MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0
SHA3-384 hash: 9e4f6196c36752c0bd33584ece1de80d5cbcc4103b01a5ceb3ed0d79304eaffc7a720f11c55cd389948b1bd696da652f
SHA1 hash: 7385b57e89da35b3aa2c3bbe26623c4179fc1abc
MD5 hash: 3fb887b5886aaf9b3b5103d868c56c84
humanhash: idaho-beer-solar-tennis
File name:3fb887b5886aaf9b3b5103d868c56c84
Download: download sample
Signature Neshta
Create hunting rule
File size:1'137'552 bytes
First seen:2021-06-10 16:12:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (251 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 24576:yBu2XV04jnHW8VwBYcOa3sM6zlYzLhQ0zJ68VQWWRWqMOoU:qu4jHmScOcsvWkq3+
Threatray 61 similar samples on MalwareBazaar
TLSH 7935CF12F9D184B2F0430972453AE73BBE35B7016925CE87E7D05D680AB6290EA3F79D
Reporter zbetcheckin
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://107.173.219.35/cd/svch.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-10 11:39:29 UTC
Tags:
installer
Link:
https://app.any.run/tasks/92b4782e-a5a1-4fa5-97b0-e465d4022048

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165920/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a file
Creating a window
Reading critical registry keys
Sending a UDP request
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Neshta
Create hunting rule
Detection:
malicious
Classification:
spre
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/800357
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 23:30:25 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
45 of 46 (97.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e
Neshta
33eaead056bc761caee6ebc9de4251e1488aaafc202d04c0d4863ad29f793ad8
Neshta
5493074b52dab5b859bb7bf54fdccf45ac005c3f9a2adafc52ac42891ca84793
Neshta
71de2b61471beff0873fb7ef010f79c8155013450784dd4a409dbb0ea90cb587
Neshta
94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc
Neshta
c1c24ae77d5605d4fa7c779ca4d720869a66bf3832bcca3c8bb4f3bf20b97575
Neshta
c714016a86e00deb18aa9c8a9f786b69e5bfcc2e341218d51946b722522cab37
Neshta
cd68f767521571e7cf8acfe5671f15ee164f5f0f075b32448ffddaddd5c6351e
Neshta
d0463bdb7762bbf95edd76625d958df8066f95b53d9e548da60c19c7438a05cf
Neshta
e7749ed05d9e095480dec62c2189564c1609d561668f81bef821ca2aaa1097e0
Neshta
+ 51 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210610-5pvdncq7t6/
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies system executable filetype association
Unpacked files
SH256 hash:
564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0
MD5 hash:
3fb887b5886aaf9b3b5103d868c56c84
SHA1 hash:
7385b57e89da35b3aa2c3bbe26623c4179fc1abc
Link:
https://www.unpac.me/results/b3f2cb53-e60a-480d-998b-37894b9f2da3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Neshta
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1101035/
  
URLhaus
https://urlhaus.abuse.ch/url/1339484/
  
URLhaus
https://urlhaus.abuse.ch/url/1349259/
Cape
Cape
https://www.capesandbox.com/analysis/165920/

Comments