General
- Target: 713d0441c4529f0bcadd655fad7e0a1a17788eb9ef89a292caab1446f5e4f135N.exe
- Size: 3.6MB
- Sample: 250122-29tlra1pgr
- MD5: 8fc7c5dc7699dc286c105cc7cdca2320
- SHA1: 9d8af3ef9b38796d6447580c816e9519d465c4eb
- SHA256: 713d0441c4529f0bcadd655fad7e0a1a17788eb9ef89a292caab1446f5e4f135
- SHA512: 6b1075c42afe24e115d9893ee49bcf2ba5ab17cd93a528697aed4eedaebc76abfe672d083173871008a03edd9aee2c158ed8d555f8008392ad63aa4a0fda56c7
- SSDEEP: 98304:6tk87VymQSv/fHRGA25dwK+/0RIEZnk1Afda:6h7LQSfxady/0pZnkmfda
Behavioral task: behavioral1
- Sample: 713d0441c4529f0bcadd655fad7e0a1a17788eb9ef89a292caab1446f5e4f135N.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 713d0441c4529f0bcadd655fad7e0a1a17788eb9ef89a292caab1446f5e4f135N.exe
- Resource: win10v2004-20241007-en
Malware Config

Targets
- Target: 713d0441c4529f0bcadd655fad7e0a1a17788eb9ef89a292caab1446f5e4f135N.exe
- Detect Neshta payload
- Neshta
  Malware from the Neshta family infects other executable files in order to spread and cause damage.
- Neshta family
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Modifies system executable filetype association
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
MITRE ATT&CK Enterprise v15 (number after each technique is the count of matching indicators)

Persistence
  Event Triggered Execution: 3
    Change Default File Association: 1
    Component Object Model Hijacking: 1
    Image File Execution Options Injection: 1

Privilege Escalation
  Event Triggered Execution: 3
    Change Default File Association: 1
    Component Object Model Hijacking: 1
    Image File Execution Options Injection: 1

Defense Evasion
  Modify Registry: 3
  Subvert Trust Controls: 1
    Install Root Certificate: 1
  Virtualization/Sandbox Evasion: 1

Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 1
    Credentials In Files: 1