Analysis

  • max time kernel
    103s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/07/2025, 06:23

General

  • Target

    2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe

  • Size

    89KB

  • MD5

    1c21dbc3aa0864488303168e24db8ba7

  • SHA1

    052124c121140f240204fa7c3025da5a9cf00d9e

  • SHA256

    1197f99c0b319efb603d7b490a633af12462bb42fae2989b9208ba26e2b39d76

  • SHA512

    ab9ac9c39b4f1d6930c41aacc55fb5f5a7eeee85833335063611b9f79e9f5f5bf3f0d66064b3783746b3624efaffb7801018d55892bbb15b6621a74a0605d5c2

  • SSDEEP

    1536:wU1kyTJdf408UHKIn5Vqn40x9kOkNpjWZP1h:wdy1df40qIn5sVkOk2B

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Malware in the Neshta family is a file infector: it writes its own code into other executables on the host in order to spread and cause damage.

  • Neshta family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2044
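
Two of the behaviours above are cheap to check for on a host: the re-launch of an identically named copy of the sample from a 3582-490 subdirectory of the user's Temp folder (the process tree shows PID 3216 spawning PID 2044 that way), and the rewrite of the .exe file association ("Modifies system executable filetype association"). The following Python is an added example, not code from the Triage report or from the sandbox. It assumes that the Windows 10 default value of HKCR\exefile\shell\open\command is `"%1" %*` (Microsoft's default) and treats any other value as a hijacked association; the process records are constructed from the PIDs and paths in the report rather than read from a live system, and the hijacked value used for illustration is made up.

```python
"""Host checks for two behaviours the report attributes to the sample.

Added example, not part of the Triage report. Assumptions, labelled where used:
  * the Windows 10 default handler for exefile is  "%1" %*  (Microsoft default);
    anything else is reported as a hijacked association;
  * SAMPLE_TREE is constructed from the PIDs and paths in the Processes section,
    not read from a live machine.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_EXE_COMMAND = '"%1" %*'  # assumed default; see module docstring
# Drop directory observed in the report's process tree.
DROP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\3582-490\\", re.IGNORECASE)

SAMPLE_NAME = ("2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_"
               "gcleaner_rhadamanthys_smoke-loader_stop.exe")
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: Optional[int]   # None for the root of the tree
    image: str            # full path of the executable image


# Constructed from the Processes section of the report above.
SAMPLE_TREE = [
    Process(3216, None, ntpath.join(TEMP_DIR, SAMPLE_NAME)),
    Process(2044, 3216, ntpath.join(TEMP_DIR, "3582-490", SAMPLE_NAME)),
]


def check_exefile_command(value: str) -> Optional[str]:
    """Return a description of the deviation, or None if the handler is the default.

    Whitespace is normalised so that harmless spacing differences do not alert.
    """
    normalised = " ".join(value.split())
    if normalised == DEFAULT_EXE_COMMAND:
        return None
    return (f"exefile\\shell\\open\\command is {normalised!r}, "
            f"expected {DEFAULT_EXE_COMMAND!r}")


def read_live_exefile_command() -> Optional[str]:
    """Read the default value of HKCR\\exefile\\shell\\open\\command.

    Only works on Windows (winreg); returns None elsewhere so the rest of the
    module stays usable offline.
    """
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


def find_relaunched_copies(tree: List[Process]) -> List[Tuple[int, int, str]]:
    """Flag children whose image shares the parent's file name and sits in 3582-490.

    Returns (parent_pid, child_pid, child_image) for each hit.
    """
    by_pid = {p.pid: p for p in tree}
    hits = []
    for child in tree:
        parent = by_pid.get(child.ppid) if child.ppid is not None else None
        if parent is None:
            continue
        same_name = (ntpath.basename(child.image).lower()
                     == ntpath.basename(parent.image).lower())
        if same_name and DROP_DIR_RE.search(child.image):
            hits.append((parent.pid, child.pid, child.image))
    return hits


if __name__ == "__main__":
    for parent_pid, child_pid, image in find_relaunched_copies(SAMPLE_TREE):
        print(f"relaunch from drop dir: {parent_pid} -> {child_pid}: {image}")
    live = read_live_exefile_command()
    if live is not None:
        print(check_exefile_command(live) or "exefile association is the default")
    # Constructed (made-up) hijacked value, to show what a hit looks like:
    print(check_exefile_command(r'C:\Windows\Temp\loader.exe "%1" %*'))
```

On a live Windows host, feed a process listing (for example from `Get-CimInstance Win32_Process`, mapping ProcessId/ParentProcessId/ExecutablePath onto `Process`) into `find_relaunched_copies`; the association check runs directly against the registry.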

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

          Filesize

          86KB

          MD5

          57c043c9a246261b1dedbdefdbcddc56

          SHA1

          9c9461a01a7546781107d1675c72988f69d47378

          SHA256

          1f74fb4cc77bd7546d08989c34536279a815f0622cfcad2c0401e5f80d6c2ab5

          SHA512

          8b39aceaa8d2116c9ff236dc248da9f784ecd77efbabd44b02cd4b4b2c193383aa30afa747c28b7faa38264f20da26a753452d18619db23d71724995827afdc8

        • C:\Users\Admin\AppData\Local\Temp\3582-490\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe

          Filesize

          48KB

          MD5

          0657e06b0a5ca2bc285d481d37073885

          SHA1

          240277dac9cc16c654f7037ee0d318c6b160f09a

          SHA256

          b75675a3ce734f1530814b764623a0682710f0ac8d2c8fa3ce32a84b32e129a5

          SHA512

          59804cc48f26f23d22d30bc036ddf1f78281c1b5f3629723babc299c66f907d90eb6d9910106d11f0b624348780912f632e257ae7102418f0c60bac1679c4f92

        • memory/3216-0-0x0000000000400000-0x000000000102C000-memory.dmp

          Filesize

          12.2MB

        • memory/3216-131-0x0000000000400000-0x000000000102C000-memory.dmp

          Filesize

          12.2MB

        • memory/3216-132-0x0000000000400000-0x000000000102C000-memory.dmp

          Filesize

          12.2MB

        • memory/3216-133-0x0000000000400000-0x000000000102C000-memory.dmp

          Filesize

          12.2MB

        • memory/3216-135-0x0000000000400000-0x000000000102C000-memory.dmp

          Filesize

          12.2MB
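
The Downloads section above is the part of the report most worth ingesting: it carries the hashes of the infected Program Files binary and of the re-launched copy, plus the memory-dump ranges. The following Python is an added example, not code from the Triage report, that parses this bullet/label layout into structured IoC records and matches a file's digests against them. The excerpt it parses is copied from the section above; the empty-input digests used in the test are constructed, and no live file is read.

```python
"""Parse the Triage "Downloads" block into IoC records and match file digests.

Added example, not part of the report. REPORT_EXCERPT is copied from the
Downloads section above; the layout (a bullet per artifact, then label lines
followed by the value on the next non-empty line) is what the parser expects.
"""
import hashlib
import re
from typing import Dict, List

REPORT_EXCERPT = r"""
• C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

  Filesize

  86KB

  MD5

  57c043c9a246261b1dedbdefdbcddc56

  SHA1

  9c9461a01a7546781107d1675c72988f69d47378

  SHA256

  1f74fb4cc77bd7546d08989c34536279a815f0622cfcad2c0401e5f80d6c2ab5

• C:\Users\Admin\AppData\Local\Temp\3582-490\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe

  Filesize

  48KB

  MD5

  0657e06b0a5ca2bc285d481d37073885

  SHA256

  b75675a3ce734f1530814b764623a0682710f0ac8d2c8fa3ce32a84b32e129a5

• memory/3216-0-0x0000000000400000-0x000000000102C000-memory.dmp

  Filesize

  12.2MB
"""

ENTRY_RE = re.compile(r"^•\s+(.+)$")
LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")


def parse_downloads(text: str) -> List[Dict[str, str]]:
    """Return one dict per artifact: path, kind ("file" or "memory"), and labelled values."""
    lines = [line.strip() for line in text.splitlines()]
    entries: List[Dict[str, str]] = []
    current = None
    i = 0
    while i < len(lines):
        match = ENTRY_RE.match(lines[i])
        if match:
            path = match.group(1)
            current = {"path": path,
                       "kind": "memory" if path.startswith("memory/") else "file"}
            entries.append(current)
        elif current is not None and lines[i] in LABELS:
            j = i + 1                      # value is the next non-empty line
            while j < len(lines) and not lines[j]:
                j += 1
            if j < len(lines):
                current[lines[i].lower()] = lines[j].lower()
                i = j
        i += 1
    return entries


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digest a buffer with every algorithm the report uses."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def hash_file(path: str) -> Dict[str, str]:
    """Digest a file on disk in chunks, so large drops do not load fully into memory."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(entries: List[Dict[str, str]], digests: Dict[str, str]) -> List[Dict[str, str]]:
    """Return the report entries sharing any digest with the supplied set (memory dumps carry none)."""
    return [e for e in entries
            if any(algo in e and e[algo] == digests.get(algo, "").lower()
                   for algo in HASH_ALGOS)]


if __name__ == "__main__":
    iocs = parse_downloads(REPORT_EXCERPT)
    for entry in iocs:
        print(entry["kind"], entry["path"], entry.get("filesize"), entry.get("sha256"))
```

To sweep a host, call `match_digests(iocs, hash_file(candidate))` for each candidate path (the 3582-490 Temp copy and the Program Files binaries named in the report are the natural starting points); an empty result means none of the report's hashes matched.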