MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37788378096171de3632795ccedd7562dc5f514497394dcdb9fbbea8960cce6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37788378096171de3632795ccedd7562dc5f514497394dcdb9fbbea8960cce6f
SHA3-384 hash: 6078595c1083bfea5a76c6a08ffb34d3cf54a47af90b084ef6631b52763fd7ee51883085eb24c800b3bc3e3c8a300b99
SHA1 hash: d688037eb10c520283c114a5a46730ba18117513
MD5 hash: c05ba4427cd5e20c8a469647e9cb1d92
humanhash: kitten-charlie-red-kansas
File name:20220125 SMH Fiyat Teklifi İste Sipariş-900874.pdf.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:841'728 bytes
First seen:2022-01-25 20:06:10 UTC
Last seen:2022-01-25 22:12:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:Y20qD46kLZOtz2ZpUJSN0ZnKCJeKqZ6YM3aBaSj7EATc/HTtyWM8:J0ak1PpUBZnKCJ2wYMKBaMCH/M8
TLSH T15E05F1277A5ECE31C12817BA44DFC05C03B93E46EE63E74ABDC937DA0E117569A4809B
File icon (PE):PE icon
dhash icon 136d455d6d4d550b (25 x AgentTesla, 9 x Formbook, 5 x Loki)
Reporter abuse_ch
Tags:exe geo Neshta TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20220125 SMH Fiyat Teklifi İste Sipariş-900874.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-25 20:16:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd804785-5a06-494a-88e2-96190e8479f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/222736/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38717757.3557.20654.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/61f058698581cbffe0837711/reports/2910665f-20ad-4fbb-83b4-19dc9a83af17/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
HackingTeam
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39ebd262-3744-4c25-a227-85d1b6ed9b19
Result
Threat name:
Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/927283
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Check for presence of sandbox dll SbieDll.dll
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37788378096171de3632795ccedd7562dc5f514497394dcdb9fbbea8960cce6f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 03:01:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g54ig6ajmfy54nrspfom5xlvmlof6ukes44u3tnz7o7krfqmzzxq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/220125-yvzbxadhdl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
5c2f2f514b1dcd5912cc87ae5374f21642c2b2208c56cf0ec206bfa4e9e9fc2c
MD5 hash:
d70c6277732d0672ac7404b84349afcf
SHA1 hash:
e4fb9cea34f1cbaff845c224ee7f5d1c65328204
Link:
https://www.unpac.me/results/a1781d29-a6c1-4c24-b522-75ad4da25b64/
SH256 hash:
8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1
MD5 hash:
efdf2c54a74297c24bc73285376c432b
SHA1 hash:
564f25afb6c5599cdcd5fafaff32c1475e581af4
Link:
https://www.unpac.me/results/a1781d29-a6c1-4c24-b522-75ad4da25b64/
SH256 hash:
601988fc7daae671a0a27b38d9212e6a8fdfd9110dd099153fcf80f826a2d2e1
MD5 hash:
3024a3be79d03af30cb5ef949b1c1d09
SHA1 hash:
2628411c7216202f7d54c8f64a596cc46e465f3f
Detections:
win_neshta_auto
Create hunting rule
Link:
https://www.unpac.me/results/a1781d29-a6c1-4c24-b522-75ad4da25b64/
Parent samples :
70707206bfdc0b86a9494f7780c55829e993a93a7d65d0279bc9c73b97ffc005
a73f2d92c3d48bad18d6a33530cedee50fb1495030c752d406045c113eeabd0a
0f588cc0f351e5a7a82372fb978693bd088484d89d2219267a4fd7f7c52203d8
a1ac7e8549374b66ee31c8ce943790219ab8e70559f7cff6bcb00e658e0f56ec
37788378096171de3632795ccedd7562dc5f514497394dcdb9fbbea8960cce6f
SH256 hash:
37788378096171de3632795ccedd7562dc5f514497394dcdb9fbbea8960cce6f
MD5 hash:
c05ba4427cd5e20c8a469647e9cb1d92
SHA1 hash:
d688037eb10c520283c114a5a46730ba18117513
Link:
https://www.unpac.me/results/a1781d29-a6c1-4c24-b522-75ad4da25b64/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37788378096171de3632795ccedd7562dc5f514497394dcdb9fbbea8960cce6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

Executable exe 37788378096171de3632795ccedd7562dc5f514497394dcdb9fbbea8960cce6f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/222736/

Comments