MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12a8589297e56fc863c7c37209870ff00bf15dcd21f90be9539e3332727761d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12a8589297e56fc863c7c37209870ff00bf15dcd21f90be9539e3332727761d1
SHA3-384 hash: 10157db17d712044ae5259990b1780bf36e2b5aac4441d8e5f9f474bd721d3aebfb226a12f69d29a8aa442882de9bdc3
SHA1 hash: f18683e26c19e087908d96ad116a73d9b84f26a8
MD5 hash: 8ccd364ce46d6464b67edb7d7b80a4e4
humanhash: orange-indigo-friend-lima
File name:order_list_pdf.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:402'461 bytes
First seen:2021-08-17 14:02:15 UTC
Last seen:2021-08-18 07:59:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f21b9f4ed04fb68076e88d1363ed51e4 (10 x Formbook, 3 x RemcosRAT, 2 x Loki)
ssdeep 12288:fbY5q4FBltDIQywiNc//0Guhs1xzidbg/2b2pHy5:fbOvBbnrD/coRiq/2KpS5
Threatray 11 similar samples on MalwareBazaar
TLSH T1CA84D002A6C18036E8B3183642F95235583C7B36071F4FEF57A949B99F305E27A35A7B
Reporter abuse_ch
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order_list_pdf.exe
Verdict:
No threats detected
Analysis date:
2021-08-17 14:36:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b28bad1f-c93d-4ccc-af50-a9efe0c088ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180028/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Gorgon.4c.29092.405.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c1175e0e-40e5-485d-9dd5-e9584de3fa9e
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834490
Signature
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12a8589297e56fc863c7c37209870ff00bf15dcd21f90be9539e3332727761d1/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 14:03:06 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ckufreux4vx4qy6hynzatbyp6af7cxoneh4qx2kttyzte4txmhiq._file
Verdict:
unknown
Similar samples:
10dc7778942ad9eddde8186d0fdcc43d4bcc9c39aa6f5203ebef85729eb02163
Neshta
203754c6e511e0678e98b709deb230b6ee0a7c83e5c368a3c2e3e2bcc692f80b
Neshta
3db4d4a2dc190c6ca349f576eb9e87b828b93e8623df8559a420b981b7a3fa26
Neshta
4a8e92182911cc2ee70ab3c2c869123091d8bef639f97f7bc04d2903bddc78e7
Neshta
6cbce1d82bb769eb1c517c2c54db572614dfce4c858690d77df761572bc98825
Neshta
a2beda57a5e0995d2108071e88e5c70bb171d4434fa2a3c6c788ef066e9d43b5
Neshta
b4918824e1c626c9b8c87be6f1aa34d1672a747e7d0f01d57c232284b62c3061
Neshta
d53bae4b5ce931f64224d180b42eda418516d524ae0623571069c6bc30845fa3
Neshta
ee7768e5b15b6e83c04033a244e19f19cc63aecedbb01786edb6e15318a2a2d2
Neshta
fbb68d8435857838998c6bc25af2854e56916be9e4935106264d06733286aec6
Neshta
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210817-3t7rhm4v42/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Modifies system executable filetype association
Unpacked files
SH256 hash:
12a8589297e56fc863c7c37209870ff00bf15dcd21f90be9539e3332727761d1
MD5 hash:
8ccd364ce46d6464b67edb7d7b80a4e4
SHA1 hash:
f18683e26c19e087908d96ad116a73d9b84f26a8
Link:
https://www.unpac.me/results/54aa1ccb-4374-4b55-9ce6-2b37d17af9c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12a8589297e56fc863c7c37209870ff00bf15dcd21f90be9539e3332727761d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:win_neshta_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

Executable exe 12a8589297e56fc863c7c37209870ff00bf15dcd21f90be9539e3332727761d1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180028/

Comments