MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37796a5aed7aa8aebee13255f6e2ee0eabd877bc2d03916cfb709b660cbbf097. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37796a5aed7aa8aebee13255f6e2ee0eabd877bc2d03916cfb709b660cbbf097
SHA3-384 hash: afbb6199c7679e3e0ddcd4537def615fef3eb4360be82d63a1df6ae2b3a9d51a7323349cd7899eead75f9a7da2ea0420
SHA1 hash: 18591c6b347ac9e10665c4330d31df41f258af45
MD5 hash: e6f4b8be6c8a48d519ef8d8957655b99
humanhash: violet-social-johnny-oranges
File name:SwiftBankCopyFile.rar
Download: download sample
Signature Neshta
Create hunting rule
File size:881'507 bytes
First seen:2023-06-19 06:12:49 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:lNp8SKqlr48RI4+hs/RppVrI/FgLC0b6GIzq91MqJ:lNp8Snl4TPhs//ZRbT2s7J
TLSH T17715238D12DDFD49D091ABAC87085E3FBA1BDEB28D4FD8AE9B5948D9CC150148CC3AC5
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:Neshta payment rar SWIFT


Avatar
cocaman
Malicious email (T1566.001)
From: "info <info09@poituox.fr>" (likely spoofed)
Received: "from mail.poituox.fr (unknown [87.121.221.219]) "
Date: "Sat, 17 Jun 2023 17:09:51 -0700"
Subject: "CONFIRMATION OF PAYMENT"
Attachment: "SwiftBankCopyFile.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:E5418BUVjfY7o0V.exe
File size:1'303'040 bytes
SHA256 hash: 792d13b4f3887733a5ca23c9cb7f8f10186a796fb05891b4ff978cb526832ca0
MD5 hash: 306d1e300a8e742341f36303440d8fd2
MIME type:application/x-dosexec
Signature Neshta
Vendor Threat Intelligence
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/37796a5aed7aa8aebee13255f6e2ee0eabd877bc2d03916cfb709b660cbbf097/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gorgon lolbin packed
Link:
https://www.filescan.io/uploads/648ff1ee2e9e66969e6b5fdf/reports/8ef4bed3-3d32-4358-9d46-611eff948def/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/37796a5aed7aa8aebee13255f6e2ee0eabd877bc2d03916cfb709b660cbbf097
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37796a5aed7aa8aebee13255f6e2ee0eabd877bc2d03916cfb709b660cbbf097/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-06-18 03:38:11 UTC
File Type:
Binary (Archive)
Extracted files:
28
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g54wuwxnpkuk5pxbgjk7nyxob2v5q554fubzc3h3ocnwmdf36clq._file
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/230619-hfrqhscb77/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Detect Neshta payload
Neshta
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37796a5aed7aa8aebee13255f6e2ee0eabd877bc2d03916cfb709b660cbbf097

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

rar 37796a5aed7aa8aebee13255f6e2ee0eabd877bc2d03916cfb709b660cbbf097

(this sample)

Neshta

Executable exe 792d13b4f3887733a5ca23c9cb7f8f10186a796fb05891b4ff978cb526832ca0

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 792d13b4f3887733a5ca23c9cb7f8f10186a796fb05891b4ff978cb526832ca0
  
Dropping
MD5 306d1e300a8e742341f36303440d8fd2

Comments