MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635
SHA3-384 hash: deaa3d94fa7f16d741924f6684e5955bc065b9f55ce7aa1a16cee4e194170e26ee881a5a2b2223f419186c0abdce6011
SHA1 hash: 6d89ec633bf1fc506ba796846f1e108543b85756
MD5 hash: d54251187d34bf23efbd1aeb8863fa80
humanhash: twenty-equal-rugby-delta
File name:d54251187d34bf23efbd1aeb8863fa80
Download: download sample
Signature Neshta
Create hunting rule
File size:90'624 bytes
First seen:2022-07-20 19:13:35 UTC
Last seen:2022-07-23 03:52:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 1536:JxqjQ+P04wsmJC7kJgZVclNWRCkorTopzbOOfp:sr85C7rzYCCkorTopzbOG
TLSH T17B938E40B7D0C436E17D0FB8ECB2D244857AF6232D13DAA57CD8189E6E27BC15A065EE
TrID 78.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.9% (.SCR) Windows screen saver (13101/52/3)
3.1% (.EXE) Win64 Executable (generic) (10523/12/4)
3.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Reporter zbetcheckin
Tags:32 exe Neshta

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/292991/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Malware.Generickdz-9865912-0
Create hunting rule

Win.Malware.Enigmaprotector-9874743-0
Create hunting rule

Win.Malware.Enigmaprotector-9881027-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file
Running batch commands
Searching for the window
Launching a process
Creating a file in the Program Files subdirectories
Sending a custom TCP request
DNS request
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26872/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm asyncrat configsecuritypolicy.exe dcrat evasive hacktool mpcmdrun.exe msconfig.exe neshta njrat overlay rat regedit.exe shell32.dll virus windows winlock
Link:
https://www.filescan.io/uploads/62d854777b83f958a969d6fd/reports/54651939-b3d5-416d-82c0-7a031ec3a7c2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4677a1cd-ea10-4318-b827-93e84348b66c
Result
Threat name:
AsyncRAT, DcRat, Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1037866
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2022-07-20 19:14:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4eb4fh3oqns5jsu7qq4dsvlpvln3sbygbw6xch5dcgp6ckkeuy2q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:neshta botnet:default persistence rat spyware stealer
Link:
https://tria.ge/reports/220720-xxm6zsgah2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
Detect Neshta payload
Modifies system executable filetype association
Neshta
Malware Config
C2 Extraction:
widda1.ddns.net:8848
widda1.ddns.net:8828
widda1.ddns.net:22
windda.ddns.net:8848
windda.ddns.net:8828
windda.ddns.net:22
runam.ddns.net:8848
runam.ddns.net:8828
runam.ddns.net:22
winam.ddns.net:8848
winam.ddns.net:8828
winam.ddns.net:22
Unpacked files
SH256 hash:
e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635
MD5 hash:
d54251187d34bf23efbd1aeb8863fa80
SHA1 hash:
6d89ec633bf1fc506ba796846f1e108543b85756
Detections:
win_neshta_g0
Create hunting rule
Link:
https://www.unpac.me/results/99c8e4ec-a468-4742-b685-84c5005bd011/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e103c29f6e83/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:win_neshta_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2259391/
  
URLhaus
https://urlhaus.abuse.ch/url/2259393/
  
URLhaus
https://urlhaus.abuse.ch/url/2259395/
  
URLhaus
https://urlhaus.abuse.ch/url/2259397/
  
URLhaus
https://urlhaus.abuse.ch/url/2259396/
Cape
Cape
https://www.capesandbox.com/analysis/292991/

Comments


Avatar
zbet commented on 2022-07-20 19:13:40 UTC

url : hxxp://102.37.220.234/htdocs/qDQBK.exe