MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 451a12082a8324494c238427639638ede5fe7f25b9ab2f522aa6109254320807. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	451a12082a8324494c238427639638ede5fe7f25b9ab2f522aa6109254320807
SHA3-384 hash:	9e6628c9fbb60c4a640eea616eb3af6a0b447c1a5bc7c6fa896b03195db61bb12596b44c4ac92ac3aa1e5eb70f108d2c
SHA1 hash:	9fbdf43901a1d36a914518cf855107b7c875d905
MD5 hash:	9333ef03ffc7b598d3df12e8fc966cab
humanhash:	maine-vermont-cup-island
File name:	netsh.exe
Download:	download sample
Signature	Neshta Create hunting rule
File size:	206'224 bytes
First seen:	2022-02-21 21:37:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep	3072:wr85CQN6XcG1rY15Hf5zgv65dJGuqqqGJuhe:w9QeS5MiJR7qGJuhe
Threatray	233 similar samples on MalwareBazaar
TLSH	T1D7145C6229EC34F1D0E2CBF8DFD18A51733FFA7065208D9BA251024CDD66AC19EA6D35
Reporter	adm1n_usa32
Tags:	exe Neshta

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

netsh.exe

Verdict:

Malicious activity

Analysis date:

2022-02-21 21:35:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2914367a-3056-4c8f-9a90-2c9982892f8a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/243054/

Detection(s):

Win.Trojan.Neshuta-1

PUA.Win.Packer.Pequake-4

Win.Virus.Neshta-7101689-0

Win.Trojan.Jadtre-5

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a file in the Windows directory

Modifying an executable file

Creating a file

Creating a file in the Program Files subdirectories

Sending a custom TCP request

Enabling autorun with the shell\open\command registry branches

Infecting executable files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe fingerprint greyware neshta overlay shell32.dll update.exe virus winlock

Link:

https://www.filescan.io/uploads/62140603875593a3ccfe194b/reports/aacc3641-c3cd-4d83-a6bc-afd11eef98a8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

HackingTeam

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2481769f-8e10-4fa8-b5c2-6a1f3a2bc121

Result

Threat name:

Neshta

Detection:

malicious

Classification:

spre.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/943501

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Drops PE files with a suspicious file extension

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses netsh to modify the Windows network and firewall settings

Yara detected Neshta

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/451a12082a8324494c238427639638ede5fe7f25b9ab2f522aa6109254320807/

Threat name:

Win32.Virus.Neshta

Status:

Malicious

First seen:

2022-02-13 10:11:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

42 of 43 (97.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iunbecbkqmsestbdqqtwhfry5xs747zfxgvs6urkuyijevbsbadq._file

Verdict:

malicious

Neshta

20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4

Neshta

412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb

Neshta

53125b8ade45028207dd476148af9011bb4db4aa4c6427ed8fa1d14f90bab2c4

Neshta

5d7566ee48f7c1525a1d0e5cf2e5463929d7ad9fe55519acec2a4fcb19507f7e

Neshta

68bdf2747408e5f948696b4285faf5c9f87aea79272212d96895f1978201270f

Neshta

769e6e12a5443217fd8c5ce510846775b714eb221cc11974969b5ff7442b5484

Neshta

7d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2

Neshta

e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c

Neshta

+ 223 additional samples on MalwareBazaar

Result

Malware family:

neshta

Score:

10/10

Tags:

family:neshta persistence spyware stealer

Link:

https://tria.ge/reports/220221-1ggk2sbhhn/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Modifies system executable filetype association

Neshta

Unpacked files

SH256 hash:

451a12082a8324494c238427639638ede5fe7f25b9ab2f522aa6109254320807

MD5 hash:

9333ef03ffc7b598d3df12e8fc966cab

SHA1 hash:

9fbdf43901a1d36a914518cf855107b7c875d905

Detections:

win_neshta_auto

Link:

https://www.unpac.me/results/81f75d32-4455-44fe-922e-da2c339e1f31/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/451a12082a8324494c238427639638ede5fe7f25b9ab2f522aa6109254320807

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Neshta Create hunting rule
Author:	ditekSHen
Description:	Detects Neshta

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	MAL_Neshta_Generic_RID2DC9 Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	win_neshta_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/2914367a-3056-4c8f-9a90-2c9982892f8a

Cape

https://www.capesandbox.com/analysis/243054/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample