MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
SHA3-384 hash: f50d915f9d236a61d7ae880cae49c062273e87ff10d0cf4a93b81278270cbc70d1114fdc4a3ebed693a8232c2dfd2330
SHA1 hash: 76b5d1eee342b47fe58e2136a067712cbd210351
MD5 hash: df330ab2a2e5aa4ac947315ee3f93992
humanhash: august-dakota-high-mississippi
File name:df330ab2a2e5aa4ac947315ee3f93992.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:235'529 bytes
First seen:2021-10-27 16:53:19 UTC
Last seen:2021-10-27 17:15:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:wBlL/c2HMSZ54elOp0S4jfEpGibIsdpwBQ:Ce2HMSZWeO0S4Mh0gS6
Threatray 185 similar samples on MalwareBazaar
TLSH T19C341276B1C004FBCA9B47B28E77A366C7ABA2AC1624084793C45FBF3C219C7551A1D3
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200661/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.1814.4923.9684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Deleting a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
nemesis overlay packed
Link:
https://www.filescan.io/uploads/6179842c9a5a1e91c5d7a4ea/reports/7530b650-9579-455b-8ec6-21a2bc298db5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98a75218-1ede-4272-9ecb-a1326f7b1138
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877960
Signature
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 15:58:17 UTC
AV detection:
10 of 27 (37.04%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
21260151f07549ff5e1dc07ca6281d3fa876483f1dd014afde823fa0a0e0a1a2
Neshta
511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da
Neshta
6449b0b19510e8c167d7bbc8a8471f81deadda1730c5889147589db21f30cd76
Neshta
6abec81da375b886b6e0fe09360f68980fcc3f51f00dbcdaf3a7945420e73b57
Neshta
a73f2d92c3d48bad18d6a33530cedee50fb1495030c752d406045c113eeabd0a
Neshta
b2ae47f62aa239fb6badfb8af83054c008e9c93d6fe1953732ec03029dc474ce
Neshta
bd0eb6fff38b72907c56ad02467144b61744a7d24a054ce14eddf779854180ca
Neshta
e1b0ef4dd27c829683569165d98c902a8ed2f2eaa95b1540c6430f5ea3be0b3f
Neshta
+ 175 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/211027-vejpqsfgc7/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Reads user/profile data of web browsers
Modifies system executable filetype association
Neshta
Unpacked files
SH256 hash:
99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
MD5 hash:
df330ab2a2e5aa4ac947315ee3f93992
SHA1 hash:
76b5d1eee342b47fe58e2136a067712cbd210351
Link:
https://www.unpac.me/results/d85fb514-285c-4cd4-b454-bd06a07ef28a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/99a897c5b8f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe 99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719908/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/200661/

Comments