MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb
SHA3-384 hash: 9ce573827be9baefb92a116b6b491e6593c0e316285c7e9f5ffd0b15c63e9d64f2806f08280ff7021efd8d36975deeba
SHA1 hash: d68079d495932ef242efc76e96fe6d75a1ab8dc0
MD5 hash: 5ecdf9607af624d3ec1ed2bc9f0e9146
humanhash: beer-queen-enemy-ten
File name:5ecdf9607af624d3ec1ed2bc9f0e9146.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:347'329 bytes
First seen:2021-10-07 09:00:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 6144:k9cJrv0zlkc8PbinRR2Nciu3WcHcdu9FYlIRVFAyC7RoCadesoWqJh8LxBs3T:1Jr85mPbWiu39uRIRcHFxxv1j
Threatray 9'991 similar samples on MalwareBazaar
TLSH T1A3741296FBE0C4B2E0211E74CD26D7B4E637BA2698141743EBB85D6EEC793C18E0C615
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5ecdf9607af624d3ec1ed2bc9f0e9146.exe
Verdict:
Malicious activity
Analysis date:
2021-10-07 09:03:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3cd3ba7d-edd8-47b0-b33b-e25150be752f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195735/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Windows directory
Creating a process from a recently created file
Modifying an executable file
Creating a file
Creating a window
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Infecting executable files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
neshta overlay packed
Link:
https://www.filescan.io/uploads/615eb754e3d213d202b9a0e6/reports/f6cabd2c-50cf-4e1a-9d9f-6f5bb9f66836/overview
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866298
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 498728 Sample: 8VNALsC90G.exe Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 10 other signatures 2->61 11 8VNALsC90G.exe 4 2->11         started        process3 file4 33 C:\Windows\svchost.com, PE32 11->33 dropped 35 C:\Users\user\AppData\Local\...\setup.exe, PE32 11->35 dropped 37 C:\Users\user\AppData\...\8VNALsC90G.exe, PE32 11->37 dropped 39 111 other malicious files 11->39 dropped 81 Creates an undocumented autostart registry key 11->81 83 Drops PE files with a suspicious file extension 11->83 85 Drops executable to a common third party application directory 11->85 87 Infects executable files (exe, dll, sys, html) 11->87 15 8VNALsC90G.exe 17 11->15         started        signatures5 process6 file7 41 C:\Users\user\AppData\Local\...\xkbzkendk.dll, PE32 15->41 dropped 49 Detected unpacking (changes PE section rights) 15->49 51 Tries to detect virtualization through RDTSC time measurements 15->51 53 Injects a PE file into a foreign processes 15->53 19 8VNALsC90G.exe 15->19         started        signatures8 process9 signatures10 63 Modifies the context of a thread in another process (thread injection) 19->63 65 Maps a DLL or memory area into another process 19->65 67 Sample uses process hollowing technique 19->67 69 Queues an APC in another process (thread injection) 19->69 22 explorer.exe 19->22 injected process11 dnsIp12 43 shops.myshopify.com 23.227.38.74, 49823, 80 CLOUDFLARENETUS Canada 22->43 45 www.110cy.top 156.241.132.45, 49824, 80 ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK Seychelles 22->45 47 4 other IPs or domains 22->47 71 System process connects to network (likely due to code injection or exploit) 22->71 26 colorcpl.exe 22->26         started        signatures13 process14 signatures15 73 Self deletion via cmd delete 26->73 75 Modifies the context of a thread in another process (thread injection) 26->75 77 Maps a DLL or memory area into another process 26->77 79 Tries to detect virtualization through RDTSC time measurements 26->79 29 cmd.exe 1 26->29         started        process16 process17 31 conhost.exe 29->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 14:04:21 UTC
AV detection:
28 of 28 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sndblppesxkmxp6qc6gg52sgqbgldgsepwy2q6a3wq6ftbqbfs5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
21350c749a15b06efda33cae533086eab02ef83685d539556407633676de94bb
Neshta
4217bf1cf710804c6b4a7b6a7d03974aaa655e512e3bf854c193feb7b2a8d422
Neshta
64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025
Neshta
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
Neshta
7a8cd0fb35936203195d49af3fec0140f45e8b8fb75df0203db6b914d4b8d192
Neshta
87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e
Neshta
9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490
Neshta
bf8bfab0557ff010ee03db046d493da9b0deeaa5e5fb55d9e5750f280a0289ac
Neshta
dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
Neshta
e6cde5c1b614549613d30761b34c899f4ff69d7e6e3147c21d68bedd64f8fe25
Neshta
+ 9'981 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:xloader campaign:p08r loader persistence rat spyware stealer
Link:
https://tria.ge/reports/211007-kyw43acdbp/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Modifies system executable filetype association
Neshta
Xloader
Malware Config
C2 Extraction:
http://www.puremicrodosing.com/p08r/
Unpacked files
SH256 hash:
934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb
MD5 hash:
5ecdf9607af624d3ec1ed2bc9f0e9146
SHA1 hash:
d68079d495932ef242efc76e96fe6d75a1ab8dc0
Link:
https://www.unpac.me/results/b790c92e-45c6-423f-ae1e-b406acfed701/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/934615bde495/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.59
Link:
https://yomi.yoroi.company/submissions/934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1655364/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1655453/
Cape
Cape
https://www.capesandbox.com/analysis/195735/

Comments