MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e
SHA3-384 hash: 4dd8b4e904ba754a9c8082f33716b8b17faa24cfd4768fa722592bd7fd60fe9385f9d3e936a4f3fb78919418e1704872
SHA1 hash: 9cb754e4471a26957f5aad0e37a3c705358fbde2
MD5 hash: 3f64df9616321b718366e70eab655e0c
humanhash: nineteen-bacon-sixteen-hydrogen
File name:补丁打包.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:889'344 bytes
First seen:2024-11-19 08:04:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 24576:MNjTaxN/1+N7zOQr3mYCFY7Mk2xT+2n/S225E2Y22222Gxqz8uRHYbJ2d2hgZgFU:Hx2N7qM3mvnZe
Threatray 723 similar samples on MalwareBazaar
TLSH T1AC15BF42F5D280F5C675193014BA67379A7ABA465B18CFCB93A4DD3D2C32180AA3737E
TrID 70.2% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
15.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
2.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Magika pebin
dhash icon 2d8c8c24b294c666 (2 x Neshta)
Reporter Joker
Tags:exe malware Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
400
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
补丁打包.exe
Verdict:
No threats detected
Analysis date:
2024-11-19 08:05:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/642d36b8-0efc-4f52-8a4d-954816f78722

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Win.Trojan.Neshta-157
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673c47d05107a56eacc7de9a
Tags:
vmdetect neshta emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Modifying an executable file
Creating a file in the Windows directory
Creating a file in the %temp% directory
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Verdict:
Malicious
Labled as:
Virus.Neshta
Link:
https://www.hybrid-analysis.com/sample/c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e
Malware family:
Ramnit
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb3884a4-663a-43dd-9325-2ecb62f7bc21
Result
Threat name:
Bdaejec, Neshta, Ramnit
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1558248
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Sample is not signed and drops a device driver
Suricata IDS alerts for network traffic
Yara detected Bdaejec
Yara detected Neshta
Yara detected Ramnit
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1558248 Sample: #U8865#U4e01#U6253#U5305.exe Startdate: 19/11/2024 Architecture: WINDOWS Score: 100 90 ddos.dnsnb8.net 2->90 116 Suricata IDS alerts for network traffic 2->116 118 Malicious sample detected (through community Yara rule) 2->118 120 Antivirus detection for dropped file 2->120 122 12 other signatures 2->122 15 #U8865#U4e01#U6253#U5305.exe 5 2->15         started        19 svchost.com 2->19         started        signatures3 process4 file5 74 C:\Windows\svchost.com, PE32 15->74 dropped 76 C:\Users\user\AppData\Local\Temp\chrome.exe, PE32 15->76 dropped 78 C:\Users\...\#U8865#U4e01#U6253#U5305.exe, PE32 15->78 dropped 80 97 other malicious files 15->80 dropped 102 Creates an undocumented autostart registry key 15->102 104 Drops PE files with a suspicious file extension 15->104 106 Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS) 15->106 108 2 other signatures 15->108 21 #U8865#U4e01#U6253#U5305.exe 2 15->21         started        24 msedge.exe 19->24         started        signatures6 process7 dnsIp8 62 C:\Users\user\AppData\Local\...\OMmJKXpD.exe, PE32 21->62 dropped 64 C:\Users\...\#U8865#U4e01#U6253#U5305Srv.exe, PE32 21->64 dropped 27 #U8865#U4e01#U6253#U5305Srv.exe 3 21->27         started        31 OMmJKXpD.exe 12 21->31         started        92 239.255.255.250 unknown Reserved 24->92 34 msedge.exe 24->34         started        36 msedge.exe 24->36         started        file9 process10 dnsIp11 66 C:\Program Files (x86)\...\DesktopLayer.exe, PE32 27->66 dropped 126 Found evasive API chain (may stop execution after checking mutex) 27->126 38 DesktopLayer.exe 27->38         started        96 ddos.dnsnb8.net 44.221.84.105, 799 AMAZON-AESUS United States 31->96 68 C:\Program Files\7-Zip\Uninstall.exe, PE32 31->68 dropped 70 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 31->70 dropped 72 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 31->72 dropped 128 Detected unpacking (changes PE section rights) 31->128 130 Infects executable files (exe, dll, sys, html) 31->130 40 WerFault.exe 31->40         started        98 chrome.cloudflare-dns.com 162.159.61.3, 443, 49719, 49720 CLOUDFLARENETUS United States 34->98 100 172.64.41.3, 443, 49721, 49726 CLOUDFLARENETUS United States 34->100 file12 signatures13 process14 process15 42 iexplore.exe 53 68 38->42         started        process16 44 iexplore.exe 6 21 42->44         started        dnsIp17 94 chrome.cloudflare-dns.com 44->94 47 svchost.com 44->47         started        51 svchost.com 44->51         started        process18 file19 82 C:\...\maintenanceservice.exe, PE32 47->82 dropped 84 C:\...\MicrosoftEdgeUpdateCore.exe, PE32 47->84 dropped 86 C:\...\MicrosoftEdgeUpdateBroker.exe, PE32 47->86 dropped 88 71 other malicious files 47->88 dropped 110 Sample is not signed and drops a device driver 47->110 112 Drops executable to a common third party application directory 47->112 114 Infects executable files (exe, dll, sys, html) 47->114 53 ie_to_edge_stub.exe 47->53         started        56 ssvagent.exe 51->56         started        signatures20 process21 signatures22 124 Drops executables to the windows directory (C:\Windows) and starts them 53->124 58 svchost.com 53->58         started        process23 process24 60 msedge.exe 58->60         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e
Detection:
ramnit
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e/
Threat name:
Win32.Virus.Neshuta
Create hunting rule
Status:
Malicious
First seen:
2024-11-19 08:05:12 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
37 of 38 (97.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhv5jqkzl6ua2zjbgifjkagsfnkwso6xzyqk6wcjfiibrogm6gha._file
Verdict:
malicious
Label(s):
neshta
Create hunting rule
Similar samples:
213018b120fa8dc907187cf834fd4222bf527a990a17886cd6d82c206230ae63
Neshta
232f876999f6681e26051a522b6f2a73668c407b499f4bd5a0b64236dce25a1f
Neshta
6df33c856858c03f62d5a67a7bc69499db91a1405e67b83907dcabfe9bd31d40
Neshta
99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
Neshta
a56201e88978eee0be785d68c9f510b25dc8d5e702af0b9d17dec5e507fc3626
Neshta
ae27369e82861c261ef0827edef24f8bde12f0028c239b92a21d67a4b5fba338
Neshta
b771a64bbfce8232710851ea13f5408cc28133ac0537ff1309c749ce85f42633
Neshta
error
Neshta
f20f7a895d3c4004241bbe4d9084b93fcc5183356aceacfb75b4f8e89f246f69
Neshta
fe31f9f04529e00c72d2b8957d0ed1e4031c463b0850a68b04310b03827c6120
Neshta
+ 713 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta discovery persistence spyware stealer
Link:
https://tria.ge/reports/241119-jyt42ashmj/
Behaviour
Modifies registry class
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Modifies system executable filetype association
Reads user/profile data of web browsers
Neshta
Neshta family
Verdict:
Malicious
Tags:
trojan neshta Win.Malware.Wapomi-10020301-0
YARA:
Windows_Generic_Threat_3f060b9c MAL_Neshta_Generic MAL_Malware_Imphash_Mar23_1
Link:
https://app.threat.zone/submission/a0c16bfe-bde3-47e4-bdbe-0520a6fab72f
Unpacked files
SH256 hash:
6057d87753daee3c71eb8c0d3cb8582ea88d6e56f02864019db9fd7af3fb4a9f
MD5 hash:
651defc532f0e72be60621696aa97972
SHA1 hash:
43176a96322202fc8fd8901c213fde820d005871
Detections:
win_ramnit_g1
Create hunting rule
win_ramnit_auto
Create hunting rule
Link:
https://www.unpac.me/results/dc5c0cfa-97f2-49c0-b871-381811ecf974/
Parent samples :
3aae149445e6ae7d5dff0a830abcd1bb26b868e4e7c8cf8bc625a9e46795d96b
4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224
712902f16ad8e9570dc1e25dba5f4219f3fdd497d727f08dd98f1c6baa78335b
21077824b7eea56bdfe182de863fe599286c70fd067744faf6fa850da7342db3
3eabf4e909e889bfcb994a36d041ced30c30a377a6a0d6057eda4b8f35f4ca0e
1d448335a3b897166b49488a43f72689a054cd464ad5b5b148d57454d0515f50
680e418e349d611812a6afd357c39fa4fe3baf32cd95012f9b0632a364f2f349
bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90
f158a9650580dcf9a875b153192a86e20798c7f01b4a458b668704661e2cc89c
b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
4e707c27c365409032b8081092276d83498149589fa42c52271febbc5682bc81
0df97a0e5fe6fa55e4e8d20b0478a80dfb6d080bca66e630e9f80ed4838facee
06f2fef10fedbb774853c71cc9c923cd56d49d6165a6476fa7e5445550b0a6dc
81b64a354103b21b8d7f2bebb62923b5c2bc4f7f9cba5197fc24b5d869c032be
33b4058adaed65e17b07ee1c11af2c1a53e65dbd98f86cdfc72d841529160c14
aa7c68bbb7a270aede803fb6d767aaec5794724cb2711a34c15eac54cfd9a88f
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3
493c63489f594c10e1f5aace2dd833f3fddaac2800d3603498d2b4abe4bd7e0c
f09ec41136e8e5e5076ca495192d9326e5581c748148fa877412d466db26112d
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52
973c7137d6a2921d75eb42cb09ef9270a60ca23f25457bb5803a604effd14eb4
93e0a3cbd07c8c1e99fea9e05a7a2bd7a312cf92d3b407be37db43774827ca09
876c5cea11bbbcbe4089a3d0e8f95244cf855d3668e9bf06a97d8e20c1ff237c
b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
87c160843bc0bdcd754a151c288f899763494385830016c299245f1fe9354b54
daa4efd6ea62d68ce47d73ee57d12cacb07d84ed87e7b4d680c20a715e29e519
ab41d83fb3c5aedecd6fbb3c54ce1c3a58d73d9969fc9c76d01c1c3f2b8c8cc2
f2574f6588e32a3d97988edb359a4f0a9a2df8f36caf8a0e2597d46bb2551985
482991b76849008ad700cf7e29ddd2b3d00d7d40d69377650154dca3adfde791
be4f04a6cb1df55610f461e3e05d81daebe75cbab021746e0cbf6b05389ff02b
ceeed21fc6b040b57c17d0b94c3af9597abde599a37192f40730656e48633b51
d0265e42d4f24fa518f631540cd3e29d9f1086448400de348c300c63bf6aa35f
8a9e221015ab7127c650f6fe81ef3e062ae7ebe00f88ba04717189099862c7d7
d0df8fac2089608a6b5dee7132981e88ab3b98178aff1d3fe7e003d388541e24
ee9378542050d13b1028b443f214d363dac7d11c1229e7e9054efde251d3e36b
c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e
90dd057ac1bdec6b27174681b857af28e2ddd05f84b7536eecd28cf6cc1a1189
cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f
08e00ccaa704c210e5841227e0db6b5c911ad675f3eaf48f5a629877c0ac3de1
250f05b7b22f886df69550d87c9f0139c0ddfb7dc85b6c6c7e12d1ae3b71d1e7
990357fe141b7e0ef376eb3d71279a6d160f8bbbd3e6d25e269c34af50e6ef04
4bb178da0a560d36af39e243dda93fe45446907a00009210abd6ba1a036a600c
2c3804853d63043067a602c9b5271831d7c8b7b9bc91e39a061e28135588b6b3
SH256 hash:
c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e
MD5 hash:
3f64df9616321b718366e70eab655e0c
SHA1 hash:
9cb754e4471a26957f5aad0e37a3c705358fbde2
Link:
https://www.unpac.me/results/dc5c0cfa-97f2-49c0-b871-381811ecf974/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_3f060b9c
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play Multimediagdi32.dll::StretchDIBits
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::GetDriveTypeA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WinExec
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::FindFirstFileA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA

Comments