MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 515f1994cd7f6a4e2a5e642f6905d9897e22abceaaaf235a2bb3ed7835818874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 515f1994cd7f6a4e2a5e642f6905d9897e22abceaaaf235a2bb3ed7835818874
SHA3-384 hash: 710d16c09f4eecc54f6a1ecf5140fb95c9c7132c9211d39f7e32ec9576798afb48da03e6f1439e3373b911f5811ead35
SHA1 hash: 3f362779dd26bdc1bed5e1ca546203c02f946cea
MD5 hash: f2af1f1da3870e5c410551dd528d46ec
humanhash: beryllium-alaska-finch-finch
File name:f2af1f1da3870e5c410551dd528d46ec.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:484'864 bytes
First seen:2021-09-26 14:48:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 6144:k98mgPkQNac4hRyu+QO+IjNeiKFoESrDxBDs/t8zJJqxiuum+j7ADLy:FT47O+iN7KFoEMDxBol0JqxIgy
Threatray 9'890 similar samples on MalwareBazaar
TLSH T1B9A4AE12BAC4D870E8A205BD7404E7AA05797D36492BCB5B77C32F4F28743EA9616F13
Reporter abuse_ch
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f2af1f1da3870e5c410551dd528d46ec.exe
Verdict:
Malicious activity
Analysis date:
2021-09-26 14:50:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/805c0dc2-01a8-4434-adba-4b358a5a25aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191780/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Dropper.LokiBot-9893731-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Windows directory
Modifying an executable file
Creating a file
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12f53e2b-dd43-4a03-a690-00f2b15f5fcc
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858435
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 490866 Sample: HYmN4qwdBc.exe Startdate: 26/09/2021 Architecture: WINDOWS Score: 100 37 www.skoba-plast.com 2->37 39 www.rnerfrfw5z3ki.net 2->39 41 www.jdjseshop.com 2->41 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 9 other signatures 2->63 10 HYmN4qwdBc.exe 4 2->10         started        signatures3 process4 file5 29 C:\Windows\svchost.com, PE32 10->29 dropped 31 C:\Users\user\AppData\Local\...\DismHost.exe, PE32 10->31 dropped 33 C:\Users\user\AppData\Local\...\setup.exe, PE32 10->33 dropped 35 118 other malicious files 10->35 dropped 73 Creates an undocumented autostart registry key 10->73 75 Drops PE files with a suspicious file extension 10->75 77 Drops executable to a common third party application directory 10->77 79 Infects executable files (exe, dll, sys, html) 10->79 14 HYmN4qwdBc.exe 1 10->14         started        signatures6 process7 signatures8 81 Maps a DLL or memory area into another process 14->81 83 Tries to detect virtualization through RDTSC time measurements 14->83 17 HYmN4qwdBc.exe 14->17         started        20 conhost.exe 14->20         started        process9 signatures10 49 Modifies the context of a thread in another process (thread injection) 17->49 51 Maps a DLL or memory area into another process 17->51 53 Sample uses process hollowing technique 17->53 55 Queues an APC in another process (thread injection) 17->55 22 explorer.exe 17->22 injected process11 dnsIp12 43 www.profesyonelkampcadiri.net 91.195.240.94, 49844, 80 SEDO-ASDE Germany 22->43 45 www.avosmains.net 51.91.236.193, 49819, 80 OVHFR France 22->45 47 3 other IPs or domains 22->47 65 System process connects to network (likely due to code injection or exploit) 22->65 26 WWAHost.exe 22->26         started        signatures13 process14 signatures15 67 Modifies the context of a thread in another process (thread injection) 26->67 69 Maps a DLL or memory area into another process 26->69 71 Tries to detect virtualization through RDTSC time measurements 26->71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/515f1994cd7f6a4e2a5e642f6905d9897e22abceaaaf235a2bb3ed7835818874/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 09:51:00 UTC
AV detection:
44 of 45 (97.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfprtfgnp5ve4ks6mqxwsbozrf7cfk6ovkxsgwrlwpwxqnmbrb2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566
Neshta
1a0e2480076fc22a18ad51c79af447258a2615da953058a46b938d84ca6603a4
Neshta
385f5ca91b0a230a14f5d32c79d061a3af0f5533923ad62e1982d1327ed086a4
Neshta
4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be
Neshta
9c8f32833d3c63f139b6ac0c3c7cbfcfbdd0f6a67c78b35bfe44bd8476d6e8b8
Neshta
a2c6a9d6809c3cf2ea1108aae86677aaba31ef7e2f10017331716bedd2a8f91c
Neshta
a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26
Neshta
b56e7b2be2bb194db6e8e7c95e9477c49863e0eb8d2818f266f69e8e1a09647b
Neshta
b6f6868af49729ca38d24bae34efc0fb3025b7947b5cbda60251d96755e01725
Neshta
+ 9'880 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:xloader campaign:b6a4 loader persistence rat spyware stealer
Link:
https://tria.ge/reports/210926-r61ksafab2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Modifies system executable filetype association
Neshta
Xloader
Malware Config
C2 Extraction:
http://www.helpmovingandstorage.com/b6a4/
Unpacked files
SH256 hash:
515f1994cd7f6a4e2a5e642f6905d9897e22abceaaaf235a2bb3ed7835818874
MD5 hash:
f2af1f1da3870e5c410551dd528d46ec
SHA1 hash:
3f362779dd26bdc1bed5e1ca546203c02f946cea
Link:
https://www.unpac.me/results/dd094e77-ece8-490c-a6df-a151615856b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/515f1994cd7f6a4e2a5e642f6905d9897e22abceaaaf235a2bb3ed7835818874

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe 515f1994cd7f6a4e2a5e642f6905d9897e22abceaaaf235a2bb3ed7835818874

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1628619/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1628624/
Cape
Cape
https://www.capesandbox.com/analysis/191780/

Comments