MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49cff73125bdbed98cdda85572228372cecaedc8fa98fd48706fd23e6ad1ad4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49cff73125bdbed98cdda85572228372cecaedc8fa98fd48706fd23e6ad1ad4b
SHA3-384 hash: cf9d22c43555a80bc05be1e844ffd0a64ce6de128c2f2c9e64dce0d46ebd8181db8f5861b3405fee0120d3212c0cade0
SHA1 hash: 1fdd90a0a702447aebbd683e175c85a50acb9715
MD5 hash: 4431e8c03162a470cc1c74edfded4afb
humanhash: salami-august-winner-pennsylvania
File name:2023-02-21_4431e8c03162a470cc1c74edfded4afb_neshta_wannacry
Download: download sample
Signature Chaos
Create hunting rule
File size:2'884'608 bytes
First seen:2023-02-23 05:04:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 24576:BS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfEC+:BSy6PX3PpM+P5IdF+
Threatray 98 similar samples on MalwareBazaar
TLSH T195D52E3839EA9019F1B3EF7A6FD4B9D7DA9FB7733A0294191081034B4623A81DD9153E
TrID 84.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8f4b27959b2f4e8 (5 x Chaos, 5 x WannaCry)
Reporter petikvx
Tags:Chaos

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2023-02-21_4431e8c03162a470cc1c74edfded4afb_neshta_wannacry
Verdict:
Malicious activity
Analysis date:
2023-02-23 05:13:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b1c701b8-d501-4035-a63c-a52aae501d1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Chaos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369164/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Ransomware.Hydracrypt-9878672-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a window
Searching for the window
Creating a file
Creating a file in the Program Files subdirectories
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process with a hidden window
Running batch commands
Launching a service
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gamarue neshta overlay shell32.dll virus winlock
Link:
https://www.filescan.io/uploads/63f6f405b53d126ad265bd5a/reports/f5d6dd85-8947-4554-843c-bb9f6dc16007/overview
Verdict:
Malicious
Labled as:
Virus.Neshta
Link:
https://www.hybrid-analysis.com/sample/49cff73125bdbed98cdda85572228372cecaedc8fa98fd48706fd23e6ad1ad4b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e873f797-c312-4d2d-932c-fd1ba4a69b85
Result
Threat name:
Chaos, Neshta
Create hunting rule
Detection:
malicious
Classification:
rans.spre.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181073
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Delete shadow copy via WMIC
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Yara detected Chaos Ransomware
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813904 Sample: sPhhf6qxTe.exe Startdate: 23/02/2023 Architecture: WINDOWS Score: 100 89 Malicious sample detected (through community Yara rule) 2->89 91 Antivirus detection for dropped file 2->91 93 Antivirus / Scanner detection for submitted sample 2->93 95 8 other signatures 2->95 10 sPhhf6qxTe.exe 4 2->10         started        14 svchost.com 2->14         started        16 svchost.exe 2->16         started        18 8 other processes 2->18 process3 file4 79 C:\Windows\svchost.com, PE32 10->79 dropped 81 C:\Users\user\AppData\...\sPhhf6qxTe.exe, PE32 10->81 dropped 83 C:\ProgramData\...\vcredist_x86.exe, PE32 10->83 dropped 85 11 other malicious files 10->85 dropped 117 Creates an undocumented autostart registry key 10->117 119 Drops PE files with a suspicious file extension 10->119 121 Drops executable to a common third party application directory 10->121 123 Infects executable files (exe, dll, sys, html) 10->123 20 sPhhf6qxTe.exe 5 10->20         started        24 svchost.exe 14->24         started        125 Changes security center settings (notifications, updates, antivirus, firewall) 16->125 26 MpCmdRun.exe 16->26         started        127 Query firmware table information (likely to detect VMs) 18->127 28 svchost.exe 18->28         started        signatures5 process6 file7 71 C:\Users\user\AppData\Roaming\svchost.exe, PE32 20->71 dropped 73 C:\Users\user\AppData\...\sPhhf6qxTe.exe.log, CSV 20->73 dropped 99 Multi AV Scanner detection for dropped file 20->99 101 Drops PE files with benign system names 20->101 30 svchost.exe 4 3 20->30         started        75 C:\Users\user\AppData\...\svchost.exe.1ph8, data 24->75 dropped 103 Deletes shadow drive data (may be related to ransomware) 24->103 105 Drops executables to the windows directory (C:\Windows) and starts them 24->105 107 Uses bcdedit to modify the Windows boot settings 24->107 109 2 other signatures 24->109 33 svchost.com 24->33         started        35 svchost.com 24->35         started        37 svchost.com 24->37         started        39 conhost.exe 26->39         started        signatures8 process9 signatures10 129 Deletes shadow drive data (may be related to ransomware) 30->129 131 Uses bcdedit to modify the Windows boot settings 30->131 41 svchost.com 1 30->41         started        45 cmd.exe 33->45         started        47 cmd.exe 35->47         started        49 cmd.exe 37->49         started        process11 file12 77 C:\Windows\directx.sys, ASCII 41->77 dropped 111 Deletes shadow drive data (may be related to ransomware) 41->111 113 Uses bcdedit to modify the Windows boot settings 41->113 115 Sample is not signed and drops a device driver 41->115 51 cmd.exe 1 41->51         started        54 conhost.exe 45->54         started        56 vssadmin.exe 45->56         started        58 WMIC.exe 45->58         started        60 conhost.exe 47->60         started        62 conhost.exe 49->62         started        signatures13 process14 signatures15 97 Deletes shadow drive data (may be related to ransomware) 51->97 64 WMIC.exe 1 51->64         started        67 conhost.exe 51->67         started        69 vssadmin.exe 1 51->69         started        process16 signatures17 87 Deletes shadow drive data (may be related to ransomware) 64->87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49cff73125bdbed98cdda85572228372cecaedc8fa98fd48706fd23e6ad1ad4b/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 22:27:23 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 25 (96.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jhh7omjfxw7ntdg5vbkxeiudolhmv3oi7kmp2sdqn7jd42wrvvfq._file
Verdict:
malicious
Similar samples:
101580f357d05a637f15eeab3a11c713a7e19d223209b443ce5d4e62346e2869
Chaos
2cf1affaddac715171d5be89d0c2bfaa3470608efdc12940967fc22fcffde54f
Chaos
4ee95ee6271482c7939ce3b9db210ffb7a73ceebb6500b978fa3e6fe1d6ea168
Chaos
a70171a1bc2a7fba0f4dcc65d2f0458f4e08388fcea7fe880c26341dcaaed413
Chaos
aae66e4930de3e86e7a4095dbba08680278f96f570a0d116e4616c12492a3073
Chaos
c03f0aebf7867cd5195061605cec8e933575787fc59950b15ae2947dc34a2a42
Chaos
+ 88 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:chaos family:neshta evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/230223-fqv5ksgg21/
Behaviour
Interacts with shadow copies
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Modifies extensions of user files
Deletes shadow copies
Chaos
Chaos Ransomware
Detect Neshta payload
Neshta
Unpacked files
SH256 hash:
49cff73125bdbed98cdda85572228372cecaedc8fa98fd48706fd23e6ad1ad4b
MD5 hash:
4431e8c03162a470cc1c74edfded4afb
SHA1 hash:
1fdd90a0a702447aebbd683e175c85a50acb9715
Detections:
win_neshta_g0
Create hunting rule
Link:
https://www.unpac.me/results/9bf29dbf-de14-4c48-800e-2540033daaef/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49cff73125bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49cff73125bdbed98cdda85572228372cecaedc8fa98fd48706fd23e6ad1ad4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICOUS_EXE_References_VEEAM
Create hunting rule
Author:ditekSHen
Description:Detects executables containing many references to VEEAM. Observed in ransomware
Rule name:MALWARE_Win_Chaos
Create hunting rule
Author:ditekSHen
Description:Detects Chaos ransomware
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369164/

Comments