MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6407a39f1b2fb728a40612d6ca8e71d6dc004d9efb569f2f4d351ab693ac6f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	e6407a39f1b2fb728a40612d6ca8e71d6dc004d9efb569f2f4d351ab693ac6f4
SHA3-384 hash:	a739059783b173241cfb78e4c5238a60f032f41fb3c6ec24ebdac0117830c73b90236d90f1939299d8a1aeacd2994ab4
SHA1 hash:	6ba74f52e4e774f5762e99d7f49cc787f28353d4
MD5 hash:	44c401c50cdbecf5f20fffd60e48628f
humanhash:	dakota-red-pluto-romeo
File name:	44c401c50cdbecf5f20fffd60e48628f.exe
Download:	download sample
Signature	Neshta Create hunting rule
File size:	306'514 bytes
First seen:	2021-07-30 06:14:15 UTC
Last seen:	2021-07-30 06:44:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	05152935bf9d81fb98052085f5eb7148 (2 x Neshta)
ssdeep	6144:LWlg4qQdWyIAvEZ023cZ05Pi+xPwIwWFvAKbmWJI8xF7+Or:LQzAyIAvP7iwWyKb1+GqOr
Threatray	4'654 similar samples on MalwareBazaar
TLSH	T19654F113B0C0A0F1D1F344318999EAB6A46EF5110F295C5FF38846B95E3A5E1AD3AE37
Reporter	abuse_ch
Tags:	exe Neshta

Intelligence

File Origin

# of uploads :

# of downloads :

599

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

44c401c50cdbecf5f20fffd60e48628f.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-30 06:25:10 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/3e44d451-0e3c-474e-9e24-3a52b49a20de

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175200/

Detection(s):

SecuriteInfo.com.Generic.Cryptor.X.11335AA9.12187.32697.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6970978b-5805-4a39-822e-f148638acc73

Result

Threat name:

a310Logger

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/824313

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Antivirus detection for dropped file

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected a310Logger

Yara detected Generic Dropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e6407a39f1b2fb728a40612d6ca8e71d6dc004d9efb569f2f4d351ab693ac6f4/

Threat name:

Win32.Ransomware.Cryptor

Status:

Malicious

First seen:

2021-07-30 06:15:06 UTC

AV detection:

12 of 46 (26.09%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4zahuoprwl5xfcsamewwzkhhdvw4abgz562wt4xu2ni2w2j2y32a._file

Verdict:

unknown

Neshta

3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b

Neshta

413cdd0ae3d9ba60b132796a63dad08bea31d309157f5497380ad72cb3b0ae27

Neshta

6116018c9a9550c912fdd717f2f3e811339feb4149012f3a15d40a80a492ab8e

Neshta

89b4067a98c617d7d81350f7b5f5e7d5c2530a766cd42c7d1cb46efac3e9d7ae

Neshta

8a7a54c2c7952b89a9bd9898ee42e52da9aeb17e41a878f2a5236401f3e14efa

Neshta

ab7e2f3d96941792e0be9139f29d555c350123f8be701c6cd0f132c98f351407

Neshta

+ 4'644 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/210730-e2thcnfrs6/

Behaviour

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Reads local data of messenger clients

Reads user/profile data of web browsers

Executes dropped EXE

Unpacked files

SH256 hash:

5e6dc1889ae2e306d7ba0026ab0126db790f5625062b02b40d517dd89d36f721

MD5 hash:

5fc8520e69f1ae660d3b611773d9cd55

SHA1 hash:

05bce1b08196299deb61f2bc162ec6d111049851

Link:

https://www.unpac.me/results/cf095021-fb67-4ffd-bb7c-9151047cace7/

SH256 hash:

e6407a39f1b2fb728a40612d6ca8e71d6dc004d9efb569f2f4d351ab693ac6f4

MD5 hash:

44c401c50cdbecf5f20fffd60e48628f

SHA1 hash:

6ba74f52e4e774f5762e99d7f49cc787f28353d4

Link:

https://www.unpac.me/results/cf095021-fb67-4ffd-bb7c-9151047cace7/

Verdict:

Malicious

Link:

https://colossus.mw.local.vmray.com/user/analysis/view?id=6752430&sub=%2Freport%2Foverview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e6407a39f1b2fb728a40612d6ca8e71d6dc004d9efb569f2f4d351ab693ac6f4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

exe e6407a39f1b2fb728a40612d6ca8e71d6dc004d9efb569f2f4d351ab693ac6f4

(this sample)

Cape

https://www.capesandbox.com/analysis/175200/

URLhaus

https://urlhaus.abuse.ch/url/1490120/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample