MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 213018b120fa8dc907187cf834fd4222bf527a990a17886cd6d82c206230ae63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 213018b120fa8dc907187cf834fd4222bf527a990a17886cd6d82c206230ae63
SHA3-384 hash: 1a91a5446bad36f94d3828a087960ec9a94bbe3cd53b0191050e42413832974abd3a892d205a7f22ce6dc802b5e310a1
SHA1 hash: ad11a17cd389cae55707b9eb60060b3a8c56e7c1
MD5 hash: e4bcce4c94c10795d54eb574fd27bb1a
humanhash: chicken-delta-winter-nitrogen
File name:IMAGE003.EXE
Download: download sample
Signature Neshta
Create hunting rule
File size:56'832 bytes
First seen:2024-02-20 13:43:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 768:C9XlExMfct/DXHILCwXl+pYdC8gF0edZIo6VVQULZ5:C96ifE/D30CzpoFO0eduTVVNP
Threatray 8 similar samples on MalwareBazaar
TLSH T106438E49DB5D032BCC1D04B9849210C03769D381B3E7FFBA948792782947B74BA76EE9
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter cocaman
Tags:exe Neshta Shipping

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477062/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.98.8239.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Blocking the User Account Control
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive masquerade
Link:
https://www.filescan.io/uploads/65d4aca926f1ddc579a20961/reports/45f5eb81-d09b-4332-b078-5421c37d3a99/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/213018b120fa8dc907187cf834fd4222bf527a990a17886cd6d82c206230ae63
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41ebde0c-49a7-413a-9482-b00c0d42b3d1
Result
Threat name:
AgentTesla, Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1395293
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Disables UAC (registry)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Found malware configuration
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Neshta
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1395293 Sample: IMAGE003.EXE.exe Startdate: 20/02/2024 Architecture: WINDOWS Score: 100 85 heygirlisheeverythingyouwantedinaman.com 2->85 91 Snort IDS alert for network traffic 2->91 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 19 other signatures 2->97 11 IMAGE003.EXE.exe 16 7 2->11         started        16 svchost.exe 16 4 2->16         started        18 svchost.exe 1 1 2->18         started        20 2 other processes 2->20 signatures3 process4 dnsIp5 87 heygirlisheeverythingyouwantedinaman.com 172.67.190.93, 443, 49743, 49745 CLOUDFLARENETUS United States 11->87 83 C:\Users\user\AppData\Roaming\svchost.exe, PE32 11->83 dropped 123 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->123 125 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->125 127 Drops PE files with benign system names 11->127 22 cmd.exe 1 11->22         started        24 cmd.exe 1 11->24         started        129 Adds extensions / path to Windows Defender exclusion list (Registry) 16->129 131 Adds a directory exclusion to Windows Defender 16->131 133 Disables UAC (registry) 16->133 27 InstallUtil.exe 16->27         started        30 powershell.exe 16->30         started        32 CasPol.exe 16->32         started        34 AddInProcess32.exe 16->34         started        89 127.0.0.1 unknown unknown 18->89 36 conhost.exe 20->36         started        38 conhost.exe 20->38         started        file6 signatures7 process8 file9 40 svchost.exe 3 3 22->40         started        43 conhost.exe 22->43         started        45 timeout.exe 1 22->45         started        99 Uses schtasks.exe or at.exe to add and modify task schedules 24->99 47 conhost.exe 24->47         started        49 schtasks.exe 1 24->49         started        75 C:\Windows\svchost.com, PE32 27->75 dropped 77 C:\...\MicrosoftEdgeUpdateSetup.exe, PE32 27->77 dropped 79 C:\...\MicrosoftEdgeUpdateOnDemand.exe, PE32 27->79 dropped 81 59 other malicious files 27->81 dropped 101 Creates an undocumented autostart registry key 27->101 103 Drops PE files with a suspicious file extension 27->103 105 Drops executable to a common third party application directory 27->105 107 Infects executable files (exe, dll, sys, html) 27->107 51 conhost.exe 30->51         started        53 WmiPrvSE.exe 30->53         started        signatures10 process11 signatures12 109 System process connects to network (likely due to code injection or exploit) 40->109 111 Writes to foreign memory regions 40->111 113 Allocates memory in foreign processes 40->113 115 2 other signatures 40->115 55 CasPol.exe 40->55         started        59 svchost.com 40->59         started        process13 file14 67 C:\Users\user\Desktop\IMAGE003.EXE.exe, PE32 55->67 dropped 69 C:\Users\user\AppData\Local\Temp\chrome.exe, PE32 55->69 dropped 71 C:\ProgramData\...\VC_redist.x64.exe, PE32 55->71 dropped 73 88 other malicious files 55->73 dropped 117 Drops executables to the windows directory (C:\Windows) and starts them 55->117 119 Drops executable to a common third party application directory 55->119 121 Infects executable files (exe, dll, sys, html) 55->121 61 svchost.com 55->61         started        63 conhost.exe 59->63         started        signatures15 process16 process17 65 conhost.exe 61->65         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/213018b120fa8dc907187cf834fd4222bf527a990a17886cd6d82c206230ae63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/213018b120fa8dc907187cf834fd4222bf527a990a17886cd6d82c206230ae63/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-02-19 17:10:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eeybrmja7kg4sbyypt4dj7kcek7ve6uzbilyq3gw3awcayrqvzrq._file
Verdict:
unknown
Similar samples:
198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab
Neshta
2d5b681c72ec342d041fccca1bba191dc4bd69e91cd8d56c8298ae3cc0bd8148
Neshta
9c1d9d9cf94affb2508f6d01c7ae3f1e8ffb73c0954fa73d42ff3fd0eff989b4
Neshta
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta evasion persistence spyware trojan
Link:
https://tria.ge/reports/240220-q1s33shb2x/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Neshta
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
213018b120fa8dc907187cf834fd4222bf527a990a17886cd6d82c206230ae63
MD5 hash:
e4bcce4c94c10795d54eb574fd27bb1a
SHA1 hash:
ad11a17cd389cae55707b9eb60060b3a8c56e7c1
Link:
https://www.unpac.me/results/a4265266-daa6-44de-ba01-89221d19a93d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/213018b120fa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/213018b120fa8dc907187cf834fd4222bf527a990a17886cd6d82c206230ae63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

img 83e4f6a296e4924df4b47b0601c40c9e9778a40191d88a0b8a280cb031958934

Neshta

Executable exe 213018b120fa8dc907187cf834fd4222bf527a990a17886cd6d82c206230ae63

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 83e4f6a296e4924df4b47b0601c40c9e9778a40191d88a0b8a280cb031958934
Cape
Cape
https://www.capesandbox.com/analysis/477062/
  
Dropped by
MD5 465162a41168051248ec92711e827a26

Comments