MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f91ab8dca79b2e7b62753fefa457cca98286ba43f4c48ded59fb595e063eb89a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f91ab8dca79b2e7b62753fefa457cca98286ba43f4c48ded59fb595e063eb89a
SHA3-384 hash: 0a0a33412f642917e1380b8be2cb5e411ab035719d29c9e8c3cbc8538f82f6e17d3328bef368234dda94877f0fb9c9cd
SHA1 hash: de3fc615f1feabcca554fe92f3c8396d8e57ccde
MD5 hash: 2a9e8f3f3c78a235c07c29f516d99f5c
humanhash: video-fruit-pasta-salami
File name:Products - 69101000.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:20'480 bytes
First seen:2022-10-04 06:29:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:N+W4rEx3Ox9Njvb9APAv48zLB/WBL7n0uCFEHEziiay9ycyrsR2vZn:PgEIPNPWIvXULb0uAycyrsR2vZn
Threatray 1'345 similar samples on MalwareBazaar
TLSH T168923841A65E92ECC229C67ED4F7FA9017F4E2A2E412CD2FBDD5234B2813317D522646
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter lowmal3
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316344/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62454981.5902.29230.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Creating a file in the Windows directory
Modifying an executable file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633bd2ecdace43a378f427a1/reports/c45b4f3d-8fc8-47b2-b2b3-afb9713c6087/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b52e4170-6a1f-4230-8b8c-5a95872cfd29
Result
Threat name:
Neshta, Remcos
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082999
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Costura Assembly Loader
Yara detected Neshta
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715560 Sample: Products - 69101000.exe Startdate: 04/10/2022 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for dropped file 2->46 48 11 other signatures 2->48 7 Products - 69101000.exe 16 7 2->7         started        12 svchost.com 17 3 2->12         started        process3 dnsIp4 40 192.227.183.152, 49683, 49684, 49686 AS-COLOCROSSINGUS United States 7->40 26 C:\Users\user\AppData\...\Kumwuozvv.exe, PE32 7->26 dropped 28 C:\Users\...\Kumwuozvv.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\...\Products - 69101000.exe.log, ASCII 7->30 dropped 50 Encrypted powershell cmdline option found 7->50 52 Injects a PE file into a foreign processes 7->52 14 Products - 69101000.exe 1 7->14         started        18 powershell.exe 16 7->18         started        54 Antivirus detection for dropped file 12->54 56 Multi AV Scanner detection for dropped file 12->56 58 Machine Learning detection for dropped file 12->58 20 svchost.com 1 3 12->20         started        file5 signatures6 process7 file8 32 C:\Windows\svchost.com, PE32 14->32 dropped 34 C:\Users\user\AppData\Local\...\DismHost.exe, PE32 14->34 dropped 36 C:\Users\user\AppData\Local\...\setup.exe, PE32 14->36 dropped 38 16 other malicious files 14->38 dropped 60 Creates an undocumented autostart registry key 14->60 62 Drops executable to a common third party application directory 14->62 64 Infects executable files (exe, dll, sys, html) 14->64 22 conhost.exe 18->22         started        66 Drops executables to the windows directory (C:\Windows) and starts them 20->66 24 svchost.com 2 20->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f91ab8dca79b2e7b62753fefa457cca98286ba43f4c48ded59fb595e063eb89a/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2022-10-01 13:14:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7enlrxfhtmxhwytvh7x2iv6mvgbinosd6tci33kz7nmv4br6xcna._file
Verdict:
malicious
Similar samples:
7ef24f6499dd9fc7809783a98febc44c2dc25a3f74d02c9bf8ddbae0d3b781c6
Neshta
9131b2d3b37f8533ba4b9e5b5923d4f5289342ae919960c28367a9f9e6d84564
Neshta
b950dcbb1211c4300becf8cf343e287a2bb849d042310ce3aed90e354db2b75c
Neshta
ca943cad4feb48b7da378e205184231cd95928e5dff61300fba10d15b142d333
Neshta
d57321805b57d9a004d652b7d8b00d9045d6940800653374e2a47c7dad2e9196
Neshta
d5d8501413231217f31c6b614fbc4e5cba5ba8cabb6da772e5ed82e484238088
Neshta
f7d30dd28a8fa43fff19f4b71ba5273a60ff7a03ce01643ce958b8f4a02752b3
Neshta
+ 1'335 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/221004-g9glzafhbr/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Detect Neshta payload
Modifies system executable filetype association
Neshta
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c96803e1-cc69-4b7d-983f-0b5a37791fb4
Unpacked files
SH256 hash:
f91ab8dca79b2e7b62753fefa457cca98286ba43f4c48ded59fb595e063eb89a
MD5 hash:
2a9e8f3f3c78a235c07c29f516d99f5c
SHA1 hash:
de3fc615f1feabcca554fe92f3c8396d8e57ccde
Link:
https://www.unpac.me/results/bd4182d7-6aa8-46e4-a4b9-bb9c1ac256d8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f91ab8dca79b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/f91ab8dca79b2e7b62753fefa457cca98286ba43f4c48ded59fb595e063eb89a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

Executable exe f91ab8dca79b2e7b62753fefa457cca98286ba43f4c48ded59fb595e063eb89a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/316344/

Comments