MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bebe5852579772c396331a3593a2f9a2a69ac74e174901e563d8b2a3a4cdfc11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Neshta


Vendor detections: 16


Intelligence 16 IOCs YARA 15 File information Comments

SHA256 hash: bebe5852579772c396331a3593a2f9a2a69ac74e174901e563d8b2a3a4cdfc11
SHA3-384 hash: 8c51cb0a103ddeda89fbbd5782a1a458bcf5d1bc1cc3d139ae9afd469a90c2ac76604a50531a07629c78c1d7593551bf
SHA1 hash: 5f3c9735bc056e6a54fb37feb64a57a6896ed3be
MD5 hash: 5edf93c833ec38276271419693461895
humanhash: lithium-timing-avocado-cup
File name:bebe5852579772c396331a3593a2f9a2a69ac74e174901e563d8b2a3a4cdfc11
Download: download sample
Signature Neshta
File size:163'760 bytes
First seen:2026-07-15 16:29:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (257 x Neshta, 15 x Formbook, 15 x AgentTesla)
ssdeep 1536:JxqjQ+P04wsmJCpwm0PW1IrqJfMtQlD8x89u7FE4ymvG4PDo2DhA3lr1fBY4iKo4:sr85Cpj0PW1IrEfMtyhujnzhQNv48
TLSH T169F3AD27B7F08474E573AE78DAB55E25D7B2B8201871C76F93A1460E0F237A0AD29317
TrID 86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win64 Executable (generic) (6522/11/2)
1.4% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter JAMESWT_WT
Tags:exe Neshta

Intelligence


File Origin
# of uploads :
1
# of downloads :
163
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Tags:
downloader dropper neshta virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
borland_delphi explorer fingerprint lolbin neshta overlay packed reconnaissance virus
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-03-22T16:09:00Z UTC
Last seen:
2026-07-16T19:02:00Z UTC
Hits:
~100
Gathering data
Threat name:
Win32.Virus.Neshta
Status:
Malicious
First seen:
2025-04-10 21:22:35 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
Similar samples:
Result
Malware family:
Score:
  10/10
Tags:
family:neshta discovery persistence spyware stealer
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Modifies system executable filetype association
Reads user/profile data of web browsers
Detect Neshta payload
Family: Neshta
Unpacked files
SH256 hash:
bebe5852579772c396331a3593a2f9a2a69ac74e174901e563d8b2a3a4cdfc11
MD5 hash:
5edf93c833ec38276271419693461895
SHA1 hash:
5f3c9735bc056e6a54fb37feb64a57a6896ed3be
Detections:
win_neshta_auto win_neshta_g0 Neshta
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Author:malware-lu
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EXE_Virus_Neshta_March2024
Author:Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_Neshta
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Malware_Imphash_Mar23_1
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:MAL_Neshta_Generic
Author:Florian Roth (Nextron Systems)
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:neshta_v1
Author:RandomMalware
Rule name:pe_detect_tls_callbacks
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Virus_Neshta_2a5a14c8
Author:Elastic Security
Rule name:win_neshta_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments