MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2
SHA3-384 hash: a9caf63addce2804942b69bf9963321f2f4c67573b66fe5beaf88886b6dce8c783969ccf8887831f84065591112e578e
SHA1 hash: 81ad9e9a3d24242fa7619ad23bb6eed117672a3d
MD5 hash: da7b4c213039524dd2cd661cb20e62ae
humanhash: south-mountain-massachusetts-sixteen
File name:da7b4c213039524dd2cd661cb20e62ae
Download: download sample
Signature Neshta
Create hunting rule
File size:613'376 bytes
First seen:2021-10-14 11:22:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 12288:QLWnrFLtuNqdc9aK/EJRyFSBlQpFotwgNvVS:UUNtxdo7GBlLttk
Threatray 10'592 similar samples on MalwareBazaar
TLSH T188D4DF1233498272E57B0FB8A023A31943B5BE256EB1DB7D29D13ACF6F37B805214597
File icon (PE):PE icon
dhash icon 71f0e0d8d0e0f0f0 (1 x Neshta)
Reporter zbetcheckin
Tags:32 exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
da7b4c213039524dd2cd661cb20e62ae
Verdict:
Malicious activity
Analysis date:
2021-10-14 11:29:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/62329faf-9e89-41a9-99dd-af0ecb20a2ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197524/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Windows directory
Creating a process from a recently created file
Modifying an executable file
Creating a window
Creating a file
Launching a process
Delayed writing of the file
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
neshta overlay packed
Link:
https://www.filescan.io/uploads/61681318fd35fe780c3fd944/reports/6baf683d-db90-47e9-8d35-dac159fadcc8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79101a3f-6595-4d9d-9cdf-08fbb4c13902
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870442
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 502879 Sample: wSH33iCtx0 Startdate: 14/10/2021 Architecture: WINDOWS Score: 100 41 www.whiskeyridgebeef.net 2->41 43 www.techno-delights.com 2->43 45 2 other IPs or domains 2->45 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for dropped file 2->55 57 11 other signatures 2->57 11 wSH33iCtx0.exe 4 2->11         started        signatures3 process4 file5 31 C:\Windows\svchost.com, PE32 11->31 dropped 33 C:\Users\user\AppData\Local\...\setup.exe, PE32 11->33 dropped 35 C:\Users\user\AppData\...\wSH33iCtx0.exe, PE32 11->35 dropped 37 38 other malicious files 11->37 dropped 75 Creates an undocumented autostart registry key 11->75 77 Drops PE files with a suspicious file extension 11->77 79 Drops executable to a common third party application directory 11->79 81 Infects executable files (exe, dll, sys, html) 11->81 15 wSH33iCtx0.exe 3 11->15         started        signatures6 process7 file8 39 C:\Users\user\AppData\...\wSH33iCtx0.exe.log, ASCII 15->39 dropped 47 Tries to detect virtualization through RDTSC time measurements 15->47 49 Injects a PE file into a foreign processes 15->49 19 wSH33iCtx0.exe 15->19         started        signatures9 process10 signatures11 59 Modifies the context of a thread in another process (thread injection) 19->59 61 Maps a DLL or memory area into another process 19->61 63 Sample uses process hollowing technique 19->63 65 Queues an APC in another process (thread injection) 19->65 22 help.exe 19->22         started        25 explorer.exe 19->25 injected process12 signatures13 67 Self deletion via cmd delete 22->67 69 Modifies the context of a thread in another process (thread injection) 22->69 71 Maps a DLL or memory area into another process 22->71 73 Tries to detect virtualization through RDTSC time measurements 22->73 27 cmd.exe 1 22->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-10-14 11:23:05 UTC
AV detection:
28 of 28 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwnhybvnnppuwwgtewiavfaphp4dbbrnccgiz5mnhv3zqk4h7dba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
092be1f456b0c24d932d6c4e4c44cfd0c9abc6c0418bf1567e67826cb51aef14
Neshta
16129df384053888782272720ec796ed1e0947d6122bd32823b3ccd03e892664
Neshta
4bb96dffcc0b4cba1f4ee2ed04e32d724e486c88b0e8492b3e5efb1ec0928c0e
Neshta
7a8cd0fb35936203195d49af3fec0140f45e8b8fb75df0203db6b914d4b8d192
Neshta
934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb
Neshta
a1b6ca8644c7908a5ee930558144d794e25a5a6a0bea0637396caa161ea04475
Neshta
b241d39387ebd04a46935432e7abb733d850aa1bbbd4ca686539821f41772e05
Neshta
b499be4b6955eebcf4228039f67a65a38b322f0ca1d58d8071de9a428ced8720
Neshta
dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
Neshta
+ 10'582 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:xloader campaign:bntn loader persistence rat spyware stealer
Link:
https://tria.ge/reports/211014-ng5lnahab5/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Modifies system executable filetype association
Neshta
Xloader
Malware Config
C2 Extraction:
http://www.forex-fm.online/bntn/
Unpacked files
SH256 hash:
7d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2
MD5 hash:
da7b4c213039524dd2cd661cb20e62ae
SHA1 hash:
81ad9e9a3d24242fa7619ad23bb6eed117672a3d
Link:
https://www.unpac.me/results/c2c0e2f9-aeeb-499b-879a-364f6144d86b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7d9a7c06ad6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Neshta
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe 7d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1677137/
Cape
Cape
https://www.capesandbox.com/analysis/197524/

Comments


Avatar
zbet commented on 2021-10-14 11:22:33 UTC

url : hxxp://103.155.82.159/009009/vbc.exe