MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217
SHA3-384 hash: ac297d285bd253f7baec9aa846ad990fe47249445b23a98e9890abfb0222c9de80c4498ad371d5d1909f738bd0511567
SHA1 hash: a0d8b919d49d820b506864493b82fa78228afc3f
MD5 hash: 3db3ee8509e8ce9c12936a1d5b82cca1
humanhash: steak-arkansas-jupiter-kansas
File name:Cyborg ransomware Builder v2.1.bin
Download: download sample
Signature Neshta
Create hunting rule
File size:718'533 bytes
First seen:2023-03-11 04:16:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:dqb8G7YdpkqP9MVLwGM8AMFt35+H16qtVLB/UEtWWIIk9O6dWuhDqWU/PuU6yy8O:dLrPRGM/gt350VVUNlhdWsqW8Piyy805
Threatray 7 similar samples on MalwareBazaar
TLSH T1D1E4E12E3A408F11DA5A2432C0DF422813F0AC936AF2E75EBD99375D0946397BC5ADDD
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0f2e3e38383a2a1 (6 x Cyborg, 2 x RedLineStealer, 1 x Yatron)
Reporter petikvx
Tags:Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ramnit
Create hunting rule
ID:
1
File name:
Cyborg.rar
Verdict:
Malicious activity
Analysis date:
2022-08-31 06:27:25 UTC
Tags:
trojan ramnit
Link:
https://app.any.run/tasks/c8160e1f-a14b-4e6c-87b5-8d7b5a63289a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/373478/
Detection(s):
SecuriteInfo.com.Heur.Ransom.RTH.1.18877.27532.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Changing a file
Reading critical registry keys
Modifying an executable file
Creating a file in the Windows directory
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Launching a process
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a recently created file
Creating a file in the mass storage device
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun with the shell\open\command registry branches
Enabling threat expansion on mass storage devices
Encrypting user's files
Infecting executable files
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd.exe cyborg filecoder fuerboos obfuscated overlay packed
Link:
https://www.filescan.io/uploads/640c00bfb65c45d06f737d9d/reports/bc98d8b2-86b8-4b89-9979-6e1b56b201f9/overview
Verdict:
Malicious
Labled as:
Ransom.RTH.Generic
Link:
https://www.hybrid-analysis.com/sample/b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Cyborg Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9999bc7-7ecb-413c-825c-6f3a9c56e1f1
Result
Threat name:
Cyborg Builder, Neshta, Ramnit
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1191579
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Creates autorun.inf (USB autostart)
Creates files in the recycle bin to hide itself
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Yara detected Cyborg Builder Ransomware
Yara detected Neshta
Yara detected Ramnit
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 824455 Sample: Cyborg_ransomware_Builder_v... Startdate: 11/03/2023 Architecture: WINDOWS Score: 100 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for dropped file 2->98 100 Antivirus / Scanner detection for submitted sample 2->100 102 7 other signatures 2->102 11 Cyborg_ransomware_Builder_v2.1.bin.exe 2 16 2->11         started        15 svchost.com 2->15         started        17 svchost.com 2->17         started        process3 file4 84 C:\bot.exe, PE32 11->84 dropped 86 C:\Users\user\AppData\Local\Tempspwak.exe, PE32 11->86 dropped 88 C:\Users\user\AppData\...\Tempexplorer.exe, PE32 11->88 dropped 90 5 other malicious files 11->90 dropped 122 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->122 124 Creates autorun.inf (USB autostart) 11->124 126 Modifies existing user documents (likely ransomware behavior) 11->126 19 Tempexplorer.exe 4 11->19         started        23 Tempspwak.exe 4 11->23         started        25 Cyborg_ransomware_Builder_v2.1.bin.exe 15->25         started        27 Cyborg_ransomware_Builder_v2.1.bin.exe 17->27         started        signatures5 process6 file7 60 C:\Windows\svchost.com, PE32 19->60 dropped 62 C:\Users\user\AppData\...\Tempexplorer.exe, PE32 19->62 dropped 64 C:\ProgramData\...\vcredist_x86.exe, PE32 19->64 dropped 66 9 other malicious files 19->66 dropped 104 Multi AV Scanner detection for dropped file 19->104 106 Creates an undocumented autostart registry key 19->106 108 Drops PE files with a suspicious file extension 19->108 110 2 other signatures 19->110 29 Tempexplorer.exe 3 5 19->29         started        34 wscript.exe 146 13 23->34         started        signatures8 process9 dnsIp10 94 192.168.2.1 unknown unknown 29->94 92 C:\Users\user\AppData\...\TempexplorerSrv.exe, PE32 29->92 dropped 128 Multi AV Scanner detection for dropped file 29->128 130 Drops executables to the windows directory (C:\Windows) and starts them 29->130 36 svchost.com 29->36         started        40 TempexplorerSrv.exe 4 29->40         started        file11 signatures12 process13 file14 68 C:\Windows\directx.sys, ASCII 36->68 dropped 112 Multi AV Scanner detection for dropped file 36->112 114 Sample is not signed and drops a device driver 36->114 42 wscript.exe 36->42         started        70 C:\Users\user\...\TempexplorerSrvSrv.exe, PE32 40->70 dropped 72 C:\Program Files (x86)\...\DesktopLayer.exe, PE32 40->72 dropped 116 Found evasive API chain (may stop execution after checking mutex) 40->116 46 TempexplorerSrvSrv.exe 40->46         started        48 DesktopLayer.exe 40->48         started        signatures15 process16 file17 74 setup.exe.Cyborg B... Builder Ransomware, Unicode 42->74 dropped 76 setup.exe.Cyborg B... Builder Ransomware, Unicode 42->76 dropped 78 setup.exe.Cyborg B... Builder Ransomware, Unicode 42->78 dropped 82 6 other malicious files 42->82 dropped 118 Creates files in the recycle bin to hide itself 42->118 120 Multi AV Scanner detection for dropped file 46->120 50 iexplore.exe 46->50         started        80 C:\...\DesktopLayerSrv.exe, PE32 48->80 dropped 52 DesktopLayerSrv.exe 48->52         started        54 iexplore.exe 48->54         started        signatures18 process19 process20 56 iexplore.exe 50->56         started        58 iexplore.exe 52->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-08-31 09:45:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
29 of 39 (74.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwvb7i4utow5lgz4djxvva4mr2w7mooedgnxeoaxt4g6kerygilq._file
Verdict:
malicious
Similar samples:
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52
Neshta
493c63489f594c10e1f5aace2dd833f3fddaac2800d3603498d2b4abe4bd7e0c
Neshta
93e0a3cbd07c8c1e99fea9e05a7a2bd7a312cf92d3b407be37db43774827ca09
Neshta
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3
Neshta
f09ec41136e8e5e5076ca495192d9326e5581c748148fa877412d466db26112d
Neshta
Result
Malware family:
ramnit
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:ramnit banker persistence ransomware spyware stealer trojan upx worm
Link:
https://tria.ge/reports/230311-ewc1hsac2w/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
UPX packed file
Modifies extensions of user files
Detect Neshta payload
Neshta
Ramnit
Unpacked files
SH256 hash:
c6a8e06a283e412c7d425a6785e8a6e795f26ec9d0c6540c3eaad38a26582059
MD5 hash:
bae9769fbff973228d21c7b37a50ee77
SHA1 hash:
d336e83505e37f9d7b86dd1eaa12018b1042262f
Detections:
win_koadic_auto
Create hunting rule
Link:
https://www.unpac.me/results/fc4b308b-b5dd-48fb-b618-051a339fa4b5/
SH256 hash:
6057d87753daee3c71eb8c0d3cb8582ea88d6e56f02864019db9fd7af3fb4a9f
MD5 hash:
651defc532f0e72be60621696aa97972
SHA1 hash:
43176a96322202fc8fd8901c213fde820d005871
Detections:
win_ramnit_auto
Create hunting rule
win_ramnit_g1
Create hunting rule
Link:
https://www.unpac.me/results/fc4b308b-b5dd-48fb-b618-051a339fa4b5/
Parent samples :
3aae149445e6ae7d5dff0a830abcd1bb26b868e4e7c8cf8bc625a9e46795d96b
4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224
712902f16ad8e9570dc1e25dba5f4219f3fdd497d727f08dd98f1c6baa78335b
21077824b7eea56bdfe182de863fe599286c70fd067744faf6fa850da7342db3
3eabf4e909e889bfcb994a36d041ced30c30a377a6a0d6057eda4b8f35f4ca0e
1d448335a3b897166b49488a43f72689a054cd464ad5b5b148d57454d0515f50
680e418e349d611812a6afd357c39fa4fe3baf32cd95012f9b0632a364f2f349
bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90
f158a9650580dcf9a875b153192a86e20798c7f01b4a458b668704661e2cc89c
b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
4e707c27c365409032b8081092276d83498149589fa42c52271febbc5682bc81
0df97a0e5fe6fa55e4e8d20b0478a80dfb6d080bca66e630e9f80ed4838facee
06f2fef10fedbb774853c71cc9c923cd56d49d6165a6476fa7e5445550b0a6dc
81b64a354103b21b8d7f2bebb62923b5c2bc4f7f9cba5197fc24b5d869c032be
33b4058adaed65e17b07ee1c11af2c1a53e65dbd98f86cdfc72d841529160c14
aa7c68bbb7a270aede803fb6d767aaec5794724cb2711a34c15eac54cfd9a88f
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3
493c63489f594c10e1f5aace2dd833f3fddaac2800d3603498d2b4abe4bd7e0c
f09ec41136e8e5e5076ca495192d9326e5581c748148fa877412d466db26112d
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52
973c7137d6a2921d75eb42cb09ef9270a60ca23f25457bb5803a604effd14eb4
93e0a3cbd07c8c1e99fea9e05a7a2bd7a312cf92d3b407be37db43774827ca09
876c5cea11bbbcbe4089a3d0e8f95244cf855d3668e9bf06a97d8e20c1ff237c
b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
87c160843bc0bdcd754a151c288f899763494385830016c299245f1fe9354b54
daa4efd6ea62d68ce47d73ee57d12cacb07d84ed87e7b4d680c20a715e29e519
ab41d83fb3c5aedecd6fbb3c54ce1c3a58d73d9969fc9c76d01c1c3f2b8c8cc2
f2574f6588e32a3d97988edb359a4f0a9a2df8f36caf8a0e2597d46bb2551985
482991b76849008ad700cf7e29ddd2b3d00d7d40d69377650154dca3adfde791
be4f04a6cb1df55610f461e3e05d81daebe75cbab021746e0cbf6b05389ff02b
ceeed21fc6b040b57c17d0b94c3af9597abde599a37192f40730656e48633b51
d0265e42d4f24fa518f631540cd3e29d9f1086448400de348c300c63bf6aa35f
8a9e221015ab7127c650f6fe81ef3e062ae7ebe00f88ba04717189099862c7d7
d0df8fac2089608a6b5dee7132981e88ab3b98178aff1d3fe7e003d388541e24
ee9378542050d13b1028b443f214d363dac7d11c1229e7e9054efde251d3e36b
c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e
90dd057ac1bdec6b27174681b857af28e2ddd05f84b7536eecd28cf6cc1a1189
cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f
08e00ccaa704c210e5841227e0db6b5c911ad675f3eaf48f5a629877c0ac3de1
250f05b7b22f886df69550d87c9f0139c0ddfb7dc85b6c6c7e12d1ae3b71d1e7
990357fe141b7e0ef376eb3d71279a6d160f8bbbd3e6d25e269c34af50e6ef04
4bb178da0a560d36af39e243dda93fe45446907a00009210abd6ba1a036a600c
2c3804853d63043067a602c9b5271831d7c8b7b9bc91e39a061e28135588b6b3
SH256 hash:
c1d1301b2678d1cc83aa2adfb84fde62dcdd5f2faf1284e5ee137a0eb254c0b8
MD5 hash:
535d252e9846d9c5d737b194321d0981
SHA1 hash:
b6000f14caadd360af8040762361267098a30697
Link:
https://www.unpac.me/results/fc4b308b-b5dd-48fb-b618-051a339fa4b5/
SH256 hash:
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
MD5 hash:
36fd5e09c417c767a952b4609d73a54b
SHA1 hash:
299399c5a2403080a5bf67fb46faec210025b36d
Detections:
win_neshta_auto
Create hunting rule
win_neshta_g0
Create hunting rule
Link:
https://www.unpac.me/results/fc4b308b-b5dd-48fb-b618-051a339fa4b5/
Parent samples :
6f7a133591129c585c8f2e64f359c6b19158e1772c7ce2a8e49b4ebe672a86cb
6c698bf3490ab6453d37400d05324e2186754ec6b22d7a62fa424d5793599d4b
ac9a8babed0c6938fc6a4218376339223faad8ce24cb38497b6377664867b2a0
d5e739d5b929d725d105c7f3f86cc7fb6466a909d44dabfcec4cece348f985c4
a39d375b4498174ca49f07d6bc5a152d34bbb3b7681b209125f2a1c7a8b01185
29fcb7e81428cb4cd932ccaf2ed0f61ef9d47853605c153a6de503d54009f11a
19a595917039b249ebebe0e98a532a61585b0a4189bdb44a28c73523feed14da
6ffd13100e26b005774349e84e514bc84391682d9a20e1a46862a3e7599bad7a
4b9c39b0624ed5da7d8ffeb5b8de89562a0ba2db40e4899160fdd1e51efa63ea
9ba99db4c643c7b335b73fd5c52062f25f1699cda426b09710db4e0337360e97
563d0226f3ff043014f86d780778fc6bbae2193e46137271d586ca3d83da34af
b4e70946128b7c45e4e6404714ca40df679ed0b6ac5157533c953196d96daa41
cc29d221864706dcc32aff35a4a7a246c310aa7fd8fd4cb254ad36fb415fe3ff
e82473f02711056cbcda98d22a858d95c6cf574c17ee77ea62db86e405ff6e77
3ba615a4d99b560c58bed9e63c8ecd2c20dbc71560ec1fe51ca2b78a6b8309e6
1aae387dce8782d2f58887aa73dd970e51656c72ada983fb040989656a6dc47e
a89bc5bfb93026e56434c1354508dfa0a66821d35f522429582067fc7f9200cc
e1b0ef4dd27c829683569165d98c902a8ed2f2eaa95b1540c6430f5ea3be0b3f
de544199796705d18dad9dcf238c7c96de3fc8c793057cad94e319527af9c7bd
b8344e9c1ee03f949c70959828a08e1f73f198d58e6721b95676d54a7e6cb6be
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
ab9f07758d73614eb4b307ffe5f88e28c62ffdb94a011874dcc2e992fd0e2ca0
5597878b9d511ad8a3e93423174ce90b689523fb00912e93bc704db788539ec8
0fb3c7511c6494252676592eea6db4da4bc89977c066a5e4f7ea599c3c9ad8d5
42b3efec41088a0afd2cc17e038169dd572baa116aa734a427012d39917f4107
b0bd95ea0aa5de9849e555fc8a62f51e1406c6b4dc890ce9a63c9807184d9f0b
d02c7e238675ed340d700e865360567a92cece2754486e033a7957f7f0b33a22
d48ba61686bed9bcd76c92cca9e720d9afd6695b4ac2e62b5772af8367fff20f
4547a55c5799f4434e76b02424f0b4af53ddcf29969771247b75fcf8e90575c2
3597bda69b3968446d1b4be9472f97f89c0243f129fa2a98cbd5683d4002197d
2a0d6ebfcca611f4249d12ea9fbf3b8bf44729d9db9ecfd0f43c72946febca24
36755da9fd84d9bd9f02f1c36bdfd5d1ba1fd28c748e337b7abc30421fd44fb4
b50f7c365160c6134ce71e97e646d8245761687aa431a31a12423daf6cf33012
889c2ec3e88c2a47de4bcc6d88cb74d21a01088330fb240788c81968ba16155b
909ce4ede18938d21f1c4477be2798c4d985fb045ca3be6201f01d43dc2ca6f2
a5b2cf3be1088ad8088d4ef2919e5fe672ce85b89c7c94f17b0fe2240836aec8
abbda703c3fba08e50f339b1b449ec85382c224772d0e95e9ed4bfa8e6a2106a
5d24735ea4e2f2b2359092ab77bf69477ace086f2ed8de754931e3024fc94eac
b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217
6b21b5a3b4624e1ad6ac6a8a28d21bf16131fdec95341fa2ac04ea9824b50d75
f8d91c8bc33c75ab7794e0c0a8498110cf03403daed2caf77a47975402be2e48
aefd458ffd4dd6fd5e7e713cc025439012265d4d8bab169c42d2daf98d8afcd9
46ca293c1bc89688a030ebdcac400a501551743160d99dbc919f800e41577e09
bb741e7ac48085e964e7fdfbd19b97a7376712b09c540a95c9a5f1872034908b
393d94791809b4059141bd1d6de789b431a71eb544bc7f7b0d7a1700c042ece5
f94903b0a50cc5c472b19dbceefb98e9f433f1e8fa9cb0a6f98ffca8dc609d5e
792d13b4f3887733a5ca23c9cb7f8f10186a796fb05891b4ff978cb526832ca0
4edbfbe670bdb8f0b1d0f8deebf86c5bb3444fde69fbfb743ee56fbef2ac5d7d
e8a9d29b01c2dde67df8e2ea6aba968af3ff2a7a1adc151c8773615fd6dc9ed0
24d0e610a636a4c010111cc724c2c5df4923885a02356fdeb22f5e13a5485b6c
449885db82a87d3151e04067039b2d07d8a844e0670842a2f739d493ebe6d1b1
950754e261538834ac3563cd3d382b5f1ed40acdcbb17b775ee158e10c827d5b
f8d79678441dd167be899e3b07fff98b7f39985c73e1207ae0a5dc855edb8344
8dba5c25c8f19e2be8aed3c06fd0fc679abeec44bd70c96f7193b04a5196bda8
7cf16fa9b84052ebac0f1752fd4cb2a9ffc8ffafc757f785376f2bde6fb554a5
995a51be969ea8a589668c591764d0675368c72f46539744babd58722a4c73c9
9de15a5c7e9cdefb9a48de4039027de8687838849d9588434564a343d15a9355
a867eb46763ccee8962f882a1cb2cdca5bb654881c4e2c4a20bd88713ba8818a
83a4b6cd0fa89d77f39c1ac7e3ecf5260bd7bffa07ab30fc6c7ab17e87525e39
73538ff2e8e3a4243c071eb7007086eea884c19db8e6bb92f6889eede28134d7
b63557e2a7e7fd2c0fc2e0d5084da08d62586963b22ad22e6b683fb9ee2934c5
68244f7b16e355e88f752ab26bd7290c019fad11d862754e9b5789ca15c263f1
ac5cec58b7bf1c35c562556c984e15b057ba8b3224559f1cc523ea9b70b53354
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
331d7e76582739e0f13e1405aced8b89f977a595c80c2e481ae74b4189141760
425f76eb82d3accf2865ff9f455a49675c2ca3f273ade57fd865c8fec5163f1e
a5c3adbc3170961645549d41320184a231c0eef43e2c5eea71f235bb4e273d89
377e4f1424a442481aaf05cc99550f80ca5a889bd904f44e04963244274eaaec
2c39793aee8f8966937d52468306f422151978e4b43d665a09f78e5c91fe5401
f9c6d61e21bab262adb55358862e97b2c0cd9b13a6a73129510f24a917558911
0737b4a17fda7c3b5ffe49d1f33da4b1789d0f3b7c77a54113d6136f1672782a
b68cdf9834d06557781bf09a5b3d4dabc3d6d2e1aa18aa42b1a0d42545e8a3d9
b17caccff755c664135937e36fdb567dbae543833983b6168bedbd827c99a9e1
201cffe8bf2c15a804167c67d2a095ff655829395cb54b5c3d3c4d038efde920
dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109
849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a
179e9673e3cbfd035d528f744f3eb88c65583089bb78d744f2c380be3bf3540a
75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9
6dd5d1309948dac371cf1cc1083f758ea313161d8658d9d3842e3f908bd280d5
1dbfb91bb378374fbc436b301cc481f6b32c53cfcb5dd3c3ab1eee2460e4bafe
d2fe22f934f6a5445d64e90c88d01a21793f80b0756d520e2d5744cd081193e1
083f671bdfa7b080edff7dc531e68b5179f0adf3109bc5509952209d4c6bffd1
a09effbe070813fd8998f3d09fa1211860faf38f174f3505b0325a9cfae303a5
35845d281a91dae79912a7238697c8b1d074bbff2785b621e0836f7c01d80b6e
5ba9c0369672e2fc6bfe9a4ab55d9c472338990d852c174329200b9771fa1093
cc08d15b67fcc5ed8b92f3360e06e9cf229da6ecb0a887f9ae90243e3288692f
d4f4ad6ea2e448166edde53a24011ddc5c4e870f7c571f9dd5e390e582ca3d33
fc6e2360ec42b0162ca6c115a87359ddb884735669a408df62d03a695554d934
9fad5596477c55d73ef0cedfa3211853f95418dc465c11c14cc3182ceaa1527b
91712842d53fd2c6b1e8f6aafec4a738c6f5a91ecc6849d813c857245a709682
15a7845256801920c72d8eb0b8be091fc8e6bc2461bf1cc53db2cf2b3c76b315
8734c94b5ebc9260065d6ac359500b8f17f290be6c74bb72b9c0cacccf9b7d63
a9d818bc38d2a84ff40e54a062a9fba01a0648300fb1a892432547bc5b85e158
4d934eff240fdf3c222505a546d8fb8c682a3affb70e4a85c635f607a47d8b1a
aead1f538ae65044f17554b188d4d1f88d7c4840bb554f3d70a2fe3ab86f6abf
e273e5e8948330a86519152bc6124971886a15758419d97953187b92b930fbb7
c1d59d4290604980ef30e6b5635108258a206354814ab0b447a2c70f9c7b9cd7
SH256 hash:
b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217
MD5 hash:
3db3ee8509e8ce9c12936a1d5b82cca1
SHA1 hash:
a0d8b919d49d820b506864493b82fa78228afc3f
Link:
https://www.unpac.me/results/fc4b308b-b5dd-48fb-b618-051a339fa4b5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5aa1fa3949b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_neshta_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/373478/

Comments