MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27c7af83c87c02b4dc9c0a8d35d42d48f941ff72b2d9ac59971e0127142d084c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 8

SHA256 hash: 27c7af83c87c02b4dc9c0a8d35d42d48f941ff72b2d9ac59971e0127142d084c
SHA3-384 hash: c11c983f23dee9edd30c9b81f283062b67af3d1fb851ea8257ab0a61bf0b9ece681c98eaa4ad72115e53285a0452d6a1
SHA1 hash: a6dae23b1dd5b8c02f17a8a87312325e429740ca
MD5 hash: 120dd0fcdbecf5b37b0f6578fc541323
humanhash: solar-fifteen-papa-spring
File name: 120dd0fcdbecf5b37b0f6578fc541323
Download: download sample
Signature: Neshta
File size: 5'377'991 bytes
First seen: 2021-06-18 07:39:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 98304:VSi2ojtxkoKCd+EAxgi5l+1fTgcKxkqjMZd9:3taoKi+R1rGE9jMZ/
Threatray: 2'079 similar samples on MalwareBazaar
TLSH: 024602ABB1E4717EE05F2631C57A839058B76A556C2E4E1A17E0DB0DCF3E0600E3F6A5
Reporter: zbetcheckin
Tags: 32 exe Neshta

Intelligence


File Origin
# of uploads: 1
# of downloads: 154
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 120dd0fcdbecf5b37b0f6578fc541323
Verdict: Suspicious activity
Analysis date: 2021-06-18 07:44:53 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Tinynuke / Nukebot Neshta
Detection: malicious
Classification: spre.phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Detected Tinynuke / Nukebot malware
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
May use the Tor software to hide its network traffic
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Neshta
Yara detected TinyNuke
Behaviour
Behavior Graph: ID 436612, Sample: B2i1X1m7Mo, Startdate: 18/06/2021, Architecture: WINDOWS, Score: 100 (graph rendering omitted). Recoverable process chain: B2i1X1m7Mo.exe -> B2i1X1m7Mo.tmp -> firefox.exe -> tor.exe / svchost.com, dropping C:\Windows\svchost.com and C:\Windows\directx.sys and infecting executables under C:\Program Files (x86); tor.exe contacted 93.95.227.51:443 (THE-1984-ASIS, Iceland) and 51.178.26.103:443 (OVHFR, France) plus 3 other IPs or domains.
Threat name: Win32.Virus.Neshta
Status: Malicious
First seen: 2021-06-18 07:40:19 UTC
AV detection: 14 of 46 (30.43%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: persistence spyware stealer
Behaviour
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies system executable filetype association
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: Rooter
Author: Seth Hardy
Description: Rooter

Rule name: RooterStrings
Author: Seth Hardy
Description: Rooter Identifying Strings

Rule name: win_tinynuke_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Neshta
File: Executable exe 27c7af83c87c02b4dc9c0a8d35d42d48f941ff72b2d9ac59971e0127142d084c (this sample)