MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44447e8ee66daa872048fcca50842694d35a78e77cf9d6ac8e8e4979958d46e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44447e8ee66daa872048fcca50842694d35a78e77cf9d6ac8e8e4979958d46e7
SHA3-384 hash: f1541115143f5caceda4f8577b0719624cdcdfc501b807b4449d05878f5495c1bad6627be09783acb517522880050704
SHA1 hash: 7110833f44986cfb84a83ab61ff39ee329104c24
MD5 hash: 33b294581e9bf726febdbeee1b439756
humanhash: green-east-utah-michigan
File name:Swift_pdf.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:477'348 bytes
First seen:2021-08-16 17:27:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 12288:nw8wxL/DKWKYBUu7iE6zQ1qmbGdfvZxOuy5GefM:nCl/nKYq2dqmaBOumGe0
Threatray 126 similar samples on MalwareBazaar
TLSH T1F3A4D012B1E0D031D46205B449F093F9B87CAF30272E55E7E3985A7D9E787D1AE34A2B
Reporter abuse_ch
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-16 17:27:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/689da922-803f-4595-8044-11d3ff6edd61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179657/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Deleting a recently created file
Replacing files
Creating a file
Sending a UDP request
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a recently created process by context flags manipulation
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6de0090-63f6-4d67-b461-7d639c8f1d56
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833739
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 466167 Sample: Swift_pdf.exe Startdate: 16/08/2021 Architecture: WINDOWS Score: 100 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for dropped file 2->75 77 Antivirus / Scanner detection for submitted sample 2->77 79 6 other signatures 2->79 14 Swift_pdf.exe 4 2->14         started        process3 dnsIp4 65 192.168.2.1 unknown unknown 14->65 61 C:\Windows\svchost.com, PE32 14->61 dropped 63 C:\Users\user\AppData\Local\...\Swift_pdf.exe, PE32 14->63 dropped 67 Creates an undocumented autostart registry key 14->67 69 Drops PE files with a suspicious file extension 14->69 71 Drops executable to a common third party application directory 14->71 19 Swift_pdf.exe 1 14->19         started        file5 signatures6 process7 signatures8 81 Maps a DLL or memory area into another process 19->81 22 Swift_pdf.exe 3 2 19->22         started        26 conhost.exe 19->26         started        process9 file10 53 C:\Users\user\AppData\Local\...\setup.exe, PE32 22->53 dropped 55 C:\ProgramData\...\vcredist_x86.exe, PE32 22->55 dropped 57 C:\ProgramData\...\VC_redist.x64.exe, PE32 22->57 dropped 59 108 other malicious files 22->59 dropped 83 Drops executable to a common third party application directory 22->83 85 Infects executable files (exe, dll, sys, html) 22->85 28 svchost.com 1 22->28         started        signatures11 process12 signatures13 91 Sample is not signed and drops a device driver 28->91 31 Swift_pdf.exe 1 28->31         started        process14 signatures15 93 Maps a DLL or memory area into another process 31->93 34 Swift_pdf.exe 1 2 31->34         started        36 conhost.exe 31->36         started        process16 process17 38 svchost.com 34->38         started        process18 40 Swift_pdf.exe 38->40         started        signatures19 87 Maps a DLL or memory area into another process 40->87 43 Swift_pdf.exe 40->43         started        46 conhost.exe 40->46         started        process20 signatures21 89 Drops executables to the windows directory (C:\Windows) and starts them 43->89 48 svchost.com 43->48         started        process22 file23 51 C:\Windows\directx.sys, ASCII 48->51 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44447e8ee66daa872048fcca50842694d35a78e77cf9d6ac8e8e4979958d46e7/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 14:42:56 UTC
AV detection:
43 of 46 (93.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=irch5dxgnwvioici7tffbbbgstjvu6hhpt45nleorzextfmni3tq._file
Verdict:
malicious
Similar samples:
3fb730890c8c04eb09d8b2acff9c376d8054d5d3748898a907099055ec54f2ac
Neshta
412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb
Neshta
497d83f4debdbc49d2cfb27433de383cd4aac3061bde01e4799d0274a3ef5615
Neshta
5d7566ee48f7c1525a1d0e5cf2e5463929d7ad9fe55519acec2a4fcb19507f7e
Neshta
a0baff0515a6ff0a42b19248dd7823063a25118963fc396c25f5e5cd6af3d59e
Neshta
a2c6a9d6809c3cf2ea1108aae86677aaba31ef7e2f10017331716bedd2a8f91c
Neshta
b2beeab94f7cbc38143e2a050c263476419bb48d2ec37470df5b1ee0da812f50
Neshta
ba852a2b1acc3b7c2bb98e6acbe41948de4e8046bbf6c3a874d7462f23d19f1e
Neshta
e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c
Neshta
+ 116 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210816-xnhvpvt1yx/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies system executable filetype association
Unpacked files
SH256 hash:
44447e8ee66daa872048fcca50842694d35a78e77cf9d6ac8e8e4979958d46e7
MD5 hash:
33b294581e9bf726febdbeee1b439756
SHA1 hash:
7110833f44986cfb84a83ab61ff39ee329104c24
Link:
https://www.unpac.me/results/1f4f1fca-1cac-43b6-89b2-403a7302a95d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/44447e8ee66d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/44447e8ee66daa872048fcca50842694d35a78e77cf9d6ac8e8e4979958d46e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:win_neshta_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

Executable exe 44447e8ee66daa872048fcca50842694d35a78e77cf9d6ac8e8e4979958d46e7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/179657/

Comments