MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 064c82c9caf9d7ac84081f1a3e7db2f8b53fe0b63b42f950700305cfb61912ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 064c82c9caf9d7ac84081f1a3e7db2f8b53fe0b63b42f950700305cfb61912ac
SHA3-384 hash: a2bb434120fc8bc33ab0af8986174d8f6cea14201e14bb56eab1b867e2f0bd3b860b7156220287d3d3c181bcdea37890
SHA1 hash: 47b96565919b9d8aa6bd895e88834eebe4ef7de8
MD5 hash: fc01898f7ffbc9b547a8e6dc7a881a03
humanhash: floor-magnesium-aspen-oscar
File name:fc01898f7ffbc9b547a8e6dc7a881a03
Download: download sample
Signature Neshta
Create hunting rule
File size:372'736 bytes
First seen:2022-07-14 00:24:40 UTC
Last seen:2022-07-15 03:13:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep 6144:Tldk1cWQRNTBlFBOY7OuNPmO4a0b7OuIaFSS7:Tcv0NTvFBOda2IoS4
Threatray 2'391 similar samples on MalwareBazaar
TLSH T16284383EF24FF053E1D0F838A0E1A2150AAB5D9D3D8C64B67658B901E576E887A03F57
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 48494acc4c4a2148 (1 x RedLineStealer, 1 x BitRAT, 1 x Neshta)
Reporter zbetcheckin
Tags:32 exe Neshta

Intelligence

File Origin
# of uploads :
4
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fc01898f7ffbc9b547a8e6dc7a881a03
Verdict:
Malicious activity
Analysis date:
2022-07-14 00:32:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/685cb9b7-7c6f-4f01-b17b-e5a783d59b14

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/287731/
Detection(s):
SecuriteInfo.com.Malware.AI.392946571.12299.9836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/25144/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/62cf629d01fde6ede680e70a/reports/3b1f1fc2-ecfb-4827-b141-571865404772/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eac5986e-3732-4ff1-ad0c-7e430e73ca93
Result
Threat name:
AsyncRAT, Babadeda, Neshta, RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1030815
Signature
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected Babadeda
Yara detected Neshta
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/064c82c9caf9d7ac84081f1a3e7db2f8b53fe0b63b42f950700305cfb61912ac/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-07-13 04:39:09 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azgifsok7hl2zbaid4nd47ns7c2t7yfwhnbpsudqamc47nqzckwa._file
Verdict:
malicious
Similar samples:
0ea218366bfa6605657baaa410baa697c1c861cd256159aeb91746a4117fabf6
Neshta
157309f0e70964df3b84f400e2b6f6898bc6e47233ff963deb37a9203c654b32
Neshta
1d1c688d117950a23ae8c39cbe2bfee953030f33a59afe869989b2e9470c464e
Neshta
590e531489556cfb9de022bc52bce2489c3609e693209c59fdce5698c6fc0be3
Neshta
80af29bf7cb3a8b904a8d11d34c13bd5a2dcf5b4798138c16c093b2b8a5a9105
Neshta
993afa5ca786935ff44f01d5495e0583034008d30d93eaac100e6d4325dfb89d
Neshta
b3c03dc87f759a1b0336cb34993bed8d35f9b4e5b28295ff57ebb968875d14e9
Neshta
eaf08f6d20670daa716352b18fbc7801d4dbba9e26f986cec4234947e83bba0e
Neshta
+ 2'381 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220714-aql9sadfdn/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
064c82c9caf9d7ac84081f1a3e7db2f8b53fe0b63b42f950700305cfb61912ac
MD5 hash:
fc01898f7ffbc9b547a8e6dc7a881a03
SHA1 hash:
47b96565919b9d8aa6bd895e88834eebe4ef7de8
Link:
https://www.unpac.me/results/95971e28-744e-4cf0-b060-6fcd462ce1b8/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/064c82c9caf9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/064c82c9caf9d7ac84081f1a3e7db2f8b53fe0b63b42f950700305cfb61912ac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe 064c82c9caf9d7ac84081f1a3e7db2f8b53fe0b63b42f950700305cfb61912ac

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/287731/
  
URLhaus
https://urlhaus.abuse.ch/url/2251357/

Comments


Avatar
zbet commented on 2022-07-14 00:24:43 UTC

url : hxxp://judithabusufaitdyg.duckdns.org/Winupdate.exe