MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c991dbd92d2f3e6f3ff5d1de12016460a2cb557f7482d3322c7b495f0cbe9b89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c991dbd92d2f3e6f3ff5d1de12016460a2cb557f7482d3322c7b495f0cbe9b89
SHA3-384 hash: a5c504d18814540c28ad954d353d6377d99d2864e403b28074863596a91008bf84e274ed9c0a77cdaedb2faf43cfb7b3
SHA1 hash: 9d4bceabeff0e2e0bab26331910c694119584c9d
MD5 hash: d7c3ab252ef50bfbce42bd5ef67a4217
humanhash: arkansas-spring-glucose-triple
File name:d7c3ab252ef50bfbce42bd5ef67a4217
Download: download sample
Signature Neshta
Create hunting rule
File size:1'150'464 bytes
First seen:2021-07-29 16:07:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:0cK6NvIeig5/diMK64JaVbCrPNKkr9ZOQZQDx1zP:1XdK64Jgm7Nr5NZGX
Threatray 577 similar samples on MalwareBazaar
TLSH T1BC35AE21B6D4DE1EE4BE96368ECF102817FCFA133632B7686DE512B90506F01D9752CA
Reporter zbetcheckin
Tags:32 exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKMBT_C552210622130.xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-29 12:16:18 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/402288e3-1781-4079-92d0-2171d037bf76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175095/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6092727b-5021-4a6b-a88f-67f2147d75ec
Result
Threat name:
Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/823993
Signature
.NET source code contains very large strings
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c991dbd92d2f3e6f3ff5d1de12016460a2cb557f7482d3322c7b495f0cbe9b89/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 11:43:43 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgi5xwjnf47g6p7v2hpbealemcrmwvl7osbngmrmpnev6df6toeq._file
Verdict:
malicious
Similar samples:
1ff53011d1b3d8598e8244aca7539ddd8ffc9e205212de251e06457d18fa8b95
Neshta
328b4c94e2260a80f7656227a4f1c186876800647ad8205353acb6ab922ccc46
Neshta
3a33001ae12c200a137fde861b00f08e3afb05ec56ea4331c3ae1606e31f4c79
Neshta
8d56e8c41d8094151017ec3cecc40b5aa78edb0d955d39f3c68c3d211fbcb65a
Neshta
9445483350a3ed0479eed69073869e73b7837327bade374605b841a560a6ee70
Neshta
988954279d7d6998885c73e4436ba19eeb6f5875262e562b655454c93d60ebdc
Neshta
a50383b6ad4661cdf8d6b2acdba251a846999e4533761488fcf9e8e5abc8a11f
Neshta
aaa40ee2b509dc2b3a2f12f62d70565c85eb9aa13a7efd43bb86cfba0a3e1a88
Neshta
c19f16f127fcb44f20f2d94b7b876b1e41287e1ec12cbe6d0052cf416d805b1d
Neshta
f816449f25161cfd95e25d3e885ef160832e35214a0782237bd976f177e0f841
Neshta
+ 567 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210729-5qmy93eygj/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
CustAttr .NET packer
Modifies system executable filetype association
Unpacked files
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/2d4acc5b-27fd-4909-bd33-e73ab223ab3a/
SH256 hash:
d749a8b27bb40f6044ddbb34926eb153ca0376f9ce1b48944b90742306edd928
MD5 hash:
5abae10eaced6e764542d03c968f043f
SHA1 hash:
67bf53960581a44484c8d76c134ffef6df5147e4
Link:
https://www.unpac.me/results/2d4acc5b-27fd-4909-bd33-e73ab223ab3a/
SH256 hash:
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec
MD5 hash:
15d8ab38054a766318c235ee74ac10e8
SHA1 hash:
836c007d0760f9ba204f73553518004c2d7a6746
Detections:
win_neshta_auto
Create hunting rule
Link:
https://www.unpac.me/results/2d4acc5b-27fd-4909-bd33-e73ab223ab3a/
Parent samples :
c991dbd92d2f3e6f3ff5d1de12016460a2cb557f7482d3322c7b495f0cbe9b89
6116018c9a9550c912fdd717f2f3e811339feb4149012f3a15d40a80a492ab8e
c5e477805f7686cbcef90f9ecaed8aa9a438bd1bac0842d3b11b6fe8bce76356
SH256 hash:
a8def73dde3018c4250c52628fe22354af87491e82fdf1d50999c853f0226476
MD5 hash:
d795492e834240e69530093b74e8a0af
SHA1 hash:
d3cca1f910e6b06ddb3fa0ebc07f4167b0a98910
Link:
https://www.unpac.me/results/2d4acc5b-27fd-4909-bd33-e73ab223ab3a/
SH256 hash:
c991dbd92d2f3e6f3ff5d1de12016460a2cb557f7482d3322c7b495f0cbe9b89
MD5 hash:
d7c3ab252ef50bfbce42bd5ef67a4217
SHA1 hash:
9d4bceabeff0e2e0bab26331910c694119584c9d
Link:
https://www.unpac.me/results/2d4acc5b-27fd-4909-bd33-e73ab223ab3a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/c991dbd92d2f3e6f3ff5d1de12016460a2cb557f7482d3322c7b495f0cbe9b89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe c991dbd92d2f3e6f3ff5d1de12016460a2cb557f7482d3322c7b495f0cbe9b89

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1490120/
Cape
Cape
https://www.capesandbox.com/analysis/175095/

Comments


Avatar
zbet commented on 2021-07-29 16:07:40 UTC

url : hxxp://192.210.173.123/nee/can.exe