MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4
SHA3-384 hash:	7c40526f0b2640a0c47660c0b1220fbacd15463e484235ef592c743112ed5b16998d57a6af9d70d84dfc759baf501ea3
SHA1 hash:	c9661ff48f2eaa2718a46b23a70a02a8461715be
MD5 hash:	36ca5751b0b2d9321215f223a18aefbf
humanhash:	utah-undress-twenty-pip
File name:	36ca5751b0b2d9321215f223a18aefbf.exe
Download:	download sample
Signature	Neshta Create hunting rule
File size:	332'340 bytes
First seen:	2021-11-03 19:19:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep	6144:k9p1/VSGV0YGiZTkGpO1ttI0nv4DmW04tJgmYGGOqX8BlL/c0RU:kNSLY9TkAGI0MqezYOqGeh
Threatray	9'438 similar samples on MalwareBazaar
TLSH	T140640211B6E1C973C0251BB9DC2FAB74D2B9AD166831156333F02E6DEC797D3A90A04B
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe Neshta

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Inquiry docs_00345.xlsx

Verdict:

Malicious activity

Analysis date:

2021-11-03 19:24:22 UTC

Tags:

encrypted trojan opendir exploit CVE-2017-11882 loader formbook stealer

Link:

https://app.any.run/tasks/6b99fb74-951d-4608-822b-55c4af0bb58d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/202002/

Detection(s):

Win.Trojan.Neshuta-1

PUA.Win.Packer.Pequake-4

Win.Virus.Neshta-7101689-0

Win.Trojan.Jadtre-5

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file in the Windows directory

Creating a process from a recently created file

Modifying an executable file

Creating a file

Creating a window

Enabling autorun with the shell\open\command registry branches

Infecting executable files

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

neshta overlay packed

Link:

https://www.filescan.io/uploads/6182e0ea1c62c3566081828f/reports/027af9de-2ca4-400c-8325-123356bf73e7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/943cfefc-de5e-4f0e-a556-fbe4333d4de7

Result

Threat name:

FormBook Neshta

Detection:

malicious

Classification:

spre.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/882669

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Drops PE files with a suspicious file extension

Found malware configuration

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Yara detected Neshta

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4/

Threat name:

Win32.Virus.Neshta

Status:

Malicious

First seen:

2021-11-03 18:55:36 UTC

AV detection:

28 of 28 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mawegjwkbkqkab5raja5pwxd7w7po4c6cqrrxkc6qy2vpdh5wdka._file

Verdict:

malicious

Label(s):

formbook

Neshta

5264dba5e023d5b63d57197b4efc1d105083c9b4d84d754ea5a4d1f5823c9cb6

Neshta

5e39768c8fd6bb7644322000828b9bd1c34d25c3be1a9a712761ba834910fcf0

Neshta

5ee2ae88f934642edb29747732a0168ba8bcb981fcc6945a9a9a37b530ffb4b7

Neshta

64964b0f5fc8246845fa84482e015a5dbc465533e016c34eb015d29cfbda626b

Neshta

7d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2

Neshta

934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb

Neshta

d78094f3b6eac87e2d4249671bdc4e044afb31e2e78aac8f2db7186c6d5b6db1

Neshta

+ 9'428 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:neshta family:xloader campaign:ga6b loader persistence rat spyware stealer

Link:

https://tria.ge/reports/211103-x17pssbgan/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

NSIS installer

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Xloader Payload

Modifies system executable filetype association

Neshta

Xloader

Malware Config

C2 Extraction:

http://www.egyptian-museum.com/ga6b/

Unpacked files

SH256 hash:

602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

MD5 hash:

36ca5751b0b2d9321215f223a18aefbf

SHA1 hash:

c9661ff48f2eaa2718a46b23a70a02a8461715be

Link:

https://www.unpac.me/results/235e2c25-2a0f-4be9-8cba-3794b63064a7/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/602c4326ca0a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.59

Link:

https://yomi.yoroi.company/submissions/602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Neshta Create hunting rule
Author:	ditekSHen
Description:	Detects Neshta

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	MAL_Neshta_Generic_RID2DC9 Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

exe 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

(this sample)

Cape

https://www.capesandbox.com/analysis/202002/

URLhaus

https://urlhaus.abuse.ch/url/1722925/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample