MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eae5f256537af00c1f53ee711d0bdd9ff1e9ccf771234f74c9fc58bfb63c8fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eae5f256537af00c1f53ee711d0bdd9ff1e9ccf771234f74c9fc58bfb63c8fa
SHA3-384 hash: d6bfb4964de3339755dca707dd3a68a7c3de8a768100b163bb05b53a34eb8ccce4a7daa7720206e502d669efadcb2bc1
SHA1 hash: 1b08c26e4ce976c8996eab6ffd4fe804aec450a8
MD5 hash: 5b49af016047721af7f57345d67e221e
humanhash: five-fix-berlin-earth
File name:6eae5f256537af00c1f53ee711d0bdd9ff1e9ccf771234f74c9fc58bfb63c8fa
Download: download sample
Signature Neshta
Create hunting rule
File size:553'472 bytes
First seen:2022-10-03 19:31:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 12288:/Lk70Tnvjcu/BhPdB2BhtaVBNeH6j+vMd2g3hk:zk70TrcUBhlB2GBNeH6GG2h
Threatray 1'102 similar samples on MalwareBazaar
TLSH T1B9C40220B1C1C173C872067888D9C7399A757531173A97C7B7E91BBA5F223E1663A2CE
TrID 92.2% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
1.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
0.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter petikvx
Tags:exe Neshta Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
560
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316225/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the Program Files subdirectories
Sending a custom TCP request
Creating a file in the Program Files directory
Using the Windows Management Instrumentation requests
Launching the process to change the firewall settings
Launching the process to change network settings
Searching for synchronization primitives
Launching a service
Enabling autorun with the shell\open\command registry branches
Deleting volume shadow copies
Blocking the Windows Defender launch
Enabling autorun for a service
Creating a file in the mass storage device
Infecting executable files
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/40918/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware neshta overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/633b38b4d5955f6f49d5d25f/reports/c387c045-3279-4604-8cf0-77d897d19ca7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9deed22d-36c3-42ae-8646-ba1dbae0b80d
Result
Threat name:
Neshta, RedLine, TrojanRansom, Voidcrypt
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082779
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Disables the windows firewall (over ALG)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Drops script or batch files to the startup folder
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Delete shadow copy via WMIC
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Neshta
Yara detected RansomwareGeneric
Yara detected RedLine Stealer
Yara detected TrojanRansom
Yara detected Voidcrypt Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715334 Sample: XeRMI8F3nJ.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 105 Malicious sample detected (through community Yara rule) 2->105 107 Antivirus detection for dropped file 2->107 109 Antivirus / Scanner detection for submitted sample 2->109 111 16 other signatures 2->111 8 XeRMI8F3nJ.exe 4 2->8         started        12 svchost.com 2->12         started        14 winlogon.exe 1 14 2->14         started        16 cmd.exe 2->16         started        process3 file4 81 C:\Windows\svchost.com, PE32 8->81 dropped 83 C:\Users\user\AppData\Local\...\DismHost.exe, PE32 8->83 dropped 85 C:\Users\user\AppData\Local\...\setup.exe, PE32 8->85 dropped 95 18 other malicious files 8->95 dropped 121 Creates an undocumented autostart registry key 8->121 123 Drops PE files with a suspicious file extension 8->123 125 Drops executable to a common third party application directory 8->125 18 XeRMI8F3nJ.exe 8 48 8->18         started        87 C:\ProgramData\Adobe\...\AdobeARMHelper.exe, PE32 12->87 dropped 89 C:\ProgramData\Adobe\...\AdobeARMHelper.exe, PE32 12->89 dropped 127 Multi AV Scanner detection for dropped file 12->127 129 Infects executable files (exe, dll, sys, html) 12->129 23 winlogon.exe 12->23         started        91 C:\Windows\SysWOW64\winlogon.exe, PE32 14->91 dropped 93 C:\Windows\SysWOW64\config\...\winlogon.exe, PE32 14->93 dropped 25 csc.exe 14->25         started        27 cmd.exe 14->27         started        29 conhost.exe 16->29         started        31 reg.exe 16->31         started        signatures5 process6 dnsIp7 97 application-api.xyz 94.242.61.186, 50458, 80 FISHNET-ASRU Russian Federation 18->97 71 C:\Windows\winlogon.exe, PE32 18->71 dropped 73 [GreenMonkey@onion...jpg.BlackBit (copy), DOS 18->73 dropped 75 C:\Users\user\Documents\RAYHIWGKDI.jpg, DOS 18->75 dropped 79 28 other malicious files 18->79 dropped 113 Multi AV Scanner detection for dropped file 18->113 115 Drops script or batch files to the startup folder 18->115 117 Performs DNS queries to domains with low reputation 18->117 119 8 other signatures 18->119 33 cmd.exe 1 18->33         started        36 cmd.exe 18->36         started        38 cmd.exe 18->38         started        48 7 other processes 18->48 77 C:\ProgramData\stb0m5uh.exe, PE32 25->77 dropped 40 conhost.exe 25->40         started        42 cvtres.exe 25->42         started        44 conhost.exe 27->44         started        46 schtasks.exe 27->46         started        file8 signatures9 process10 file11 99 Deletes shadow drive data (may be related to ransomware) 33->99 101 Uses schtasks.exe or at.exe to add and modify task schedules 33->101 103 Uses netsh to modify the Windows network and firewall settings 33->103 51 conhost.exe 33->51         started        53 schtasks.exe 1 33->53         started        55 conhost.exe 36->55         started        57 vssadmin.exe 36->57         started        65 2 other processes 38->65 69 C:\ProgramData\txkbh4ar.exe, PE32 48->69 dropped 59 conhost.exe 48->59         started        61 cvtres.exe 48->61         started        63 conhost.exe 48->63         started        67 7 other processes 48->67 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eae5f256537af00c1f53ee711d0bdd9ff1e9ccf771234f74c9fc58bfb63c8fa/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2022-09-29 12:27:03 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
37 of 39 (94.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2xf6jlfg6xqbqpvh3trduf53h7r5hgpo4jdj52mt7cyx63dzd5a._file
Verdict:
malicious
Similar samples:
0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e
Neshta
063817e1dd27051592df38b2bc5b1284d873f37d398b383a9ef5d1aa929ee887
Neshta
a70171a1bc2a7fba0f4dcc65d2f0458f4e08388fcea7fe880c26341dcaaed413
Neshta
cd6a8e6b17a1ecb5aafb24ef4f7ec0ba0be44508ea10dbde551e0037220571f8
Neshta
ce87832b753df5480849c61df4e05bfd2bfbd72af88ad52093a54555f3d96f0e
Neshta
fd8ecb99ecee0d54565a781a729ee7ad19203a5105820981d5e818c45d09f82f
Neshta
+ 1'092 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/221003-x8x6bscfd2/
Behaviour
Creates scheduled task(s)
Interacts with shadow copies
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops desktop.ini file(s)
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Windows Firewall
Modifies extensions of user files
Deletes shadow copies
Detect Neshta payload
Modifies Windows Defender Real-time Protection settings
Modifies system executable filetype association
Neshta
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/371b1cc8-e9ce-4e73-9d3c-680ea1f52619
Unpacked files
SH256 hash:
6eae5f256537af00c1f53ee711d0bdd9ff1e9ccf771234f74c9fc58bfb63c8fa
MD5 hash:
5b49af016047721af7f57345d67e221e
SHA1 hash:
1b08c26e4ce976c8996eab6ffd4fe804aec450a8
Detections:
win_neshta_g0
Create hunting rule
Link:
https://www.unpac.me/results/e7a9343d-0176-4b86-b385-3c69a73db538/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6eae5f256537/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eae5f256537af00c1f53ee711d0bdd9ff1e9ccf771234f74c9fc58bfb63c8fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316225/

Comments