MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Neshta


Vendor detections: 17



SHA256 hash: 68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f
SHA3-384 hash: 8b25ef391becc1a33c31ae69c534a3b7e75a7677772180c88549b7512876ac21dc369aa3085e68266ac63e6d8a046cbd
SHA1 hash: 154e852c206379e4a6a02d4981f2c4d8be1319c5
MD5 hash: 2f6f4f9674c6721b5ea8319ed90a8f20
humanhash: sierra-winner-paris-july
File name: Build.exe
Signature Neshta
File size: 841'216 bytes
First seen: 2024-07-02 04:49:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 12288:UpJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9j9DXMS9:QJ39LyjbJkQFMhmC+6GD9j1n9
TLSH T187057D22F6D18437D1321A3D9C5BB3A5982ABF512E38354A7BF91E4C9F3D68138252D3
TrID 44.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
30.2% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
17.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
3.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
dhash icon 41675d5161c5c460 (1 x Neshta)
Reporter lontze7
Tags: exe Neshta xred

Intelligence


File Origin
Number of uploads:
1
Number of downloads:
124
Origin country:
GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Verdict:
Malicious activity
Analysis date:
2024-07-02 05:29:45 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Encryption Generic Infostealer Network Spreading Static Stealth Trojan Neshta
Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a recently created file
Creating a file in the %AppData% directory
Creating a process with a hidden window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Creating a file in the Program Files subdirectories
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DBatLoader, Neshta
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses dynamic DNS services
Yara detected DBatLoader
Yara detected Neshta
Behaviour
Behavior Graph:
Behavior Graph ID: 1465839
Sample: Build.exe
Startdate: 02/07/2024
Architecture: WINDOWS
Score: 100
Network indicators at start: freedns.afraid.org; xred.mooo.com; 4 other IPs or domains
Signatures at start: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Uses dynamic DNS services (freedns.afraid.org); 9 other signatures
Processes started at start: Build.exe; EXCEL.EXE; svchost.com; 3 other processes
Process chain:
  Build.exe
    dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\Temp\chrome.exe (PE32); C:\Users\user\AppData\Local\...\Build.exe (PE32); 172 other malicious files
    signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS); 2 other signatures
    started: Build.exe (second instance)
      dropped: C:\Users\user\Desktop\._cache_Build.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCX78E4.tmp (PE32)
      started: Synaptics.exe; ._cache_Build.exe
        Synaptics.exe
          network: freedns.afraid.org 69.42.215.252, 49721, 80 AWKNET-LLCUS United States; xred.mooo.com; 2 other IPs or domains
          dropped: C:\Users\user\Documents\IPKGELNTQY\~$cache1 (PE32); C:\Users\user\AppData\Local\...\juAmr74o.exe (PE32); C:\Users\user\AppData\Local\...\RCX8113.tmp (PE32); C:\Users\user\AppData\Local\...\RCX8066.tmp (PE32)
          signatures: Drops PE files to the document folder of the user
          started: WerFault.exe
        ._cache_Build.exe
          dropped: C:\Users\user\AppData\Roaming\AdobeART.exe (PE32)
          signatures: Drops executables to the windows directory (C:\Windows) and starts them
          started: svchost.com
            dropped: C:\Windows\directx.sys (ASCII)
            signatures: Sample is not signed and drops a device driver
            started: AdobeART.exe
              network: 45.141.26.232, 1337, 49710, 49722 SPECTRAIPSpectraIPBVNL Netherlands
  EXCEL.EXE
    network: s-part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 50018, 50019 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
    started: splwow64.exe
  svchost.com
    started: Synaptics.exe
  3 other processes
    started: AdobeART.exe (3 instances)
Threat name:
Win32.Virus.Neshuta
Status:
Malicious
First seen:
2024-07-02 04:50:05 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:modiloader family:neshta persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Neshta
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
SHA256 hash:
81d622108a3bd126a2ac9f101dcb37bc160141585e3f9e1e1ab7905ee6bc5e07
MD5 hash:
0fd492912e95d20941f96a49d493da9c
SHA1 hash:
3336bf0f29bde762b36b876488ddf3c562174462
Detections:
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
SHA256 hash:
68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f
MD5 hash:
2f6f4f9674c6721b5ea8319ed90a8f20
SHA1 hash:
154e852c206379e4a6a02d4981f2c4d8be1319c5
Detections:
MAL_Malware_Imphash_Mar23_1 MAL_Neshta_Generic INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA mal_xred_backdoor
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Author:malware-lu
Rule name:D1S1Gv11betaD1N
Author:malware-lu
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MAL_Malware_Imphash_Mar23_1
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:MAL_Neshta_Generic
Author:Florian Roth (Nextron Systems)
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:NET
Author:malware-lu
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vbaproject_bin
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name:yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe 68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f

(this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  | Title                                                      | Severity
CHECK_AUTHENTICODE  | Missing Authenticode                                       | high
CHECK_NX            | Missing Non-Executable Memory Protection                   | critical
CHECK_PIE           | Missing Position-Independent Executable (PIE) Protection   | high
Reviews
ID                  | Capabilities                       | Evidence
MULTIMEDIA_API      | Can Play Multimedia                | gdi32.dll::StretchDIBits
SHELL_API           | Manipulates System Shell           | shell32.dll::ShellExecuteA
WIN32_PROCESS_API   | Can Create Process and Threads     | kernel32.dll::CloseHandle
WIN_BASE_API        | Uses Win Base API                  | kernel32.dll::GetDriveTypeA; kernel32.dll::GetStartupInfoA; kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API   | Can Execute other programs         | kernel32.dll::WinExec
WIN_BASE_IO_API     | Can Create Files                   | kernel32.dll::CreateDirectoryA; kernel32.dll::CreateFileA; kernel32.dll::DeleteFileA; kernel32.dll::GetWindowsDirectoryA; kernel32.dll::GetFileAttributesA; kernel32.dll::FindFirstFileA
WIN_REG_API         | Can Manipulate Windows Registry    | advapi32.dll::RegOpenKeyExA; advapi32.dll::RegQueryValueExA; advapi32.dll::RegSetValueExA

Comments