MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a0e2480076fc22a18ad51c79af447258a2615da953058a46b938d84ca6603a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a0e2480076fc22a18ad51c79af447258a2615da953058a46b938d84ca6603a4
SHA3-384 hash: e4bdf7925e8c7e1f1d0e48bb564ace751bc06aaf11a15c129e996a03824f05368d1505760d5cc58a9d23f1af23b10d9d
SHA1 hash: efb5552dcc856c2f27de706764cc860b4b344758
MD5 hash: 790abe77329f408bb3cd8782d0592be0
humanhash: december-dakota-edward-wyoming
File name:790abe77329f408bb3cd8782d0592be0.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:303'052 bytes
First seen:2021-09-26 14:49:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 6144:k98mjyU9avHM2nVm+cTc0xvklLAFz8LxBg5:Q1avsRo0xvkEJ5
Threatray 10'052 similar samples on MalwareBazaar
TLSH T1D1541211BAE14873D1370EF84C37A368F27FBA2816B61A534BF80F6D5D652530D189EA
Reporter abuse_ch
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
790abe77329f408bb3cd8782d0592be0.exe
Verdict:
Malicious activity
Analysis date:
2021-09-26 14:49:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/64cfa80e-e0c7-4961-b7ec-71db797696f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191782/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Windows directory
Creating a process from a recently created file
Modifying an executable file
Creating a file
Creating a window
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c689dbc-a28d-4636-991b-297c80625549
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858433
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 490864 Sample: 0yt33vmRtD.exe Startdate: 26/09/2021 Architecture: WINDOWS Score: 100 38 helpmovingandstorage.com 2->38 40 www.thesmartroadtoretirement.com 2->40 42 2 other IPs or domains 2->42 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 9 other signatures 2->64 10 0yt33vmRtD.exe 4 2->10         started        signatures3 process4 file5 28 C:\Windows\svchost.com, PE32 10->28 dropped 30 C:\Users\user\AppData\Local\...\setup.exe, PE32 10->30 dropped 32 C:\Users\user\AppData\...\0yt33vmRtD.exe, PE32 10->32 dropped 34 111 other malicious files 10->34 dropped 74 Creates an undocumented autostart registry key 10->74 76 Drops PE files with a suspicious file extension 10->76 78 Drops executable to a common third party application directory 10->78 80 Infects executable files (exe, dll, sys, html) 10->80 14 0yt33vmRtD.exe 17 10->14         started        signatures6 process7 file8 36 C:\Users\user\AppData\Local\...\tkxaz.dll, PE32 14->36 dropped 82 Detected unpacking (changes PE section rights) 14->82 84 Maps a DLL or memory area into another process 14->84 86 Tries to detect virtualization through RDTSC time measurements 14->86 18 0yt33vmRtD.exe 14->18         started        signatures9 process10 signatures11 50 Modifies the context of a thread in another process (thread injection) 18->50 52 Maps a DLL or memory area into another process 18->52 54 Sample uses process hollowing technique 18->54 56 Queues an APC in another process (thread injection) 18->56 21 explorer.exe 18->21 injected process12 dnsIp13 44 www.norfolkveggiebox.com 94.136.40.51, 49830, 80 GD-EMEA-DC-LD5GB United Kingdom 21->44 46 ghs.googlehosted.com 216.58.215.243, 49838, 80 GOOGLEUS United States 21->46 48 10 other IPs or domains 21->48 66 System process connects to network (likely due to code injection or exploit) 21->66 25 wlanext.exe 21->25         started        signatures14 process15 signatures16 68 Modifies the context of a thread in another process (thread injection) 25->68 70 Maps a DLL or memory area into another process 25->70 72 Tries to detect virtualization through RDTSC time measurements 25->72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a0e2480076fc22a18ad51c79af447258a2615da953058a46b938d84ca6603a4/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 14:49:06 UTC
AV detection:
44 of 45 (97.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dihcjaahn7bcugfnkhdzv5chewfcmfo2suyfrjdlsogyjstgaosa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566
Neshta
40f8cfeb5f68c1980aaddf36f9915076d613c4c99293f1f6043180fe1006ea78
Neshta
4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be
Neshta
4f588080c3618162c1bd0337092af0ba118b7277de6c2043a988562efdb0cbbb
Neshta
503f83e4dea1cb3a70d4c309471ea87756a2465c64533d2ea7103b37bd787788
Neshta
54ab4a1cdce2eb6cac3d05ca5eb317a247a6b5e9164d8c1067f1601953ec8729
Neshta
62df68b2db0b080a2e963f0c082b5df7b15819032e11fbe5e9dfcfb8d143f61e
Neshta
a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
Neshta
abb1db77386f0eb3cd2c68603ee8817d6d1015287422182845345dad70503564
Neshta
+ 10'042 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:xloader campaign:b6a4 loader persistence rat spyware stealer
Link:
https://tria.ge/reports/210926-r624lsfab4/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Modifies system executable filetype association
Neshta
Xloader
Malware Config
C2 Extraction:
http://www.helpmovingandstorage.com/b6a4/
Unpacked files
SH256 hash:
1a0e2480076fc22a18ad51c79af447258a2615da953058a46b938d84ca6603a4
MD5 hash:
790abe77329f408bb3cd8782d0592be0
SHA1 hash:
efb5552dcc856c2f27de706764cc860b4b344758
Link:
https://www.unpac.me/results/7979ba91-e5f7-4b9e-9bbf-12a26c27f9b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.59
Link:
https://yomi.yoroi.company/submissions/1a0e2480076fc22a18ad51c79af447258a2615da953058a46b938d84ca6603a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe 1a0e2480076fc22a18ad51c79af447258a2615da953058a46b938d84ca6603a4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1628314/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191782/

Comments