MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54ff8bf201c18be4c5685d5e80669d1aa817063c9a4a10d6a880c460fd0adf93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54ff8bf201c18be4c5685d5e80669d1aa817063c9a4a10d6a880c460fd0adf93
SHA3-384 hash: fc59f47b11a742dfb9bb3be1f9b2911a1bc27c1ab6b3b117d55d149544bad53b0bdece8906feaaf7d3e03279783cf2d6
SHA1 hash: 6007cad5ee65a188ea810b769dda1ba72110d51b
MD5 hash: 8d31b19c81964bbfe7c57a5884ace895
humanhash: louisiana-south-moon-earth
File name:download.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:162'304 bytes
First seen:2021-07-01 16:45:31 UTC
Last seen:2021-07-01 17:48:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:s3P1XoZYSOFi6qpESnOAzZfub63WXYmMcJC6Eh+BJVSM8c/j2:WXqFzZGb6GXY8n98cL
Threatray 29 similar samples on MalwareBazaar
TLSH EBF3AF82EB854D57E419B87642B3D64913E3CFB81E07B6072EC8ADBD60DD3D72E98046
Reporter James_inthe_box
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
download.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-01 16:47:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ce3a4249-78c8-429c-a2cb-99e56d0b045d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169202/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.29.32765.15425.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ed10c91-fbd1-4593-be1e-cf9c81394dd6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/810708
Signature
.NET source code references suspicious native API functions
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443119 Sample: download.exe Startdate: 01/07/2021 Architecture: WINDOWS Score: 56 19 .NET source code references suspicious native API functions 2->19 21 Machine Learning detection for sample 2->21 7 download.exe 4 2->7         started        process3 file4 17 C:\Users\user\AppData\...\download.exe.log, ASCII 7->17 dropped 23 Hides threads from debuggers 7->23 25 Contains functionality to hide a thread from the debugger 7->25 11 cmd.exe 1 7->11         started        signatures5 process6 process7 13 conhost.exe 11->13         started        15 timeout.exe 1 11->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54ff8bf201c18be4c5685d5e80669d1aa817063c9a4a10d6a880c460fd0adf93/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 16:45:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
18ec681c471f185edf3ab8e23b52b4ea2a87162f9957b4d5d10ac0e2bc008405
Neshta
1feda728feb0187e19e099ddfcb542c608b3ec67149592520c1515bc6d3ada03
Neshta
3643b3aebb0d514084a3f14314687e1fb437f8048fc0cca52de70e81cf4b0cc8
Neshta
50050452f22edd51ccd484e785ceabed4990fe67806c1c42fcd7cbe1ee40e779
Neshta
5fd7e3ad5c9088c5b2d86d5751ad2e727006ab32ad9345bf6101bba6610117ee
Neshta
8479820a0aa9a814e532b5b2f6e7e172f3d3dd9f651375b695c37ca75c84d946
Neshta
9e614b7116a337119dc6f8c32722859fc862f485bc0169c66ad958b63744ceaf
Neshta
9f988a3199e626f789a99578c1c69f0ccd3e13d7c0d1033c01270cabf7b61de4
Neshta
a940dd76428496c9d30336bab7130c072333f4482e2aadc30952d3e35a86400c
Neshta
e3e2eb5f82a7580c067c4e4c41edc947a978a9e74ecc39e875fc3093d2c3cb66
Neshta
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210701-tgqqwevmg2/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
2372420899c3ec1e1cbc54288538eaa05f39140aad4a173f67db4c1f9e7f0233
MD5 hash:
008bfebdf6256ad33feb401f677467f5
SHA1 hash:
8c3dd4bfcba66cfac57b00c739e792f0cf6a6b5b
Detections:
win_neshta_auto
Create hunting rule
Link:
https://www.unpac.me/results/835d1a8f-1415-4af5-9a3b-f338aebaa383/
SH256 hash:
54ff8bf201c18be4c5685d5e80669d1aa817063c9a4a10d6a880c460fd0adf93
MD5 hash:
8d31b19c81964bbfe7c57a5884ace895
SHA1 hash:
6007cad5ee65a188ea810b769dda1ba72110d51b
Link:
https://www.unpac.me/results/835d1a8f-1415-4af5-9a3b-f338aebaa383/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/54ff8bf201c18be4c5685d5e80669d1aa817063c9a4a10d6a880c460fd0adf93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/169202/

Comments