MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efa78d9ed272969fb2ac62b355f0b9532d20d26ed47d87e3c2d5f1e4b67bbad3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Neshta


Vendor detections: 9


Maldoc score: 11



SHA256 hash: efa78d9ed272969fb2ac62b355f0b9532d20d26ed47d87e3c2d5f1e4b67bbad3
SHA3-384 hash: 8e8648f0eea920bff85350bfd61ba9b3d0978163e762defb146c0ecda87c542658086d368c09a9ad43ec81cd27cdfbd4
SHA1 hash: ec07a60874477f99a7ca4c9e704fbb9a82e72aa0
MD5 hash: 09727593446a5003a833fb6ad80fff68
humanhash: west-magnesium-london-oranges
File name: Facture_17062021.doc
Signature: Neshta
File size: 28'672 bytes
First seen: 2021-06-18 06:23:27 UTC
Last seen: 2021-06-18 06:48:02 UTC
File type: Word file doc
MIME type: application/msword
ssdeep: 192:wDYl3VKM6/6rX3mSBqEvS+ay7JJRIgw7TT50jAIBMtZRa:wDU1iSX3mSBqEIydggIT50jAIet
TLSH: 78D25D03B3D9DE96F65245B24DD3C286762ABC6D9E16C20F33407F0EBCB46718A22795
Reporter: abuse_ch
Tags: doc Neshta

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 11
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 10 sections in this file using oledump:

Section ID   Section size   Section name
1            114 bytes      CompObj
2            4096 bytes     DocumentSummaryInformation
3            4096 bytes     SummaryInformation
4            6940 bytes     1Table
5            376 bytes      Macros/PROJECT
6            41 bytes       Macros/PROJECTwm
7            1805 bytes     Macros/VBA/ThisDocument
8            2462 bytes     Macros/VBA/_VBA_PROJECT
9            514 bytes      Macros/VBA/dir
10           4096 bytes     WordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) from the OLE objects embedded in this file using olevba, and obtained the following information:

Type         Keyword          Description
AutoExec     Document_Open    Runs when the Word or Publisher document is opened
Suspicious   Run              May run an executable file or a system command
Suspicious   CreateObject     May create an OLE object
Suspicious   Chr              May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious   Hex Strings      Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious   Base64 Strings   Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 2
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Facture_17062021.doc
Verdict: Malicious activity
Analysis date: 2021-06-18 06:26:20 UTC
Tags: macros macros-on-open

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: True
Result
Verdict: Malicious
File Type: Legacy Word File with Macro

Result
Verdict: MALICIOUS
Details
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages: Document contains between one and three pages of content. Most malicious documents are sparse in page count.

Result
Threat name:
Detection: malicious
Classification: expl.spre.phis.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Execution from Suspicious Folder
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Neshta
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 436538, Sample: Facture_17062021.doc, Startdate: 18/06/2021, Architecture: WINDOWS, Score: 100. Process chain shown in the graph: WINWORD.EXE -> powershell.exe -> Congress.exe -> Congress.tmp -> firefox.exe -> tor.exe -> svchost.com -> tor.exe; the graph also lists the contacted domain www.energym63.com and the dropped files C:\Windows\svchost.com, C:\Users\Public\Documents\Congress.exe and C:\Windows\directx.sys.
Threat name: Win32.Trojan.Valyria
Status: Malicious
First seen: 2021-06-17 15:37:34 UTC
AV detection: 11 of 46 (23.91%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: macro macro_on_action persistence spyware stealer xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies system executable filetype association
Process spawned unexpected child process
Malware Config
Dropper Extraction: http://www.energym63.com/10451372/cports.exe
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Neshta, Word file doc efa78d9ed272969fb2ac62b355f0b9532d20d26ed47d87e3c2d5f1e4b67bbad3 (this sample)

Delivery method: Distributed via e-mail attachment

Comments