MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neshta

Vendor detections: 15

Intelligence 15 IOCs YARA 12 File information Comments

SHA256 hash:	fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a
SHA3-384 hash:	72dc5639b1699a8bd3d40542a0ffdad3a14570ad0cee95a840d2e951462d631e65c0fd3ab49259c35c89d9a76abf347e
SHA1 hash:	49694133876acbe35f5493d99a967089ea1cc17a
MD5 hash:	9762ce69c2bf80bf5ffd1029ac0b11ec
humanhash:	fruit-three-william-cat
File name:	SecuriteInfo.com.Win32.CrypterX-gen.29753.1239
Download:	download sample
Signature	Neshta Create hunting rule
File size:	745'984 bytes
First seen:	2024-04-16 02:18:22 UTC
Last seen:	2024-04-18 20:34:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:LxyXRz/I7vByWqTBAdLh9pyEpF/6AJdrWZE1uSRHC6ZDV0xhB01/6NIMt4vv+Kyb:L0Q7vByOTzJRWZeRiMV0DBLNIMaGKy3L
Threatray	7 similar samples on MalwareBazaar
TLSH	T1BAF4120871BBAF6AD77D07B54A2268104B7938B71877D61F0FC160C71A7AB848B41FA7
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	004000c8c8004000 (6 x AgentTesla, 6 x Formbook, 4 x Neshta)
Reporter	SecuriteInfoCom
Tags:	exe Neshta

Intelligence

File Origin

# of uploads :

# of downloads :

482

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a.exe

Verdict:

Malicious activity

Analysis date:

2024-04-16 02:19:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2d4a8b42-f084-40da-b1f9-7cd6a9b6dd6b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Moving a file to the Program Files subdirectory

Replacing files

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade obfuscated packed

Link:

https://www.filescan.io/uploads/661de018b575a100a22ff627/reports/37d3d514-3118-4bee-a04a-f35764cc175a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

StrelaStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5f5d3c8d-cd22-4f18-ab73-36e77ad3f528

Result

Threat name:

AgentTesla, Neshta

Detection:

malicious

Classification:

spre.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1426423

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Drops PE files with a suspicious file extension

Found malware configuration

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Neshta

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-04-16 01:31:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7r6jyzgqqapwn4roujmgooysw47tsk4vrtzy3pyuimw43mydpzna._file

Verdict:

malicious

Neshta

aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109

Neshta

fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a

Neshta

Result

Malware family:

neshta

Score:

10/10

Tags:

family:neshta persistence spyware stealer

Link:

https://tria.ge/reports/240416-crvnnagh51/

Behaviour

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Modifies system executable filetype association

Reads user/profile data of web browsers

Detect Neshta payload

Neshta

Unpacked files

SH256 hash:

0e9bdd633fd83954ae26c72d8d7fe05df617c7b832e7ec92e7997b4cf7e8b97b

MD5 hash:

c1585d4c27862db9356328aadda2cfa6

SHA1 hash:

ad46e3eb13770d43d7623af174633a06af12e96f

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/0234e784-3426-4775-875f-f601d5d4b546/

SH256 hash:

d69e015c3dd8d67d816a815e1e26ba9a5924206f6e1adfaa6a905fe2239f1281

MD5 hash:

b5652cd08e938279318f5cdd5f7a94e7

SHA1 hash:

aa0129d894c988239b8235cf085851b80d4f7537

Link:

https://www.unpac.me/results/0234e784-3426-4775-875f-f601d5d4b546/

SH256 hash:

980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

MD5 hash:

36fd5e09c417c767a952b4609d73a54b

SHA1 hash:

299399c5a2403080a5bf67fb46faec210025b36d

Detections:

win_neshta_auto

win_neshta_g0

win_neshta_1

MAL_Malware_Imphash_Mar23_1

MAL_Neshta_Generic

MALWARE_Win_Neshta

Link:

https://www.unpac.me/results/0234e784-3426-4775-875f-f601d5d4b546/

Parent samples :

6f7a133591129c585c8f2e64f359c6b19158e1772c7ce2a8e49b4ebe672a86cb
6c698bf3490ab6453d37400d05324e2186754ec6b22d7a62fa424d5793599d4b
ac9a8babed0c6938fc6a4218376339223faad8ce24cb38497b6377664867b2a0
d5e739d5b929d725d105c7f3f86cc7fb6466a909d44dabfcec4cece348f985c4
a39d375b4498174ca49f07d6bc5a152d34bbb3b7681b209125f2a1c7a8b01185
29fcb7e81428cb4cd932ccaf2ed0f61ef9d47853605c153a6de503d54009f11a
19a595917039b249ebebe0e98a532a61585b0a4189bdb44a28c73523feed14da
6ffd13100e26b005774349e84e514bc84391682d9a20e1a46862a3e7599bad7a
4b9c39b0624ed5da7d8ffeb5b8de89562a0ba2db40e4899160fdd1e51efa63ea
9ba99db4c643c7b335b73fd5c52062f25f1699cda426b09710db4e0337360e97
563d0226f3ff043014f86d780778fc6bbae2193e46137271d586ca3d83da34af
b4e70946128b7c45e4e6404714ca40df679ed0b6ac5157533c953196d96daa41
cc29d221864706dcc32aff35a4a7a246c310aa7fd8fd4cb254ad36fb415fe3ff
e82473f02711056cbcda98d22a858d95c6cf574c17ee77ea62db86e405ff6e77
3ba615a4d99b560c58bed9e63c8ecd2c20dbc71560ec1fe51ca2b78a6b8309e6
1aae387dce8782d2f58887aa73dd970e51656c72ada983fb040989656a6dc47e
a89bc5bfb93026e56434c1354508dfa0a66821d35f522429582067fc7f9200cc
e1b0ef4dd27c829683569165d98c902a8ed2f2eaa95b1540c6430f5ea3be0b3f
de544199796705d18dad9dcf238c7c96de3fc8c793057cad94e319527af9c7bd
b8344e9c1ee03f949c70959828a08e1f73f198d58e6721b95676d54a7e6cb6be
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
ab9f07758d73614eb4b307ffe5f88e28c62ffdb94a011874dcc2e992fd0e2ca0
5597878b9d511ad8a3e93423174ce90b689523fb00912e93bc704db788539ec8
0fb3c7511c6494252676592eea6db4da4bc89977c066a5e4f7ea599c3c9ad8d5
42b3efec41088a0afd2cc17e038169dd572baa116aa734a427012d39917f4107
b0bd95ea0aa5de9849e555fc8a62f51e1406c6b4dc890ce9a63c9807184d9f0b
d02c7e238675ed340d700e865360567a92cece2754486e033a7957f7f0b33a22
d48ba61686bed9bcd76c92cca9e720d9afd6695b4ac2e62b5772af8367fff20f
4547a55c5799f4434e76b02424f0b4af53ddcf29969771247b75fcf8e90575c2
3597bda69b3968446d1b4be9472f97f89c0243f129fa2a98cbd5683d4002197d
2a0d6ebfcca611f4249d12ea9fbf3b8bf44729d9db9ecfd0f43c72946febca24
36755da9fd84d9bd9f02f1c36bdfd5d1ba1fd28c748e337b7abc30421fd44fb4
b50f7c365160c6134ce71e97e646d8245761687aa431a31a12423daf6cf33012
889c2ec3e88c2a47de4bcc6d88cb74d21a01088330fb240788c81968ba16155b
909ce4ede18938d21f1c4477be2798c4d985fb045ca3be6201f01d43dc2ca6f2
a5b2cf3be1088ad8088d4ef2919e5fe672ce85b89c7c94f17b0fe2240836aec8
abbda703c3fba08e50f339b1b449ec85382c224772d0e95e9ed4bfa8e6a2106a
5d24735ea4e2f2b2359092ab77bf69477ace086f2ed8de754931e3024fc94eac
b5aa1fa3949badd59b3c1a6f5a838c8eadf639c4199b7238179f0de512383217
6b21b5a3b4624e1ad6ac6a8a28d21bf16131fdec95341fa2ac04ea9824b50d75
f8d91c8bc33c75ab7794e0c0a8498110cf03403daed2caf77a47975402be2e48
aefd458ffd4dd6fd5e7e713cc025439012265d4d8bab169c42d2daf98d8afcd9
46ca293c1bc89688a030ebdcac400a501551743160d99dbc919f800e41577e09
bb741e7ac48085e964e7fdfbd19b97a7376712b09c540a95c9a5f1872034908b
393d94791809b4059141bd1d6de789b431a71eb544bc7f7b0d7a1700c042ece5
f94903b0a50cc5c472b19dbceefb98e9f433f1e8fa9cb0a6f98ffca8dc609d5e
792d13b4f3887733a5ca23c9cb7f8f10186a796fb05891b4ff978cb526832ca0
4edbfbe670bdb8f0b1d0f8deebf86c5bb3444fde69fbfb743ee56fbef2ac5d7d
e8a9d29b01c2dde67df8e2ea6aba968af3ff2a7a1adc151c8773615fd6dc9ed0
24d0e610a636a4c010111cc724c2c5df4923885a02356fdeb22f5e13a5485b6c
449885db82a87d3151e04067039b2d07d8a844e0670842a2f739d493ebe6d1b1
950754e261538834ac3563cd3d382b5f1ed40acdcbb17b775ee158e10c827d5b
f8d79678441dd167be899e3b07fff98b7f39985c73e1207ae0a5dc855edb8344
8dba5c25c8f19e2be8aed3c06fd0fc679abeec44bd70c96f7193b04a5196bda8
7cf16fa9b84052ebac0f1752fd4cb2a9ffc8ffafc757f785376f2bde6fb554a5
995a51be969ea8a589668c591764d0675368c72f46539744babd58722a4c73c9
9de15a5c7e9cdefb9a48de4039027de8687838849d9588434564a343d15a9355
a867eb46763ccee8962f882a1cb2cdca5bb654881c4e2c4a20bd88713ba8818a
83a4b6cd0fa89d77f39c1ac7e3ecf5260bd7bffa07ab30fc6c7ab17e87525e39
73538ff2e8e3a4243c071eb7007086eea884c19db8e6bb92f6889eede28134d7
b63557e2a7e7fd2c0fc2e0d5084da08d62586963b22ad22e6b683fb9ee2934c5
68244f7b16e355e88f752ab26bd7290c019fad11d862754e9b5789ca15c263f1
ac5cec58b7bf1c35c562556c984e15b057ba8b3224559f1cc523ea9b70b53354
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
331d7e76582739e0f13e1405aced8b89f977a595c80c2e481ae74b4189141760
425f76eb82d3accf2865ff9f455a49675c2ca3f273ade57fd865c8fec5163f1e
a5c3adbc3170961645549d41320184a231c0eef43e2c5eea71f235bb4e273d89
377e4f1424a442481aaf05cc99550f80ca5a889bd904f44e04963244274eaaec
2c39793aee8f8966937d52468306f422151978e4b43d665a09f78e5c91fe5401
f9c6d61e21bab262adb55358862e97b2c0cd9b13a6a73129510f24a917558911
0737b4a17fda7c3b5ffe49d1f33da4b1789d0f3b7c77a54113d6136f1672782a
b68cdf9834d06557781bf09a5b3d4dabc3d6d2e1aa18aa42b1a0d42545e8a3d9
b17caccff755c664135937e36fdb567dbae543833983b6168bedbd827c99a9e1
201cffe8bf2c15a804167c67d2a095ff655829395cb54b5c3d3c4d038efde920
dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109
849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a
179e9673e3cbfd035d528f744f3eb88c65583089bb78d744f2c380be3bf3540a
75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9
6dd5d1309948dac371cf1cc1083f758ea313161d8658d9d3842e3f908bd280d5
1dbfb91bb378374fbc436b301cc481f6b32c53cfcb5dd3c3ab1eee2460e4bafe
d2fe22f934f6a5445d64e90c88d01a21793f80b0756d520e2d5744cd081193e1
083f671bdfa7b080edff7dc531e68b5179f0adf3109bc5509952209d4c6bffd1
a09effbe070813fd8998f3d09fa1211860faf38f174f3505b0325a9cfae303a5
35845d281a91dae79912a7238697c8b1d074bbff2785b621e0836f7c01d80b6e
5ba9c0369672e2fc6bfe9a4ab55d9c472338990d852c174329200b9771fa1093
cc08d15b67fcc5ed8b92f3360e06e9cf229da6ecb0a887f9ae90243e3288692f
d4f4ad6ea2e448166edde53a24011ddc5c4e870f7c571f9dd5e390e582ca3d33
fc6e2360ec42b0162ca6c115a87359ddb884735669a408df62d03a695554d934
9fad5596477c55d73ef0cedfa3211853f95418dc465c11c14cc3182ceaa1527b
91712842d53fd2c6b1e8f6aafec4a738c6f5a91ecc6849d813c857245a709682
15a7845256801920c72d8eb0b8be091fc8e6bc2461bf1cc53db2cf2b3c76b315
8734c94b5ebc9260065d6ac359500b8f17f290be6c74bb72b9c0cacccf9b7d63
a9d818bc38d2a84ff40e54a062a9fba01a0648300fb1a892432547bc5b85e158
4d934eff240fdf3c222505a546d8fb8c682a3affb70e4a85c635f607a47d8b1a
aead1f538ae65044f17554b188d4d1f88d7c4840bb554f3d70a2fe3ab86f6abf
e273e5e8948330a86519152bc6124971886a15758419d97953187b92b930fbb7
c1d59d4290604980ef30e6b5635108258a206354814ab0b447a2c70f9c7b9cd7

SH256 hash:

99bc976930f766a3d9457c46420f1a536ed2c30083b32a2ed1b1af8d82943302

MD5 hash:

67d8c743bd1b2c927182bd03ca69f803

SHA1 hash:

0cf0de94c7e7ec14b06cb6a2f3f8af7c423e77ce

Link:

https://www.unpac.me/results/0234e784-3426-4775-875f-f601d5d4b546/

SH256 hash:

fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a

MD5 hash:

9762ce69c2bf80bf5ffd1029ac0b11ec

SHA1 hash:

49694133876acbe35f5493d99a967089ea1cc17a

Link:

https://www.unpac.me/results/0234e784-3426-4775-875f-f601d5d4b546/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fc7c9c64d080/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	MALWARE_Win_Neshta Create hunting rule
Author:	ditekSHen
Description:	Detects Neshta

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	MAL_Neshta_Generic_RID2DC9 Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Virus_Neshta_2a5a14c8 Create hunting rule
Author:	Elastic Security

Rule name:	win_neshta_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neshta

zip e1bfcefa81d738c9cccd256d39be3ec4f4663e7d045e47bee08871482be3e3db

Neshta

exe fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a

(this sample)

Dropped by

SHA256 e1bfcefa81d738c9cccd256d39be3ec4f4663e7d045e47bee08871482be3e3db

Dropped by

MD5 a5f8c4a6e0d0a9729773be1c730aa7c7

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample