MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2dd89a5116214f44214380e06bb86158f67b8148ae1cdfb4dddefe444badbb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c2dd89a5116214f44214380e06bb86158f67b8148ae1cdfb4dddefe444badbb0
SHA3-384 hash: b812e076ecc787d1a0bb9f6535104c8f9d47ff1a9379a35c2c72d91514f93dd36c525c40ae6f72c57900b7e6720221e6
SHA1 hash: 0b2990ac885898ffc4bd3a63d469f63090cd7c27
MD5 hash: 6a16f337d3315623f0d40b26572b8abb
humanhash: nuts-foxtrot-bluebird-autumn
File name:2023-02-21_6a16f337d3315623f0d40b26572b8abb_neshta_wannacry
Download: download sample
Signature Chaos
Create hunting rule
File size:2'884'608 bytes
First seen:2023-02-23 05:06:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 24576:BS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfEC/:BSy6PX3PpM+P5Idp/
Threatray 104 similar samples on MalwareBazaar
TLSH T179D52E3839EA9019F1B3EF7A6FD4B9D7DA9FB7733A0294191081034B4623A81DD9153E
TrID 84.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8f4b27959b2f4e8 (5 x Chaos, 5 x WannaCry)
Reporter petikvx
Tags:Chaos

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2023-02-21_6a16f337d3315623f0d40b26572b8abb_neshta_wannacry
Verdict:
Malicious activity
Analysis date:
2023-02-23 05:10:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b19bc15e-18a9-4fb9-be1a-e1883511b1fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Chaos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369169/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Ransomware.Hydracrypt-9878672-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a window
Creating a file
Creating a file in the Program Files subdirectories
Creating a file in the %AppData% directory
Searching for the window
Creating a process with a hidden window
Running batch commands
Launching a service
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
neshta overlay shell32.dll virus
Link:
https://www.filescan.io/uploads/63f6f47cd385ee5858515b80/reports/eb1d11fb-be94-4d95-8c31-a0b5250ffd35/overview
Verdict:
Malicious
Labled as:
Virus.Neshta
Link:
https://www.hybrid-analysis.com/sample/c2dd89a5116214f44214380e06bb86158f67b8148ae1cdfb4dddefe444badbb0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc120e6b-3357-4f11-b71a-9f257f25cbbf
Result
Threat name:
Chaos, Neshta
Create hunting rule
Detection:
malicious
Classification:
rans.spre.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181083
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Delete shadow copy via WMIC
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Yara detected Chaos Ransomware
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813914 Sample: VNGUnanbs4.exe Startdate: 23/02/2023 Architecture: WINDOWS Score: 100 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for dropped file 2->82 84 Antivirus / Scanner detection for submitted sample 2->84 86 8 other signatures 2->86 10 VNGUnanbs4.exe 4 2->10         started        14 svchost.com 2->14         started        16 svchost.com 2->16         started        process3 file4 72 C:\Windows\svchost.com, PE32 10->72 dropped 74 C:\Users\user\AppData\Local\...\setup.exe, PE32 10->74 dropped 76 C:\Users\user\AppData\...\VNGUnanbs4.exe, PE32 10->76 dropped 78 8 other malicious files 10->78 dropped 112 Creates an undocumented autostart registry key 10->112 114 Drops PE files with a suspicious file extension 10->114 116 Drops executable to a common third party application directory 10->116 118 Infects executable files (exe, dll, sys, html) 10->118 18 VNGUnanbs4.exe 5 10->18         started        22 svchost.exe 1 49 14->22         started        24 svchost.exe 16->24         started        signatures5 process6 file7 64 C:\Users\user\AppData\Roaming\svchost.exe, PE32 18->64 dropped 66 C:\Users\user\AppData\...\VNGUnanbs4.exe.log, CSV 18->66 dropped 88 Multi AV Scanner detection for dropped file 18->88 90 Drops PE files with benign system names 18->90 26 svchost.exe 4 3 18->26         started        68 C:\Users\user\AppData\...\svchost.exe.nbua, data 22->68 dropped 92 Deletes shadow drive data (may be related to ransomware) 22->92 94 Drops executables to the windows directory (C:\Windows) and starts them 22->94 96 Uses bcdedit to modify the Windows boot settings 22->96 98 Tries to harvest and steal browser information (history, passwords, etc) 22->98 29 svchost.com 22->29         started        31 svchost.com 22->31         started        33 svchost.com 22->33         started        signatures8 process9 signatures10 108 Deletes shadow drive data (may be related to ransomware) 26->108 110 Uses bcdedit to modify the Windows boot settings 26->110 35 svchost.com 1 26->35         started        39 cmd.exe 29->39         started        41 cmd.exe 31->41         started        43 cmd.exe 33->43         started        process11 file12 70 C:\Windows\directx.sys, ASCII 35->70 dropped 100 Multi AV Scanner detection for dropped file 35->100 102 Deletes shadow drive data (may be related to ransomware) 35->102 104 Uses bcdedit to modify the Windows boot settings 35->104 106 Sample is not signed and drops a device driver 35->106 45 cmd.exe 1 35->45         started        48 conhost.exe 39->48         started        50 vssadmin.exe 39->50         started        52 WMIC.exe 39->52         started        54 conhost.exe 41->54         started        56 conhost.exe 43->56         started        signatures13 process14 signatures15 120 Deletes shadow drive data (may be related to ransomware) 45->120 58 WMIC.exe 1 45->58         started        60 conhost.exe 45->60         started        62 vssadmin.exe 1 45->62         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c2dd89a5116214f44214380e06bb86158f67b8148ae1cdfb4dddefe444badbb0/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 22:26:17 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 25 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yloytjirmikpiqquhahano4gcwhwpoaurlq4362n3xx6irf23oya._file
Verdict:
malicious
Similar samples:
101580f357d05a637f15eeab3a11c713a7e19d223209b443ce5d4e62346e2869
Chaos
2cf1affaddac715171d5be89d0c2bfaa3470608efdc12940967fc22fcffde54f
Chaos
4ee95ee6271482c7939ce3b9db210ffb7a73ceebb6500b978fa3e6fe1d6ea168
Chaos
a70171a1bc2a7fba0f4dcc65d2f0458f4e08388fcea7fe880c26341dcaaed413
Chaos
aae66e4930de3e86e7a4095dbba08680278f96f570a0d116e4616c12492a3073
Chaos
c03f0aebf7867cd5195061605cec8e933575787fc59950b15ae2947dc34a2a42
Chaos
+ 94 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:chaos family:neshta evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/230223-fr1fpagg3z/
Behaviour
Interacts with shadow copies
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Modifies extensions of user files
Deletes shadow copies
Chaos
Chaos Ransomware
Detect Neshta payload
Neshta
Unpacked files
SH256 hash:
c2dd89a5116214f44214380e06bb86158f67b8148ae1cdfb4dddefe444badbb0
MD5 hash:
6a16f337d3315623f0d40b26572b8abb
SHA1 hash:
0b2990ac885898ffc4bd3a63d469f63090cd7c27
Detections:
win_neshta_g0
Create hunting rule
Link:
https://www.unpac.me/results/6bb14212-18b7-4402-972e-03bce5ab29e0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c2dd89a51162/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/c2dd89a5116214f44214380e06bb86158f67b8148ae1cdfb4dddefe444badbb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICOUS_EXE_References_VEEAM
Create hunting rule
Author:ditekSHen
Description:Detects executables containing many references to VEEAM. Observed in ransomware
Rule name:MALWARE_Win_Chaos
Create hunting rule
Author:ditekSHen
Description:Detects Chaos ransomware
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369169/

Comments