MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c16ebbbebe01f0fee4eb7f658bb25770eb0601cc850d0225097c0157d12df0e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Neshta


Vendor detections: 16


Intelligence 16 IOCs YARA 28 File information Comments

SHA256 hash: c16ebbbebe01f0fee4eb7f658bb25770eb0601cc850d0225097c0157d12df0e7
SHA3-384 hash: cb7b0b2d237c088d42ae8904e95e8ae4e0dbc7cb9c8507bcae99d4e8877d2ff8a11f338a9fcf25801b2bb27175377636
SHA1 hash: b26a0f4fff71202b4183619cd360a8d88dae5158
MD5 hash: 37cd426b36fc4ee517cef319cf14076f
humanhash: bulldog-asparagus-mobile-six
File name:c16ebbbebe01f0fee4eb7f658bb25770eb0601cc850d0225097c0157d12df0e7
Download: download sample
Signature Neshta
File size:5'815'448 bytes
First seen:2026-07-15 16:28:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (257 x Neshta, 15 x Formbook, 15 x AgentTesla)
ssdeep 98304:/m+ZqQDrTU61ENWPDKIvCFNyE3oYGbiCv:+Aq4U60WPDKI6FNB4YGeS
TLSH T1B8469D56A6A450ECD5BBC17CC6568617E7F2BC0503719BCF06A0A66A1F33AE12F3E710
TrID 84.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.0% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika pebin
dhash icon f8e4e4d3f2bcd8e0 (2 x Neshta)
Reporter JAMESWT_WT
Tags:exe Neshta

Intelligence


File Origin
# of uploads :
1
# of downloads :
159
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Tags:
dropper bitcoin neshta crypt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 borland_delphi evasive expand fingerprint lolbin overlay packed reconnaissance
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-26T14:08:00Z UTC
Last seen:
2026-07-15T13:45:00Z UTC
Hits:
~10
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Virus.Neshta
Status:
Malicious
First seen:
2026-06-26 19:00:28 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
35 of 36 (97.22%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
Similar samples:
Result
Malware family:
Score:
  10/10
Tags:
family:neshta defense_evasion discovery persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Modifies trusted root certificate store through registry
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Detect Neshta payload
Family: Neshta
Unpacked files
SH256 hash:
c16ebbbebe01f0fee4eb7f658bb25770eb0601cc850d0225097c0157d12df0e7
MD5 hash:
37cd426b36fc4ee517cef319cf14076f
SHA1 hash:
b26a0f4fff71202b4183619cd360a8d88dae5158
Detections:
win_neshta_g0 Neshta
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Borland
Author:malware-lu
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:EXE_Virus_Neshta_March2024
Author:Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Rule name:identity_golang
Author:Eric Yocam
Description:find Golang malware
Rule name:MALWARE_Win_Neshta
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Malware_Imphash_Mar23_1
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:neshta_v1
Author:RandomMalware
Rule name:pe_detect_tls_callbacks
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:skip20_sqllang_hook
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:test_rule_vldslv
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:Windows_Virus_Neshta_2a5a14c8
Author:Elastic Security
Rule name:Win_FakeInstaller_PythonShellcodeLoader_Crepectl_2026
Author:SixHands
Description:Detects the analyzed fake installer sample using .key config, XOR key, and Python/fiber shellcode loader traits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments