MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06
SHA3-384 hash: 3e9a6cecd118f704704c46e059910ee7ada0f5ff72ee019de41c79cc3ff3b349d5dd1c1f0fd17ee76b0fd8884b440d3e
SHA1 hash: c2abdfefadc76b9f78b500f5b3aba9321a5d42e1
MD5 hash: 8d97ea0aeb6dbb5bfe61a2a45809dd90
humanhash: five-kitten-monkey-echo
File name:8d97ea0aeb6dbb5bfe61a2a45809dd90
Download: download sample
Signature Neshta
Create hunting rule
File size:240'309 bytes
First seen:2021-10-29 18:56:36 UTC
Last seen:2021-10-29 20:18:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:wBlL/cwJvLdNnaLNu0ELLFUH50QsVMxi6KjwBsG14ugTqi77B:Ce0RNv0iZ80Qhxis14Jqi7l
Threatray 181 similar samples on MalwareBazaar
TLSH T1F1342329B9C24AF7F01715316E32BB72A3BB91203670B54B87640FF72E915C7B94825B
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe Neshta

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8d97ea0aeb6dbb5bfe61a2a45809dd90
Verdict:
Malicious activity
Analysis date:
2021-10-29 19:02:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/153e201e-40d5-425e-9f09-5a0681211e5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Packed2.43592.7495.24639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/750241f4-acd5-4a53-a14e-62558fcf92c1
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879559
Signature
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 09:31:00 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
16cb5498c592fb2a32fa882aa0996591f067d77c50eedf69cda4d04ef93cab83
Neshta
21260151f07549ff5e1dc07ca6281d3fa876483f1dd014afde823fa0a0e0a1a2
Neshta
511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da
Neshta
6449b0b19510e8c167d7bbc8a8471f81deadda1730c5889147589db21f30cd76
Neshta
6abec81da375b886b6e0fe09360f68980fcc3f51f00dbcdaf3a7945420e73b57
Neshta
99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
Neshta
afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709
Neshta
bd0eb6fff38b72907c56ad02467144b61744a7d24a054ce14eddf779854180ca
Neshta
+ 171 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/211029-xlxlaaafaj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Reads user/profile data of web browsers
Modifies system executable filetype association
Neshta
Unpacked files
SH256 hash:
8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06
MD5 hash:
8d97ea0aeb6dbb5bfe61a2a45809dd90
SHA1 hash:
c2abdfefadc76b9f78b500f5b3aba9321a5d42e1
Link:
https://www.unpac.me/results/d1e472e4-ed4c-4618-a18c-dc4e27e24950/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8397681fb127/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe 8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1727756/
  
URLhaus
https://urlhaus.abuse.ch/url/1729161/

Comments


Avatar
zbet commented on 2021-10-29 18:56:37 UTC

url : hxxp://192.227.228.38/0012/vbc.exe