MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6116018c9a9550c912fdd717f2f3e811339feb4149012f3a15d40a80a492ab8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	6116018c9a9550c912fdd717f2f3e811339feb4149012f3a15d40a80a492ab8e
SHA3-384 hash:	e0de79f6789e2a6ba3a131e3cee4c5a2004a85d330984dfa8282a2e8e89035fa59cb0e9034e3b26e3f2d85fea940c490
SHA1 hash:	315235f234b93804d7545503b43d42b081916b7d
MD5 hash:	b7cc341b80ad3809dac3df076458b677
humanhash:	juliet-sweet-hawaii-hamper
File name:	b7cc341b80ad3809dac3df076458b677.exe
Download:	download sample
Signature	Neshta Create hunting rule
File size:	423'212 bytes
First seen:	2021-07-30 06:14:04 UTC
Last seen:	2021-07-30 06:44:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	05152935bf9d81fb98052085f5eb7148 (2 x Neshta)
ssdeep	6144:SylU4mcDGCt5tZsO4sCz9Xbo0wJ9vhy35g64ER4BUYIngpDS2/0rE0N:ScvqCcxd9XboNQ35g64ER4+IS2+b
Threatray	93 similar samples on MalwareBazaar
TLSH	T11394F133F8E69033CDE819378AE4DA19567EDC50CE066D6F97CC932A0E384A17911D7A
Reporter	abuse_ch
Tags:	exe Neshta

Intelligence

File Origin

# of uploads :

# of downloads :

592

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b7cc341b80ad3809dac3df076458b677.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-30 06:17:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0cbd5629-65c9-4613-92a6-766f4effb6ab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175199/

Detection(s):

SecuriteInfo.com.Generic.Cryptor.X.219E2442.18912.4878.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Neshta

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/701f304b-d84a-4460-a30e-b8811fec7baa

Result

Threat name:

Neshta

Detection:

malicious

Classification:

spre.spyw

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/824314

Signature

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Generic Dropper

Yara detected Neshta

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6116018c9a9550c912fdd717f2f3e811339feb4149012f3a15d40a80a492ab8e/

Threat name:

Win32.Ransomware.Cryptor

Status:

Malicious

First seen:

2021-07-30 06:15:05 UTC

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=meladde2svimsex524l7f47icezz722bjeas6oqv2qfibjesvoha._file

Verdict:

malicious

Neshta

1aae387dce8782d2f58887aa73dd970e51656c72ada983fb040989656a6dc47e

Neshta

412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb

Neshta

a73f2d92c3d48bad18d6a33530cedee50fb1495030c752d406045c113eeabd0a

Neshta

b2ae47f62aa239fb6badfb8af83054c008e9c93d6fe1953732ec03029dc474ce

Neshta

b8ec3b964de755ffc8988a41f639284b39cd13ef066a6af135995a3045b2ca4e

Neshta

d021e872a4841ee35b654e3dfb946b8f880f3a598050bde20550899410456321

Neshta

e82473f02711056cbcda98d22a858d95c6cf574c17ee77ea62db86e405ff6e77

Neshta

fdec06df5406c4ce7396704a8160927a2bdceeac0bb111b702ec310498e9a5ba

Neshta

+ 83 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence spyware stealer

Link:

https://tria.ge/reports/210730-bjxpjch3ex/

Behaviour

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Modifies system executable filetype association

Unpacked files

SH256 hash:

0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

MD5 hash:

15d8ab38054a766318c235ee74ac10e8

SHA1 hash:

836c007d0760f9ba204f73553518004c2d7a6746

Detections:

win_neshta_auto

Link:

https://www.unpac.me/results/a29d1fd1-6c89-48a1-a010-fe1962cf9317/

Parent samples :

c991dbd92d2f3e6f3ff5d1de12016460a2cb557f7482d3322c7b495f0cbe9b89
6116018c9a9550c912fdd717f2f3e811339feb4149012f3a15d40a80a492ab8e
c5e477805f7686cbcef90f9ecaed8aa9a438bd1bac0842d3b11b6fe8bce76356

SH256 hash:

6116018c9a9550c912fdd717f2f3e811339feb4149012f3a15d40a80a492ab8e

MD5 hash:

b7cc341b80ad3809dac3df076458b677

SHA1 hash:

315235f234b93804d7545503b43d42b081916b7d

Link:

https://www.unpac.me/results/a29d1fd1-6c89-48a1-a010-fe1962cf9317/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6116018c9a9550c912fdd717f2f3e811339feb4149012f3a15d40a80a492ab8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	win_neshta_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator