MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 16


Intelligence 16 IOCs YARA 14 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
SHA3-384 hash: 99666709800d31b47e6f164034440f996f85d75303c796b0c47b937f0a24780e269526fc9d349bedceeb2b90f3db2bbf
SHA1 hash: 655c06920e5f737b0a83018acbab4235b9933733
MD5 hash: 63e601878d77aeba4ba671307f870285
humanhash: golf-louisiana-two-magazine
File name:63e601878d77aeba4ba671307f870285
Download: download sample
Signature Neshta
Create hunting rule
File size:359'424 bytes
First seen:2023-12-12 03:49:44 UTC
Last seen:2024-01-13 00:59:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d7401947d3623a2199a2114d62923cd5 (2 x Neshta, 2 x XWorm, 1 x Sality)
ssdeep 6144:jyH7xOc6H5c6HcT66vlmr641MkjVxvb1UeRUqptyH7xOc6H5c6HcT66vlmr3UeRw:jaPkPOezaXe/aXek
Threatray 77 similar samples on MalwareBazaar
TLSH T1A7749D2526D08D3DE87F2AF715F81B53C77BECB17904D04E4BE0699A26322D0D96872B
TrID 63.7% (.EXE) MinGW32 C/C++ Executable (245239/59/22)
10.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
8.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.4% (.SCR) Windows screen saver (13097/50/3)
Reporter zbetcheckin
Tags:32 exe Neshta

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/466299/
Detection(s):
Win.Trojan.Jeefo-3
Create hunting rule

PUA.Win.Packer.Devcpp-2
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.Jeefo-1
Create hunting rule

Win.Ransomware.Hiddentear-6841450-0
Create hunting rule

Win.Adware.Downware-406
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the Windows directory
Creating a process from a recently created file
Modifying an executable file
Restart of the analyzed sample
Creating a service
Launching a service
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Creating a file
Creating a file in the Program Files subdirectories
Enabling autorun for a service
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm apt blackworm cmd control explorer keylogger lolbin neshta njrat overlay packed schtasks shell32 stealer virus worm
Link:
https://www.filescan.io/uploads/6577d86b855eb2633d675c03/reports/1e536581-5de6-4598-8cbd-eb85ffa6508d/overview
Verdict:
Malicious
Labled as:
Jeefo.A
Link:
https://www.hybrid-analysis.com/sample/ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Jeefo
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e46314f-8732-4276-99e1-6383e9763def
Result
Threat name:
Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1359528
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1359528 Sample: 1QWuKDSrfN.exe Startdate: 12/12/2023 Architecture: WINDOWS Score: 100 84 www.google.com 2->84 86 shed.dual-low.part-0013.t-0009.t-msedge.net 2->86 88 16 other IPs or domains 2->88 100 Malicious sample detected (through community Yara rule) 2->100 102 Antivirus detection for dropped file 2->102 104 Antivirus / Scanner detection for submitted sample 2->104 106 5 other signatures 2->106 15 1QWuKDSrfN.exe 1 2->15         started        19 svchost.exe 2->19         started        signatures3 process4 file5 74 C:\Windows\svchost.exe, PE32 15->74 dropped 90 Drops PE files with a suspicious file extension 15->90 92 Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS) 15->92 94 Drops PE files with benign system names 15->94 21 svchost.exe 15->21         started        76 C:\Program Files\...\helper.exe, PE32 19->76 dropped 78 C:\...\maintenanceservice_installer.exe, PE32 19->78 dropped 80 C:\Program Files\...\MavInject32.exe, PE32 19->80 dropped 82 6 other malicious files 19->82 dropped 96 Drops executable to a common third party application directory 19->96 98 Infects executable files (exe, dll, sys, html) 19->98 signatures6 process7 file8 62 C:\Users\user\Desktop\1QWuKDSrfN.exe, PE32 21->62 dropped 112 Found evasive API chain (may stop execution after checking mutex) 21->112 25 1QWuKDSrfN.exe 4 21->25         started        signatures9 process10 file11 64 C:\Windows\svchost.com, PE32 25->64 dropped 66 C:\Users\user\AppData\Local\Temp\chrome.exe, PE32 25->66 dropped 68 C:\Users\user\AppData\...\1QWuKDSrfN.exe, PE32 25->68 dropped 70 89 other malicious files 25->70 dropped 114 Creates an undocumented autostart registry key 25->114 116 Drops executable to a common third party application directory 25->116 118 Infects executable files (exe, dll, sys, html) 25->118 29 1QWuKDSrfN.exe 25->29         started        signatures12 process13 signatures14 122 Drops executables to the windows directory (C:\Windows) and starts them 29->122 32 svchost.exe 29->32         started        34 1QWuKDSrfN.exe 29->34         started        process15 process16 36 1QWuKDSrfN.exe 3 3 32->36         started        40 svchost.com 34->40         started        file17 54 C:\Program Files (x86)\...\Uninstall.exe, PE32 36->54 dropped 56 C:\...\MicrosoftEdgeUpdateSetup.exe, PE32 36->56 dropped 58 C:\...\MicrosoftEdgeUpdateCore.exe, PE32 36->58 dropped 60 69 other malicious files 36->60 dropped 108 Drops executable to a common third party application directory 36->108 110 Infects executable files (exe, dll, sys, html) 36->110 42 svchost.com 36->42         started        46 1QWuKDSrfN.exe 40->46         started        signatures18 process19 file20 72 C:\Windows\directx.sys, ASCII 42->72 dropped 120 Sample is not signed and drops a device driver 42->120 48 svchost.com 46->48         started        signatures21 process22 process23 50 1QWuKDSrfN.exe 48->50         started        process24 52 svchost.com 50->52         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29/
Threat name:
Win32.Virus.Jeefo
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 07:04:38 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
36 of 37 (97.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5qxmthlrttg6hfzkxng3b34d5lteml2gs6dbkkpk2i6tatcspuuq._file
Verdict:
malicious
Similar samples:
1aae387dce8782d2f58887aa73dd970e51656c72ada983fb040989656a6dc47e
Neshta
997d1ffb13955190f89d7d6c712af1d2b8988cffdda524963f0963b4eb761d5a
Neshta
a89bc5bfb93026e56434c1354508dfa0a66821d35f522429582067fc7f9200cc
Neshta
b0bd95ea0aa5de9849e555fc8a62f51e1406c6b4dc890ce9a63c9807184d9f0b
Neshta
de544199796705d18dad9dcf238c7c96de3fc8c793057cad94e319527af9c7bd
Neshta
e1b0ef4dd27c829683569165d98c902a8ed2f2eaa95b1540c6430f5ea3be0b3f
Neshta
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
Neshta
f8d91c8bc33c75ab7794e0c0a8498110cf03403daed2caf77a47975402be2e48
Neshta
+ 67 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/231212-edxl7sfgb3/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Detect Neshta payload
Neshta
Unpacked files
SH256 hash:
d5ece52a71f0de749b31eb99c506c8b9147f2b690b1f85a88c1ad0357540a6a9
MD5 hash:
b01db2780c5a1bbeb3b76e97eb5ea754
SHA1 hash:
c75b2d4e0c81fb42ccf8b6d7da6e3134b480c7dc
Detections:
win_neshta_auto
Create hunting rule
win_neshta_g0
Create hunting rule
win_neshta_1
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MAL_Neshta_Generic
Create hunting rule
MALWARE_Win_Neshta
Create hunting rule
Link:
https://www.unpac.me/results/229d7f19-3157-4896-91f5-c259a50f4307/
Parent samples :
811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
4dcd84003dc7b4d627193ce18034c71a3ee35980495d755d9bcf80a672eb544e
2e5b9ebfb2b81c5e512248e2e9224d1054defc4b027c0108fc10d268312ce290
68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150
640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311
313cabf464e7edf69744f94c3ea234fbb5d7b99daf2aff5492131a4ca9d08e00
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718
a6077288d1353daaab0bf9092c357cd7f0712537def3ff3be60fa68da4e436ac
SH256 hash:
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
MD5 hash:
63e601878d77aeba4ba671307f870285
SHA1 hash:
655c06920e5f737b0a83018acbab4235b9933733
Detections:
win_neshta_1
Create hunting rule
MAL_Neshta_Generic
Create hunting rule
MALWARE_Win_Neshta
Create hunting rule
APT_ArtraDownloader2_Aug19_1
Create hunting rule
Link:
https://www.unpac.me/results/229d7f19-3157-4896-91f5-c259a50f4307/
Malware family:
BlackWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ec2ec99d719c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_ArtraDownloader2_Aug19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects ArtraDownloader malware
Reference:https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
Rule name:DevCv4
Create hunting rule
Author:malware-lu
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_ArtraDownloader2_Aug19_1_RID30FB
Create hunting rule
Author:Florian Roth
Description:Detects ArtraDownloader malware
Reference:https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:VideoLanClient
Create hunting rule
Author:malware-lu
Rule name:W32JeefoPEFileInfector
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2739713/
Cape
Cape
https://www.capesandbox.com/analysis/466299/

Comments


Avatar
zbet commented on 2023-12-12 03:49:45 UTC

url : hxxp://cms-sh.de/1/stub.exe