MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b54934cb8e1ff68d2c4306e5a6eb0f9e649ad1680960253c0cfa0c35a6c4d313. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b54934cb8e1ff68d2c4306e5a6eb0f9e649ad1680960253c0cfa0c35a6c4d313
SHA3-384 hash: 55b56d0a2bf689f02bd1beba2daf731b2e7d8eef167e69212c4bb5623a84a62d59119bcd4ea02cdd08aeab216b5d043a
SHA1 hash: ebc2a18781d087ed9fd7e43467f0da354c17d8c3
MD5 hash: 5c777e4901a8f4175342bca7978ee3d5
humanhash: utah-friend-earth-july
File name:PO#7A68D20.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:787'456 bytes
First seen:2020-07-09 04:21:50 UTC
Last seen:2020-07-09 05:02:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:0jD/sL8XVKChu+QsyyqxLTESRJIOgGUfRBw+7hb7/Jo5:ojswXVKChu+QsyyqxLwSwIUfRBt7hxo5
Threatray 1'079 similar samples on MalwareBazaar
TLSH 84F4F13573A09D06C73E4F3AD9B150004FB1ED6B5A17F38B6EC42AEE589BB494902B17
Reporter cocaman
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23373/
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.ENWJ.14289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b54934cb8e1ff68d2c4306e5a6eb0f9e649ad1680960253c0cfa0c35a6c4d313/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 04:12:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wvetjs4od73i2lcda3s2n2yptzsjvulibfqckpam7igdljwe2mjq._file
Verdict:
malicious
Similar samples:
118526be5d5274a41815a7eca29e751da7378908acea6bb29dcf21460a74c5e1
Neshta
2e6c9cf68a8bcca1eb368038a06f47566eb7fd3eb6ea6919bcbd293dbadf1e11
Neshta
306f60a415f3935c8eb3e3d13fa6957f8ab8161e0818fc93850d54f0f69d0b3f
Neshta
3e5ee9e4d00a17bd606a38740500770ddc552e664e3b02770d9897b3ba4423b3
Neshta
6969a5c42b29f9bcb30766e666b617523fe8515b71affd16bfc0874f75c660c2
Neshta
6fa490f0cd759d3f124106c12c8136d6eb4546964eeadf613d4c56b88ff6cd62
Neshta
943cfd0d793dc383dfa4672bf1d2b6b67d4e4dd75b3de9fefcbbdf1f33027f8c
Neshta
a2a8e595abb9d14bf0a84f49b0f81725925b19f14f0b06da5ab01b6eb4b9e7e9
Neshta
bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57
Neshta
d3585150a0d7118b7d4dd19bb781d4eee5887fa56bdd61a337181a9ff24f023f
Neshta
+ 1'069 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200709-5xnyftkdre/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies registry class
Drops file in Program Files directory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Loads dropped DLL
Reads user/profile data of web browsers
Modifies system executable filetype association
Modifies system executable filetype association
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_neshta_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_neshta_g0
Create hunting rule
Author:gpalazolo
Description:This rule identifies Neshta Malware.
Reference:https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

zip 2f6ab8e020a5d8bec45b8b0968c38a145c78d4165a115f41f6c295c2bd5845a8

Neshta

Executable exe b54934cb8e1ff68d2c4306e5a6eb0f9e649ad1680960253c0cfa0c35a6c4d313

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 2f6ab8e020a5d8bec45b8b0968c38a145c78d4165a115f41f6c295c2bd5845a8
Cape
Cape
https://www.capesandbox.com/analysis/23373/

Comments