MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe31f9f04529e00c72d2b8957d0ed1e4031c463b0850a68b04310b03827c6120. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe31f9f04529e00c72d2b8957d0ed1e4031c463b0850a68b04310b03827c6120
SHA3-384 hash: 8d8b5fd36f3c98b8f25418a545aa25e2132125b14f2c8f77a97bd860e7b246a9c51ee2bfc851de3b8a3b316a5b28b364
SHA1 hash: 384d81b5dbf1b4333d3898c9352b111bb5413d5b
MD5 hash: 527501864f0fec233ec4eb0d1382e7ed
humanhash: fish-snake-blossom-mango
File name:527501864f0fec233ec4eb0d1382e7ed.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:288'919 bytes
First seen:2021-11-24 19:31:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGijCLluy0JCkI0INsbqb6vyMj8ZKhPFwbI0ej+dd3GZxoLGR2qOL:falSk6CsbHvDAZWl0fd3GkDn
Threatray 205 similar samples on MalwareBazaar
TLSH T1EF54230B52C49FF7C79B473306B376BCD77AC898516A4AA717F02F3A5D7368A1006582
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
527501864f0fec233ec4eb0d1382e7ed.exe
Verdict:
Malicious activity
Analysis date:
2021-11-24 20:50:49 UTC
Tags:
installer
Link:
https://app.any.run/tasks/5e69fc7e-6685-44d0-8654-1abab1e73b20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Creating a file in the Windows directory
Modifying an executable file
DNS request
Creating a file in the Program Files subdirectories
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/619e9337f36138de3f3a75bf/reports/5223faee-03ad-482c-bdf4-72bc479041f2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5093c77e-801a-480f-b448-9078a3b515cc
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/895733
Signature
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe31f9f04529e00c72d2b8957d0ed1e4031c463b0850a68b04310b03827c6120/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-24 11:57:35 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
16f75019c7de5d79c259d4b1f1003938bd6449ce3c49b28d6320bb43dd6bd82a
Neshta
21260151f07549ff5e1dc07ca6281d3fa876483f1dd014afde823fa0a0e0a1a2
Neshta
232f876999f6681e26051a522b6f2a73668c407b499f4bd5a0b64236dce25a1f
Neshta
511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da
Neshta
6abec81da375b886b6e0fe09360f68980fcc3f51f00dbcdaf3a7945420e73b57
Neshta
8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06
Neshta
997d1ffb13955190f89d7d6c712af1d2b8988cffdda524963f0963b4eb761d5a
Neshta
99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
Neshta
bd0eb6fff38b72907c56ad02467144b61744a7d24a054ce14eddf779854180ca
Neshta
+ 195 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/211124-x8y3madedp/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Reads user/profile data of web browsers
Modifies system executable filetype association
Neshta
Unpacked files
SH256 hash:
fe31f9f04529e00c72d2b8957d0ed1e4031c463b0850a68b04310b03827c6120
MD5 hash:
527501864f0fec233ec4eb0d1382e7ed
SHA1 hash:
384d81b5dbf1b4333d3898c9352b111bb5413d5b
Link:
https://www.unpac.me/results/866e07e4-a6ea-404a-85e5-bc44e1126634/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fe31f9f04529/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/fe31f9f04529e00c72d2b8957d0ed1e4031c463b0850a68b04310b03827c6120

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe fe31f9f04529e00c72d2b8957d0ed1e4031c463b0850a68b04310b03827c6120

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1809274/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/209157/

Comments