MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddda60d1e3fa833ce9bc480cbd5cbabb28d2902f7ab20c842a6bc73dab1ec293. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	ddda60d1e3fa833ce9bc480cbd5cbabb28d2902f7ab20c842a6bc73dab1ec293
SHA3-384 hash:	d79145bf57509666c0f259da6c2823b006001c3676f9291533de4fd8707b689ef23d75c61a1e0d2f3d8876180453ba1d
SHA1 hash:	7e2cee7f0a5d607583389b16887c46829abc36e0
MD5 hash:	3d339653a024ebb3969829307400a392
humanhash:	bacon-washington-angel-hotel
File name:	3d339653a024ebb3969829307400a392.exe
Download:	download sample
Signature	Neshta Create hunting rule
File size:	1'490'728 bytes
First seen:	2022-06-20 14:08:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep	24576:B4/s8CUCfJdjgqsLqf3ZfMmVcX3hmyaadfkzrS4LcNcts2g2cKjTeqbGDGOr0VMj:Bc0rJdjgqsLqf3ZfM0Pa5kLLcatsXkju
Threatray	295 similar samples on MalwareBazaar
TLSH	T1C1659D13B29611F9C02EC1B88B565161E971BC850B35BADF17A0B7262E32FD06F3DB25
TrID	71.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 11.7% (.EXE) InstallShield setup (43053/19/16) 3.8% (.EXE) Win32 Executable Delphi generic (14182/79/4) 3.5% (.SCR) Windows screen saver (13101/52/3) 2.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):
dhash icon	c090b090ba12b4b6 (1 x Neshta)
Reporter	abuse_ch
Tags:	exe Neshta

Intelligence

File Origin

# of uploads :

# of downloads :

241

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Neshta

Link:

https://www.capesandbox.com/analysis/281644/

Detection(s):

Win.Trojan.Neshuta-1

PUA.Win.Packer.Pequake-4

Win.Virus.Neshta-7101689-0

Win.Trojan.Jadtre-5

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a file in the Windows directory

Creating a process from a recently created file

Modifying an executable file

Creating a window

Searching for the window

Reading critical registry keys

Sending a custom TCP request

Creating a file

Creating a file in the Program Files subdirectories

Enabling autorun with the shell\open\command registry branches

Infecting executable files

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/22060/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

neshta overlay shell32.dll

Link:

https://www.filescan.io/uploads/62b07f8cd37f6643508eb1f0/reports/b4621ba3-6bdf-42b0-95ab-5df266f5d025/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Neshta

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01af4a8f-dcc3-4cb0-afc4-2cafb3b0c2bc

Result

Threat name:

Neshta

Detection:

malicious

Classification:

spre

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1016390

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Drops PE files with a suspicious file extension

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Neshta

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ddda60d1e3fa833ce9bc480cbd5cbabb28d2902f7ab20c842a6bc73dab1ec293/

Threat name:

Win32.Virus.Neshta

Status:

Malicious

First seen:

2022-06-20 09:59:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 26 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xngbupd7kbtz2n4jagl2xf2xmunfebppkzazbbknpdt3ky6ykjq._file

Verdict:

malicious

Neshta

2cf1affaddac715171d5be89d0c2bfaa3470608efdc12940967fc22fcffde54f

Neshta

6fcd9b779accb07c3b05ac111df68e64fbc255f81887a60d810b94acd6f44388

Neshta

7ec8d23c5167687f3e60e57527cedf105a3de3b1d88e47924d96bad31bfe5385

Neshta

a70171a1bc2a7fba0f4dcc65d2f0458f4e08388fcea7fe880c26341dcaaed413

Neshta

aae66e4930de3e86e7a4095dbba08680278f96f570a0d116e4616c12492a3073

Neshta

ba66dd24d4e15ad89e20c99cc4fc7dbbdd429299e0edd1a36be467d98334a30a

Neshta

f491ca92789db4ebf58c5107059fd90616472d55a8ee51734cb9b77d89d0a7e3

Neshta

+ 285 additional samples on MalwareBazaar

Result

Malware family:

neshta

Score:

10/10

Tags:

family:neshta persistence spyware stealer

Link:

https://tria.ge/reports/220620-rf46aafhh8/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Modifies system executable filetype association

Neshta

Unpacked files

SH256 hash:

ddda60d1e3fa833ce9bc480cbd5cbabb28d2902f7ab20c842a6bc73dab1ec293

MD5 hash:

3d339653a024ebb3969829307400a392

SHA1 hash:

7e2cee7f0a5d607583389b16887c46829abc36e0

Detections:

win_neshta_g0

Link:

https://www.unpac.me/results/2f0923b8-24e7-4e68-9048-fbbf8f500c00/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ddda60d1e3fa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/ddda60d1e3fa833ce9bc480cbd5cbabb28d2902f7ab20c842a6bc73dab1ec293

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	MALWARE_Win_Neshta Create hunting rule
Author:	ditekSHen
Description:	Detects Neshta

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	MAL_Neshta_Generic_RID2DC9 Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

exe ddda60d1e3fa833ce9bc480cbd5cbabb28d2902f7ab20c842a6bc73dab1ec293

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2236164/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/281644/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample