MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709
SHA3-384 hash: 0e0ee31276e7a6013e85ec120550abb04f98bdc3957bcfb8cdd3866624cbde5d383c8fd16e575b32c08c518002728037
SHA1 hash: 70a244d771d7cfa61b2fa3d2a0ac386ea2bf0393
MD5 hash: 781932d5e3cf1b9e902ee2ea8c48f572
humanhash: hot-solar-edward-echo
File name:781932d5e3cf1b9e902ee2ea8c48f572
Download: download sample
Signature Neshta
Create hunting rule
File size:240'040 bytes
First seen:2021-10-29 18:46:22 UTC
Last seen:2021-10-29 20:18:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:wBlL/c42BI/9n/DNlCeLwfyYMgKoul0D8nPEAq8G:Ce4X9/bCn0kul0D8nJq8G
Threatray 183 similar samples on MalwareBazaar
TLSH T1413412113AC142FBD8524BB12E37D3F4D3F296184132B7CBAB158F7B1A18BC2945A65B
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe Neshta

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
new order sheet 0016.xlsx
Verdict:
Malicious activity
Analysis date:
2021-10-29 17:10:05 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/27f74381-98f3-4ed2-b3d3-23036e90d586

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.1801.3829.3455.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f0dbf4c-80f3-495b-9d92-44d0c01b8ee5
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879564
Signature
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709/
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 18:47:04 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
16cb5498c592fb2a32fa882aa0996591f067d77c50eedf69cda4d04ef93cab83
Neshta
21260151f07549ff5e1dc07ca6281d3fa876483f1dd014afde823fa0a0e0a1a2
Neshta
44447e8ee66daa872048fcca50842694d35a78e77cf9d6ac8e8e4979958d46e7
Neshta
511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da
Neshta
6449b0b19510e8c167d7bbc8a8471f81deadda1730c5889147589db21f30cd76
Neshta
6abec81da375b886b6e0fe09360f68980fcc3f51f00dbcdaf3a7945420e73b57
Neshta
99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
Neshta
bd0eb6fff38b72907c56ad02467144b61744a7d24a054ce14eddf779854180ca
Neshta
+ 173 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/211029-xe7gxadhe9/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Reads user/profile data of web browsers
Detect Neshta Payload
Modifies system executable filetype association
Neshta
Unpacked files
SH256 hash:
afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709
MD5 hash:
781932d5e3cf1b9e902ee2ea8c48f572
SHA1 hash:
70a244d771d7cfa61b2fa3d2a0ac386ea2bf0393
Link:
https://www.unpac.me/results/e10c9a2e-f501-4b73-9e33-b651b759ec12/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/afbae06f0ec7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1727759/
  
URLhaus
https://urlhaus.abuse.ch/url/1727763/

Comments


Avatar
zbet commented on 2021-10-29 18:46:23 UTC

url : hxxp://198.23.212.136/0016/vbc.exe