MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
SHA3-384 hash:	8cd53c300ae4621eede3d52b41bbaadae50fd2f9177dd2f20c37ad5cb8b576a94b7fd4358c7de784cf0af5c5b8ef529a
SHA1 hash:	dd803910c9b65427bd658c859cc8b5a3bb5ffc2c
MD5 hash:	9b7c249034a5e5ab4f3cdd45c42bf65f
humanhash:	angel-india-social-white
File name:	krutilka.exe
Download:	download sample
Signature	Neshta Create hunting rule
File size:	290'816 bytes
First seen:	2023-05-13 22:52:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:IekEbFTBhqoJe4ixZVhXD7OsMq8Q2k9vlc0HvMziZ:IcBhqx4ixjhT8qj2k9i8vM2Z
TLSH	T19654CD1D1B62CE10D035732F2CA3D7A43D09BCFEA879AE669269C9375673470EE60943
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	JaffaCakes118
Tags:	Neshta

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

krutilka.exe

Verdict:

Malicious activity

Analysis date:

2023-05-13 23:55:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fb57a741-912e-4f7b-aa41-dbed2860b7e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Neshta

Link:

https://www.capesandbox.com/analysis/389103/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Creating a file in the Windows directory

Modifying an executable file

Creating a file in the Program Files subdirectories

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Searching for the window

Searching for the browser window

Creating a file in the Program Files directory

Unauthorized injection to a recently created process

Enabling autorun with the shell\open\command registry branches

Infecting executable files

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker comodo darkkomet packed

Link:

https://www.filescan.io/uploads/646014ecc71f37d4b4a27764/reports/c037e599-3104-4255-a765-75bc76d16b68/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ramnit

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c3598df4-dfef-4122-879d-cf417b087e4b

Result

Threat name:

Neshta, Ramnit, XWorm

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1232482

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with a suspicious file extension

Found malware configuration

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample is not signed and drops a device driver

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Neshta

Yara detected Ramnit

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117/

Threat name:

ByteCode-MSIL.Trojan.AsyncRAT

Status:

Malicious

First seen:

2023-05-09 11:13:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=maus427j2dk6l6bkgobojnu7zumtmk2mgcqyff4h37douvdcuelq._file

Result

Malware family:

ramnit

Score:

10/10

Tags:

family:neshta family:ramnit banker persistence spyware stealer trojan upx worm

Link:

https://tria.ge/reports/230513-2t2bnaca7t/

Behaviour

Creates scheduled task(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Reads user/profile data of web browsers

UPX packed file

Detect Neshta payload

Neshta

Ramnit

Unpacked files

SH256 hash:

876c5cea11bbbcbe4089a3d0e8f95244cf855d3668e9bf06a97d8e20c1ff237c

MD5 hash:

44e92c4b5f440b756f8fb0c9eeb460b2

SHA1 hash:

ed5bf6e6e4f2b71ba1e0f73381ee64155f9722c2

Link:

https://www.unpac.me/results/b35bd56e-4cf4-4a16-b005-6fdf36c02eff/

SH256 hash:

6057d87753daee3c71eb8c0d3cb8582ea88d6e56f02864019db9fd7af3fb4a9f

MD5 hash:

651defc532f0e72be60621696aa97972

SHA1 hash:

43176a96322202fc8fd8901c213fde820d005871

Detections:

win_ramnit_auto

win_ramnit_g1

Link:

https://www.unpac.me/results/b35bd56e-4cf4-4a16-b005-6fdf36c02eff/

Parent samples :

3aae149445e6ae7d5dff0a830abcd1bb26b868e4e7c8cf8bc625a9e46795d96b
4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224
712902f16ad8e9570dc1e25dba5f4219f3fdd497d727f08dd98f1c6baa78335b
21077824b7eea56bdfe182de863fe599286c70fd067744faf6fa850da7342db3
3eabf4e909e889bfcb994a36d041ced30c30a377a6a0d6057eda4b8f35f4ca0e
1d448335a3b897166b49488a43f72689a054cd464ad5b5b148d57454d0515f50
680e418e349d611812a6afd357c39fa4fe3baf32cd95012f9b0632a364f2f349
bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90
f158a9650580dcf9a875b153192a86e20798c7f01b4a458b668704661e2cc89c
b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
4e707c27c365409032b8081092276d83498149589fa42c52271febbc5682bc81
0df97a0e5fe6fa55e4e8d20b0478a80dfb6d080bca66e630e9f80ed4838facee
06f2fef10fedbb774853c71cc9c923cd56d49d6165a6476fa7e5445550b0a6dc
81b64a354103b21b8d7f2bebb62923b5c2bc4f7f9cba5197fc24b5d869c032be
33b4058adaed65e17b07ee1c11af2c1a53e65dbd98f86cdfc72d841529160c14
aa7c68bbb7a270aede803fb6d767aaec5794724cb2711a34c15eac54cfd9a88f
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3
493c63489f594c10e1f5aace2dd833f3fddaac2800d3603498d2b4abe4bd7e0c
f09ec41136e8e5e5076ca495192d9326e5581c748148fa877412d466db26112d
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52
973c7137d6a2921d75eb42cb09ef9270a60ca23f25457bb5803a604effd14eb4
93e0a3cbd07c8c1e99fea9e05a7a2bd7a312cf92d3b407be37db43774827ca09
876c5cea11bbbcbe4089a3d0e8f95244cf855d3668e9bf06a97d8e20c1ff237c
b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
87c160843bc0bdcd754a151c288f899763494385830016c299245f1fe9354b54
daa4efd6ea62d68ce47d73ee57d12cacb07d84ed87e7b4d680c20a715e29e519
ab41d83fb3c5aedecd6fbb3c54ce1c3a58d73d9969fc9c76d01c1c3f2b8c8cc2
f2574f6588e32a3d97988edb359a4f0a9a2df8f36caf8a0e2597d46bb2551985
482991b76849008ad700cf7e29ddd2b3d00d7d40d69377650154dca3adfde791
be4f04a6cb1df55610f461e3e05d81daebe75cbab021746e0cbf6b05389ff02b
ceeed21fc6b040b57c17d0b94c3af9597abde599a37192f40730656e48633b51
d0265e42d4f24fa518f631540cd3e29d9f1086448400de348c300c63bf6aa35f
8a9e221015ab7127c650f6fe81ef3e062ae7ebe00f88ba04717189099862c7d7
d0df8fac2089608a6b5dee7132981e88ab3b98178aff1d3fe7e003d388541e24
ee9378542050d13b1028b443f214d363dac7d11c1229e7e9054efde251d3e36b
c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e
90dd057ac1bdec6b27174681b857af28e2ddd05f84b7536eecd28cf6cc1a1189
cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f
08e00ccaa704c210e5841227e0db6b5c911ad675f3eaf48f5a629877c0ac3de1
250f05b7b22f886df69550d87c9f0139c0ddfb7dc85b6c6c7e12d1ae3b71d1e7
990357fe141b7e0ef376eb3d71279a6d160f8bbbd3e6d25e269c34af50e6ef04
4bb178da0a560d36af39e243dda93fe45446907a00009210abd6ba1a036a600c
2c3804853d63043067a602c9b5271831d7c8b7b9bc91e39a061e28135588b6b3

SH256 hash:

d5ece52a71f0de749b31eb99c506c8b9147f2b690b1f85a88c1ad0357540a6a9

MD5 hash:

b01db2780c5a1bbeb3b76e97eb5ea754

SHA1 hash:

c75b2d4e0c81fb42ccf8b6d7da6e3134b480c7dc

Detections:

win_neshta_auto

win_neshta_g0

Link:

https://www.unpac.me/results/b35bd56e-4cf4-4a16-b005-6fdf36c02eff/

Parent samples :

811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
4dcd84003dc7b4d627193ce18034c71a3ee35980495d755d9bcf80a672eb544e
2e5b9ebfb2b81c5e512248e2e9224d1054defc4b027c0108fc10d268312ce290
68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150
640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311
313cabf464e7edf69744f94c3ea234fbb5d7b99daf2aff5492131a4ca9d08e00
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718
a6077288d1353daaab0bf9092c357cd7f0712537def3ff3be60fa68da4e436ac

SH256 hash:

689c91e49a55cf066fbd7499fce797f2e8085bea8860937f27b718916fe6c6c0

MD5 hash:

4379f35f2ed9fa2192d0a416cf457cb6

SHA1 hash:

5fdd7b7f2648a5ac602a4438cad6f14c72a2809c

Link:

https://www.unpac.me/results/b35bd56e-4cf4-4a16-b005-6fdf36c02eff/

SH256 hash:

e9b89d91b5a306982074f720203ca9b116e34b7c6c7093aedba8640b79335355

MD5 hash:

dc0ade951718b83291957306bd09d9bb

SHA1 hash:

ce9dd18a0da9c8b4d01afbd5a9839fec82888b3f

Link:

https://www.unpac.me/results/b35bd56e-4cf4-4a16-b005-6fdf36c02eff/

SH256 hash:

60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117

MD5 hash:

9b7c249034a5e5ab4f3cdd45c42bf65f

SHA1 hash:

dd803910c9b65427bd658c859cc8b5a3bb5ffc2c

Link:

https://www.unpac.me/results/b35bd56e-4cf4-4a16-b005-6fdf36c02eff/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/389103/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample