MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4533b5392f6e49cf20ee0821b4c8b6b74b8af274995646791ec7fe48a2615425. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 6

SHA256 hash: 4533b5392f6e49cf20ee0821b4c8b6b74b8af274995646791ec7fe48a2615425
SHA3-384 hash: b4787e5ac25033b4b534a757d069cfd8b87197c5fc8d28adf8b3f2ba50f7d85653ddb15bcf790691bd4ea406abf58d85
SHA1 hash: 5d93f741ef6e06902612f7f851cd96fa73d25d74
MD5 hash: 02598e164be5eaeee2effe4fdf4c3e6b
humanhash: eleven-nevada-quiet-texas
File name: IGBGIKWXSNZXJLZRAVDPQV.vbs
Signature: Neshta
File size: 1'153 bytes
First seen: 2022-08-17 16:04:11 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24:mFgbdC0dEoDj89ldzydYF0dxnvOcFs8gbkoCj802sdKj4dDdhHmdn3p6oRe1+I/+:8gIoDs7vFwv1FP92tyAyUuRZ3v+omUR+
Threatray: 2'741 similar samples on MalwareBazaar
TLSH: T1A321AD5A043EF8CD7E48180ACB848C5DA1AE51EB6C3166BA88724544672CEE13AD42F2
Reporter: pr0xylife
Tags: Neshta, vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 282
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name:
Detection: malicious
Classification: spre.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Creates processes via WMI
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Obfuscated command line found
PowerShell case anomaly found
Uses cmd line tools excessively to alter registry or file data
Very long command line found
Writes to foreign memory regions
Yara detected Neshta
Behaviour
Behavior Graph (ID 685709): sample IGBGIKWXSNZXJLZRAVDPQV.vbs, start date 17/08/2022, architecture WINDOWS, score 100.
Threat name: Script-JS.Trojan.Heuristic
Status: Malicious
First seen: 2022-08-17 16:05:07 UTC
File Type: Text (VBS)
AV detection: 6 of 40 (15.00%)
Threat level: 2/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in System32 directory
Blocklisted process makes network request
Process spawned unexpected child process
Malware Config
Dropper Extraction: http://tradeguru.com.pk/enc1.txt
Please note that we are no longer able to provide a coverage score for Virus Total.