MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7bc5381981979086744173f2f135bc0267898fe43675c3e2f290e4da6b6c141. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7bc5381981979086744173f2f135bc0267898fe43675c3e2f290e4da6b6c141
SHA3-384 hash: 198471ca198b44f4052a7335fd7208ada92561402381ac36640152c99a182aa856522551c9c89b3c28b4c7986e911d53
SHA1 hash: 4f3639558966bd7ba00c3f4a1933c62a1ea7a654
MD5 hash: 0f25aebd0e16d936e33b04bfee087250
humanhash: happy-paris-low-stream
File name:Invoice current.zip
Download: download sample
Signature Neshta
Create hunting rule
File size:723'595 bytes
First seen:2024-03-29 10:37:48 UTC
Last seen:2024-03-29 14:00:25 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:L05ULiog46bhYQL7nasx7R+e2F3QVAZuWFOO7fg/+lNUVyyFBhSuolnCK+7Cu:L05ULioO1Y6TashR+fFUVWFOO7YmlNUd
TLSH T14FF4338A38038539F506DACD5436895BD15B12E11A6D0CCA5B177FF9A9EB0FAF8638C0
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:INVOICE Neshta zip


Avatar
cocaman
Malicious email (T1566.001)
From: "roseu@eri-rwanda.com" (likely spoofed)
Received: "from eri-rwanda.com (unknown [45.137.22.116]) "
Date: "29 Mar 2024 06:59:28 +0100"
Subject: "Invoice of March 2024"
Attachment: "Invoice current.zip"

Intelligence

File Origin
# of uploads :
2
# of downloads :
380
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Current Invoice.exe
File size:776'192 bytes
SHA256 hash: f9c6d61e21bab262adb55358862e97b2c0cd9b13a6a73129510f24a917558911
MD5 hash: a0e731bdd58096ba8ca50487f5410f5d
MIME type:application/x-dosexec
Signature Neshta
Vendor Threat Intelligence
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/c7bc5381981979086744173f2f135bc0267898fe43675c3e2f290e4da6b6c141/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/66069a0ba0783463fa9dc23e/reports/8535ef3f-ad9d-448c-9e23-710bdc2a7e64/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c7bc5381981979086744173f2f135bc0267898fe43675c3e2f290e4da6b6c141
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c7bc5381981979086744173f2f135bc0267898fe43675c3e2f290e4da6b6c141
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7bc5381981979086744173f2f135bc0267898fe43675c3e2f290e4da6b6c141/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-03-29 04:15:00 UTC
File Type:
Binary (Archive)
Extracted files:
19
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y66fhamydf4qqz2ec47s6e23yathrgh6intvyprpfehe3jvwyfaq._file
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/240329-qmsv6ahe2w/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Detect Neshta payload
Neshta
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/c7bc5381981979086744173f2f135bc0267898fe43675c3e2f290e4da6b6c141

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

zip c7bc5381981979086744173f2f135bc0267898fe43675c3e2f290e4da6b6c141

(this sample)

Neshta

Executable exe f9c6d61e21bab262adb55358862e97b2c0cd9b13a6a73129510f24a917558911

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 f9c6d61e21bab262adb55358862e97b2c0cd9b13a6a73129510f24a917558911
  
Dropping
Neshta

Comments