MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83f6c309f411e1aebbdf75c62f67f163231f1b0ee065936230741272cda1cb9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 10

SHA256 hash: 83f6c309f411e1aebbdf75c62f67f163231f1b0ee065936230741272cda1cb9a
SHA3-384 hash: 0b701b6458dcc7915a914adca9840caed2c43fba1aaaf0ec74449bb5e876aa602639bd3b5eb09b5b4eaf9540c0604130
SHA1 hash: 0ebeee908c33b86e9259eb6302c69252d87cb059
MD5 hash: 6ae2ef57f43da55a7de23f317fa94bad
humanhash: beryllium-august-high-bluebird
File name: RFQ-20511-MACHINE QUOTATION.exe
Signature: Neshta
File size: 989'696 bytes
First seen: 2022-03-06 13:59:40 UTC
Last seen: 2022-03-06 15:35:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:k1huLhTOgPkH5gEdZv6+n/K+o4LTRUu3lBzELBoFoYfDBUNqtS5ClEYI:MuROgWHv6+k4BUYlsoziqiOa
Threatray: 325 similar samples on MalwareBazaar
TLSH: T10E25AE3D369617A6D17D4F3858A928FD0EB113B23F367F6A1D492EC14A237006712DEA
dhash icon: 851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter: GovCERT_CH
Tags: exe Neshta

Intelligence

File Origin
# of uploads: 2
# of downloads: 372
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware

Behaviour
Creating a window
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Adding an access-denied ACE
Searching for the browser window
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a file
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Detection: malicious
Classification: spre.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Sigma detected: Windows Shell File Write to Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Neshta
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 583903; sample RFQ-20511-MACHINE QUOTATION.exe; start date 06/03/2022; architecture WINDOWS; score 100)
Process tree and observations recovered from the graph:
RFQ-20511-MACHINE QUOTATION.exe (started): writes to foreign memory regions; injects a PE file into a foreign process
  -> schtasks.exe (started): drops C:\Windows\svchost.com, C:\Users\user\AppData\Local\...\setup.exe, C:\ProgramData\...\vcredist_x86.exe and 9 other malicious files; creates an undocumented autostart registry key; drops PE files with a suspicious file extension; drops executable to a common third party application directory; infects executable files (exe, dll, sys, html)
  -> chrome.exe (started): contacts 192.168.2.1 and 239.255.255.250
     -> chrome.exe (started): contacts global.px.quantserve.com (91.228.74.133, port 443), aragorn-prod-uk-lb.inbake.com (18.168.192.124, port 443) and 53 other IPs or domains
Top-level network: www.google.com, us-u.openx.net and 10 other IPs or domains
Top-level signatures: Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; Yara detected UAC Bypass using CMSTP; 10 other signatures
Threat name: ByteCode-MSIL.Virus.Neshta
Status: Malicious
First seen: 2022-03-06 14:00:23 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 21 of 27 (77.78%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:neshta persistence spyware
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies system executable filetype association
Neshta
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MAL_Neshta_Generic
Author: Florian Roth
Description: Detects Neshta malware
Reference: Internal Research

Rule name: MAL_Neshta_Generic_RID2DC9
Author: Florian Roth
Description: Detects Neshta malware
Reference: Internal Research

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_neshta_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam
Neshta
Executable exe 83f6c309f411e1aebbdf75c62f67f163231f1b0ee065936230741272cda1cb9a (this sample)
Delivery method: Distributed via e-mail attachment
