MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9a6b4115e1a143cd4d36fc7a0ef2edd53f18ac454a4576e726b6ce3221b8a46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 7



SHA256 hash: f9a6b4115e1a143cd4d36fc7a0ef2edd53f18ac454a4576e726b6ce3221b8a46
SHA3-384 hash: d885e0f20a52e5ebe8c8e42711e600344f8a0b5ddb9fee91fb4d9ea667f3c20df71f125bd26e17918a2a56e606158035
SHA1 hash: 355b6aa591a635766da555b1f06f5d4ed7f0f2c1
MD5 hash: bd405c68074283dbf3e4dbdff708b38c
humanhash: music-beer-charlie-india
File name: order SL2401-545.img
Signature: Neshta
File size: 1'441'792 bytes
First seen: 2024-07-14 07:40:49 UTC
Last seen: Never
File type: img
MIME type: application/x-iso9660-image
ssdeep: 24576:Z3tCNVECr4YOprbXj64us/OboCCk8C0CaV2:Z9CNZyprbXG4ujo5k8C0bV
TLSH: T1C465015537B84F23F0BD57F69861640413F9B9266932E38D2DDA60CE1B66F404E02FAB
TrID:
  47.7% (.ISO/UDF) UDF disc image (2114500/1/6)
  46.2% (.NULL) null bytes (2048000/1)
  5.7% (.HTP) HomeLab/BraiLab Tape image (256000/1)
  0.1% (.ATN) Photoshop Action (5007/6/1)
  0.0% (.ISO) ISO 9660 CD image (2545/36/1)
Reporter: cocaman
Tags: img Neshta


cocaman
Malicious email (T1566.001)
From: "Hasegawa Takaaki <hasegawa@sincere-inc.co.jp>" (likely spoofed)
Received: "from sincere-inc.co.jp (unknown [135.125.217.198]) "
Date: "10 Jul 2024 10:58:39 -0700"
Subject: "Re: New Order-SL2401-545 SINCERE"
Attachment: "order SL2401-545.img"

Intelligence


File Origin
# of uploads: 1
# of downloads: 238
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: ORDER_SL.EXE
File size: 837'632 bytes
SHA256 hash: 61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e
MD5 hash: 23e6c75cd60aae58526c9bd734324ddf
MIME type: application/x-dosexec
Signature: Neshta
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: borland_delphi context-iso fingerprint lolbin masquerade neshta overlay packed shell32 virus

Result
Verdict: MALICIOUS
Threat name: Win32.Virus.Nestha
Status: Malicious
First seen: 2024-07-10 15:06:00 UTC
File Type: Binary (Archive)
Extracted files: 2
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Borland
Author: malware-lu

Rule name: MAL_Malware_Imphash_Mar23_1
Author: Arnim Rupp
Description: Detects malware by known bad imphash or rich_pe_header_hash
Reference: https://yaraify.abuse.ch/statistics/

Rule name: MAL_Neshta_Generic
Author: Florian Roth (Nextron Systems)
Description: Detects Neshta malware
Reference: Internal Research

Rule name: MAL_Neshta_Generic_RID2DC9
Author: Florian Roth
Description: Detects Neshta malware
Reference: Internal Research

Rule name: NET
Author: malware-lu

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

img f9a6b4115e1a143cd4d36fc7a0ef2edd53f18ac454a4576e726b6ce3221b8a46 (this sample)

Delivery method: Distributed via e-mail attachment

Dropping: Neshta
