MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8ec3b964de755ffc8988a41f639284b39cd13ef066a6af135995a3045b2ca4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8ec3b964de755ffc8988a41f639284b39cd13ef066a6af135995a3045b2ca4e
SHA3-384 hash: 27abdc2480abd1d018f0e4bb8f7d6bc389f965a0491fff3d56367e68baf07ae446e138ad660dd00f9ef01de3322240e9
SHA1 hash: 4de9c05360d6f7fad66bd6b7b14634fa805fa714
MD5 hash: bf08753c542580f5a5688661bde40ae4
humanhash: wolfram-earth-zulu-quebec
File name:bf08753c542580f5a5688661bde40ae4.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:686'080 bytes
First seen:2021-07-13 13:23:34 UTC
Last seen:2021-07-13 14:01:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:weEDrQ47uELrXJy2Mda/Rb/kOhCQBMNqjASyboICllnh+o3tWGnJTAAo79RU4:wLDE1yr5y2Mda/BkOhCQBMNq0aI6ln4F
Threatray 84 similar samples on MalwareBazaar
TLSH T148E42310F2A39E6CF4578E32A35B0560549E64DF660F9E27364C4B790F12FCA1E8B5B2
Reporter abuse_ch
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bf08753c542580f5a5688661bde40ae4.exe
Verdict:
Malicious activity
Analysis date:
2021-07-13 13:30:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb67c31f-0b7d-42b8-9e93-1d31e74db402

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171430/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.ETY.genEldorado.30726.1617.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8d3e866-be5e-4f3f-9ec2-91927a185684
Result
Threat name:
Remcos Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815641
Signature
Creates an undocumented autostart registry key
Detected Remcos RAT
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Neshta
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8ec3b964de755ffc8988a41f639284b39cd13ef066a6af135995a3045b2ca4e/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 13:24:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
117
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
35781f59dd0d4db4313b493ba0f80606f0f999c904e72a2dd76b0cb111678cde
Neshta
3fa53f6f68e280013eb9651a53a3c40a16fa99f7689d0761b3f95b2de68b22cf
Neshta
412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb
Neshta
4ba041292881b73bc2cf7842f17b64eeca555b209577f5ea842fbeaa30f05ea0
Neshta
563d0226f3ff043014f86d780778fc6bbae2193e46137271d586ca3d83da34af
Neshta
a73f2d92c3d48bad18d6a33530cedee50fb1495030c752d406045c113eeabd0a
Neshta
b2ae47f62aa239fb6badfb8af83054c008e9c93d6fe1953732ec03029dc474ce
Neshta
b4e70946128b7c45e4e6404714ca40df679ed0b6ac5157533c953196d96daa41
Neshta
cc29d221864706dcc32aff35a4a7a246c310aa7fd8fd4cb254ad36fb415fe3ff
Neshta
e82473f02711056cbcda98d22a858d95c6cf574c17ee77ea62db86e405ff6e77
Neshta
+ 74 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210713-818ckwvmen/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Modifies system executable filetype association
Unpacked files
SH256 hash:
6717b89aeeda0e8c52baac53629b3af88e616201b576506c92959aa33a4b5c2a
MD5 hash:
6d69c825e960844e39bbb0f602254820
SHA1 hash:
bf2c98421b73447da964a8346e3446a515dd3dd2
Detections:
win_neshta_auto
Create hunting rule
Link:
https://www.unpac.me/results/c5519725-1145-4714-a9a6-04a245f81167/
Parent samples :
e945bb8adf04184220759eee4322100778cbe096875c8cb0d21ee7d01d36e457
b8ec3b964de755ffc8988a41f639284b39cd13ef066a6af135995a3045b2ca4e
d021e872a4841ee35b654e3dfb946b8f880f3a598050bde20550899410456321
SH256 hash:
9beff345d4cb9b33ab9fd50a9a0b5ffb54d57f9600bb78b0e7aa970b79f369ca
MD5 hash:
95ed7eb89c2852f4447ceeea2987a7f9
SHA1 hash:
8c8ead688864e2593cfb45bad3a60c3fc277cea0
Link:
https://www.unpac.me/results/c5519725-1145-4714-a9a6-04a245f81167/
SH256 hash:
e2dcd389a1dd080e68a5f6008e96fd7b735bd2dcc685954103939ca1d3d8128e
MD5 hash:
6d23487a1fc71e6f7eeb8308886c800f
SHA1 hash:
570b5e566c36886454405a4cc1c0b9e42acc04f4
Link:
https://www.unpac.me/results/c5519725-1145-4714-a9a6-04a245f81167/
SH256 hash:
b8ec3b964de755ffc8988a41f639284b39cd13ef066a6af135995a3045b2ca4e
MD5 hash:
bf08753c542580f5a5688661bde40ae4
SHA1 hash:
4de9c05360d6f7fad66bd6b7b14634fa805fa714
Link:
https://www.unpac.me/results/c5519725-1145-4714-a9a6-04a245f81167/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/b8ec3b964de755ffc8988a41f639284b39cd13ef066a6af135995a3045b2ca4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_neshta_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe b8ec3b964de755ffc8988a41f639284b39cd13ef066a6af135995a3045b2ca4e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1398042/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171430/

Comments