MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 477a3cab2eeb1f22add3b35d87badd6bd45d0f9490764fb5c78933f25f9b52df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 18

Intelligence 18 IOCs YARA 13 File information Comments

SHA256 hash:	477a3cab2eeb1f22add3b35d87badd6bd45d0f9490764fb5c78933f25f9b52df
SHA3-384 hash:	ff7d49ec0f033ebf61986630560493e9b8dbc631877dfe32d4bfe8aeedc0a1a16c70045acaf58aad97bbb069ca7a38fc
SHA1 hash:	1303678ba4e3eababc76aa277f8af1530b4b82df
MD5 hash:	91593c7253c5318c19cc05628736c7f0
humanhash:	gee-bulldog-autumn-single
File name:	file
Download:	download sample
Signature	Neshta Create hunting rule
File size:	2'724'352 bytes
First seen:	2025-08-19 15:37:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9f4693fc0c511135129493f2161d1e86 (254 x Neshta, 15 x Formbook, 15 x AgentTesla)
ssdeep	49152:0JFEcHcHfnIpvSUxuB4vkjfCSfil3ObWcrJhxSkm6Fo4Ea0g/I2Pz7citcU7tmL:W2c8gfd87CQgu9xNpW4t/Ic7csd7t0
Threatray	857 similar samples on MalwareBazaar
TLSH	T134C5332251D59132E4F877B4ADEAA6320538F8285B35327BD17E7E8C4C356C2683876F
TrID	93.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.5% (.EXE) Win32 Executable (generic) (4504/4/1) 0.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) 0.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	848c5454baf47474 (2'466 x Adware.Neoreklami, 102 x RedLineStealer, 65 x N-able)
Reporter	jstrosch
Tags:	exe Neshta

jstrosch

Found at hxxp://201.16.194[.]227:9090/client/stage/ext/bin/vcredist_x86.exe by #subcrawl

Intelligence

File Origin

# of uploads :

# of downloads :

424

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_477a3cab2eeb1f22add3b35d87badd6bd45d0f9490764fb5c78933f25f9b52df.exe

Verdict:

Malicious activity

Analysis date:

2025-08-19 15:39:50 UTC

Tags:

neshta auto-reg

Link:

https://app.any.run/tasks/688abfd8-ca3c-41fd-bccf-0772ea727d4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Neshta

Link:

https://www.capesandbox.com/analysis/22292/

Detection(s):

Win.Trojan.Neshuta-1

Win.Virus.Neshta-7101689-0

Win.Trojan.Jadtre-5

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a49a79c2f5296a1a28507d

Tags:

dropper neshta virus spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a file in the Windows directory

Modifying an executable file

Creating a window

Launching a process

Сreating synchronization primitives

Searching for synchronization primitives

Sending a custom TCP request

Modifying a system file

Creating a file in the Windows subdirectories

Creating a file in the Program Files subdirectories

Creating a file

Enabling autorun with the shell\open\command registry branches

Infecting executable files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context borland_delphi fingerprint installer lolbin msiexec neshta obfuscated overlay packed packer_detected rundll32 runonce threat virus

Link:

https://www.filescan.io/uploads/68a49a6ca4bdac9f5b9e9e9e/reports/03fa8b5c-7b4a-4420-8045-858929793c13/overview

Verdict:

Malicious

Labled as:

Neshta.A

Link:

https://www.hybrid-analysis.com/sample/477a3cab2eeb1f22add3b35d87badd6bd45d0f9490764fb5c78933f25f9b52df

Malware family:

Neshta

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/538cee0f-d3be-4702-bd05-cc460bcb54c1

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/477a3cab2eeb1f22add3b35d87badd6bd45d0f9490764fb5c78933f25f9b52df

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/477a3cab2eeb1f22add3b35d87badd6bd45d0f9490764fb5c78933f25f9b52df/

Verdict:

Malicious

Threat:

Family.NESHTA

Link:

https://tip.neiki.dev/file/477a3cab2eeb1f22add3b35d87badd6bd45d0f9490764fb5c78933f25f9b52df

Threat name:

Win32.Virus.Neshta

Status:

Malicious

First seen:

2015-05-17 05:21:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

36 of 36 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i55dzkzo5mpsflotwnoypow5npkf2d4usb3e7nohrez7ex43klpq._file

Verdict:

malicious

Label(s):

neshta

Result

Malware family:

neshta

Score:

10/10

Tags:

family:neshta discovery persistence privilege_escalation ransomware spyware stealer

Link:

https://tria.ge/reports/250819-s28w2avpz6/

Behaviour

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Adds Run key to start application

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Reads user/profile data of web browsers

Detect Neshta payload

Neshta

Neshta family

Verdict:

Malicious

Tags:

trojan neshta Win.Trojan.Neshuta-1

YARA:

EXE_Virus_Neshta_March2024 Windows_Virus_Neshta_2a5a14c8 MAL_Neshta_Generic MALWARE_Win_Neshta

Link:

https://app.threat.zone/submission/cfb06d8b-89d8-4c27-8c66-16c6892a002d

Unpacked files

SH256 hash:

477a3cab2eeb1f22add3b35d87badd6bd45d0f9490764fb5c78933f25f9b52df

MD5 hash:

91593c7253c5318c19cc05628736c7f0

SHA1 hash:

1303678ba4e3eababc76aa277f8af1530b4b82df

Detections:

win_neshta_g0

Neshta

Link:

https://www.unpac.me/results/1b7e7b86-7ebb-46f2-b069-e92d5f8bbfd6/

Malware family:

Turla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/477a3cab2eeb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/477a3cab2eeb1f22add3b35d87badd6bd45d0f9490764fb5c78933f25f9b52df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

Rule name:	EXE_Virus_Neshta_March2024 Create hunting rule
Author:	Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	MALWARE_Win_Neshta Create hunting rule
Author:	ditekSHen
Description:	Detects Neshta

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	MAL_Neshta_Generic_RID2DC9 Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	neshta_v1 Create hunting rule
Author:	RandomMalware

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Virus_Neshta_2a5a14c8 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

exe 477a3cab2eeb1f22add3b35d87badd6bd45d0f9490764fb5c78933f25f9b52df

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/22292/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
MULTIMEDIA_API	Can Play Multimedia	gdi32.dll::StretchDIBits
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::GetDriveTypeA kernel32.dll::GetStartupInfoA kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	kernel32.dll::WinExec
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetWindowsDirectoryA kernel32.dll::GetFileAttributesA kernel32.dll::FindFirstFileA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA advapi32.dll::RegSetValueExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample