MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b3f2d209915f215a7a52f93f9103acdbb0c3164a43076656763e3384a50bdce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	5b3f2d209915f215a7a52f93f9103acdbb0c3164a43076656763e3384a50bdce
SHA3-384 hash:	f4683ccdd93145269a2bf4449b6a8640df0af4a57053a51bfc9209608455bfa133b8af24acc2bcb35affdffdfe818128
SHA1 hash:	ba660d35e0e7f9e0ab84cdb6d869463c5bc77c19
MD5 hash:	f201c71f9389d996a80ce65a17353cbb
humanhash:	alanine-nuts-ink-queen
File name:	ExpServer.exe
Download:	download sample
Signature	Neshta Create hunting rule
File size:	188'928 bytes
First seen:	2022-02-23 12:29:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep	1536:JxqjQ+P04wsmJCH/by0IVSsQp/rpv4oUx1DOOO39e0CIJtZo:sr85Czy0I7QBrpNUxVNotZo
Threatray	254 similar samples on MalwareBazaar
TLSH	T1B704AFB6B8D38431D0266779EC2593EAE12F39103F31D1BE764D2DCB9D392C69938846
Reporter	r3dbU7z
Tags:	exe Neshta

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Neshta

Link:

https://www.capesandbox.com/analysis/243715/

Detection(s):

Win.Trojan.Neshuta-1

PUA.Win.Packer.Pequake-4

Win.Virus.Neshta-7101689-0

Win.Trojan.Jadtre-5

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file in the Windows directory

Modifying an executable file

Creating a file in the Program Files subdirectories

Creating a service

Creating a file

Enabling autorun with the shell\open\command registry branches

Infecting executable files

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7114/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware neshta overlay shell32.dll

Link:

https://www.filescan.io/uploads/621628d3ac8ad0468b6b8d57/reports/c90f3a23-4fac-45be-8118-f43a66a1a6ac/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Neshta

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6a8cd973-598b-4679-8835-8299107431ac

Result

Threat name:

Neshta

Detection:

malicious

Classification:

spre.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/944768

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to detect sleep reduction / modifications

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Drops PE files with a suspicious file extension

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking mutex)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Neshta

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5b3f2d209915f215a7a52f93f9103acdbb0c3164a43076656763e3384a50bdce/

Threat name:

Win32.Virus.Neshta

Status:

Malicious

First seen:

2022-02-23 12:30:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 28 (100.00%)

Threat level:

5/5

Verdict:

malicious

Neshta

412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb

Neshta

451a12082a8324494c238427639638ede5fe7f25b9ab2f522aa6109254320807

Neshta

53125b8ade45028207dd476148af9011bb4db4aa4c6427ed8fa1d14f90bab2c4

Neshta

68bdf2747408e5f948696b4285faf5c9f87aea79272212d96895f1978201270f

Neshta

769e6e12a5443217fd8c5ce510846775b714eb221cc11974969b5ff7442b5484

Neshta

7d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2

Neshta

e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c

Neshta

+ 244 additional samples on MalwareBazaar

Result

Malware family:

neshta

Score:

10/10

Tags:

family:neshta persistence spyware stealer

Link:

https://tria.ge/reports/220223-ppkf5abddk/

Behaviour

Modifies registry class

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Modifies system executable filetype association

Neshta

Unpacked files

SH256 hash:

5b3f2d209915f215a7a52f93f9103acdbb0c3164a43076656763e3384a50bdce

MD5 hash:

f201c71f9389d996a80ce65a17353cbb

SHA1 hash:

ba660d35e0e7f9e0ab84cdb6d869463c5bc77c19

Detections:

win_neshta_auto

Link:

https://www.unpac.me/results/2d9c6d26-138f-47ff-b4e5-d7f1db42cec5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.44

Link:

https://yomi.yoroi.company/submissions/5b3f2d209915f215a7a52f93f9103acdbb0c3164a43076656763e3384a50bdce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess Create hunting rule
Author:	ditekSHen
Description:	Detects executables calling ClearMyTracksByProcess

Rule name:	MALWARE_Win_Neshta Create hunting rule
Author:	ditekSHen
Description:	Detects Neshta

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	MAL_Neshta_Generic_RID2DC9 Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	win_neshta_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

exe 5b3f2d209915f215a7a52f93f9103acdbb0c3164a43076656763e3384a50bdce

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/243715/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample