwp5wWTtNSJzIchrFwAdezfSliOg0MTqQDJVz9YLO:0tQiXcP5POwEGnwz0zfSSnTqQ1VpYLO

    Score
    10/10
    neshtadiscoveryevasionpersistencespywarestealer

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Neshta family

      neshta

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks