MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 7
| SHA256 hash: | 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb |
|---|---|
| SHA3-384 hash: | d7c93d7fb1f7aad0e168ce1ba7440825c2becaf93cdd367fa15472f2f9b29bfa61658421c1a7386d7ba479800dc40856 |
| SHA1 hash: | 80318081b9ddf19e9d0cfb5d4ab7643d56075f9e |
| MD5 hash: | 3f39c1b5cd9ef1cfd0e3776c9d9af9d5 |
| humanhash: | helium-georgia-eleven-queen |
| File name: | 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb |
| Download: | download sample |
| File size: | 5'617'057 bytes |
| First seen: | 2020-08-28 13:11:45 UTC |
| Last seen: | 2021-05-14 07:43:02 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla) |
| ssdeep | 98304:C/dcHQ18Jd5QgmLuqHTernf4+zo7lkckufeIP7gyA01gNQMB3FurAI6Nx:dHQ+Jd52fTwf4Lxk8P7gyhenFKAIa |
| Threatray | 14 similar samples on MalwareBazaar |
| TLSH | 1A46F171F284ACA2C01701B49C78E6B0256FFF560A3D8A027676760F59BA3D27536F4B |
| Reporter |  JAMESWT_WT |
| Tags: | 185.117.73.222 |
Intelligence
File Origin
# of uploads :
3
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
ObliqueRAT
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Sending a UDP request
Result
Threat name:
Neshta ObliqueRat
Detection:
malicious
Classification:
spre.troj
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Neshta
Yara detected Oblique Rat
Behaviour
Behavior Graph:
Threat name:
Win32.Virus.Neshta
Status:
Malicious
First seen:
2020-02-06 03:45:10 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
46 of 48 (95.83%)
Threat level:
5/5
Verdict:
malicious
Similar samples:
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
10/10
Tags:
spyware persistence
Behaviour
Modifies registry class
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Drops file in Windows directory
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Modifies system executable filetype association
Modifies system executable filetype association
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Neshta
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.