MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f88027fc711019e9d0ee47e50907456f23d8b6dc90472b42ebbb8c1452470bf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f88027fc711019e9d0ee47e50907456f23d8b6dc90472b42ebbb8c1452470bf1
SHA3-384 hash: 3395d7574384bb17a5af575be43e8681c2361c87fe43c007cc7ac8706a0586a14b665b300174c57b50c83048ca1a4615
SHA1 hash: 9b27bf60587df0f927beb3e4445cd3b229bda5ed
MD5 hash: e3cca48835f42c9e02ee1d40b53a955b
humanhash: delta-red-dakota-coffee
File name:JUNE PAYMENT BANK COPY.zip
Download: download sample
Signature Neshta
Create hunting rule
File size:689'674 bytes
First seen:2023-06-26 07:17:52 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:uFC0aWO4Pz2/IIH6bMvNWLFkxRQMWwkFw3Vz1WPqNzg1rmLfRDpFepdtaP:+OWPL2/II0MvNWLC7OXPeGyTEpdtaP
TLSH T141E4236B2FB80130AA0F31B1A0D412A76BB55345FB68E5397E8DDEDC636548813CCDA6
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:Neshta payment zip


Avatar
cocaman
Malicious email (T1566.001)
From: "info <info09@poituox.fr>" (likely spoofed)
Received: "from mail.poituox.fr (unknown [87.121.221.219]) "
Date: "Sat, 24 Jun 2023 02:36:23 -0700"
Subject: "Re: Reservation Booked Payment for June 2023"
Attachment: "JUNE PAYMENT BANK COPY.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:JUNE PAYMENT BANK COPY.exe
File size:1'053'184 bytes
SHA256 hash: 24d0e610a636a4c010111cc724c2c5df4923885a02356fdeb22f5e13a5485b6c
MD5 hash: 45873cf0bedce8a91227dc02ea2785ff
MIME type:application/x-dosexec
Signature Neshta
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Lazy.355307.7716.18615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/f88027fc711019e9d0ee47e50907456f23d8b6dc90472b42ebbb8c1452470bf1/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64993baa76927ec2c00796f9/reports/da2c0d13-c028-4415-a5dd-70f048198a30/overview
Verdict:
Malicious
Labled as:
Troj/MSIL
Link:
https://www.hybrid-analysis.com/sample/f88027fc711019e9d0ee47e50907456f23d8b6dc90472b42ebbb8c1452470bf1
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f88027fc711019e9d0ee47e50907456f23d8b6dc90472b42ebbb8c1452470bf1
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f88027fc711019e9d0ee47e50907456f23d8b6dc90472b42ebbb8c1452470bf1/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-25 02:13:51 UTC
File Type:
Binary (Archive)
Extracted files:
19
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7cacp7drcam6tuhoi7sqsb2fn4r5rnw4sbdswqxlxogbiushbpyq._file
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/230626-mg376ahd45/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Detect Neshta payload
Neshta
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Neshta
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f88027fc711019e9d0ee47e50907456f23d8b6dc90472b42ebbb8c1452470bf1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

zip f88027fc711019e9d0ee47e50907456f23d8b6dc90472b42ebbb8c1452470bf1

(this sample)

Neshta

Executable exe 24d0e610a636a4c010111cc724c2c5df4923885a02356fdeb22f5e13a5485b6c

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 24d0e610a636a4c010111cc724c2c5df4923885a02356fdeb22f5e13a5485b6c
  
Dropping
Neshta
  
Dropping
MD5 45873cf0bedce8a91227dc02ea2785ff

Comments