neshta | 2b33c66f91c7c4906a9f2b30b9e91a4d96fe79e49fdc69f9a4a68c0f4a4eb4b4

Sharing

Copy URL

Twitter E-mail

General

Target

2b33c66f91c7c4906a9f2b30b9e91a4d96fe79e49fdc69f9a4a68c0f4a4eb4b4
Size

129KB
MD5

e567caa2d14fea5c814428dcfbebe4c2
SHA1

74d6a5894887bf0c033c9fb11d6b022f203d8a1d
SHA256

2b33c66f91c7c4906a9f2b30b9e91a4d96fe79e49fdc69f9a4a68c0f4a4eb4b4
SHA512

dc7944682c5665a3c036f8c53681a6a4692642d06b1d35b29116b90be9e8b116eaf00c011038bafd328a4523ac535fc684cb30694633bdc2a159dac64d3d8f28
SSDEEP

1536:tv6BX1RkCqQ3newBN9cCWgSpOjMYDg112QJHVsW2bFcdDLCVa4v3ghsOxqjQ+P0:tCnewn6D3pOgYDu2wW0DLCVa4vRr85C

Score

10^/10

neshta

Malware Config

Signatures

Detect Neshta Payload 1 IoCs

Processes:

resource yara_rule

sample family_neshta
Neshta family
neshta

resource	yara_rule
sample	family_neshta

Files

2b33c66f91c7c4906a9f2b30b9e91a4d96fe79e49fdc69f9a4a68c0f4a4eb4b4
.exe windows x86

43a420be92d431ee84a0d643143d18d8

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

49:8c:14:de:6a:22:18:66:fc:75:7a:1f:35:a8:4f:9e
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

08-06-2016 00:00

Not After

06-05-2019 23:59

Subject

CN=Bomgar Corporation,OU=Remote Support,O=Bomgar Corporation,L=Ridgeland,ST=Mississippi,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

66:9f:fc:8b:66:98:1e:61:08:68:84:57:31:9d:15:96
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

05-02-2016 00:00

Not After

06-05-2019 23:59

Subject

CN=Bomgar Corporation,OU=Remote Support,O=Bomgar Corporation,L=Ridgeland,ST=Mississippi,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10-12-2013 00:00

Not After

09-12-2023 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

12-01-2016 00:00

Not After

11-01-2031 23:59

Subject

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6
Certificate

Issuer

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

02-01-2017 00:00

Not After

01-04-2028 23:59

Subject

CN=Symantec SHA256 TimeStamping Signer - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

d9:bc:6d:65:e8:7a:f2:44:7f:03:6b:da:fb:a0:fb:3d:ad:a3:44:92:98:67:0c:b5:de:74:aa:48:37:69:62:65
Signer

Actual PE Digest

d9:bc:6d:65:e8:7a:f2:44:7f:03:6b:da:fb:a0:fb:3d:ad:a3:44:92:98:67:0c:b5:de:74:aa:48:37:69:62:65

Digest Algorithm

sha256

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Bomgar Corporation,OU=Remote Support,O=Bomgar Corporation,L=Ridgeland,ST=Mississippi,C=US

21-06-2017 03:36
Valid: false

d9:8a:b2:dd:04:f3:4b:1d:45:a9:11:23:bb:aa:dc:67:f9:43:10:42
Signer

Actual PE Digest

d9:8a:b2:dd:04:f3:4b:1d:45:a9:11:23:bb:aa:dc:67:f9:43:10:42

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Bomgar Corporation,OU=Remote Support,O=Bomgar Corporation,L=Ridgeland,ST=Mississippi,C=US

21-06-2017 03:36
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCommandLineW
OutputDebugStringA
OutputDebugStringW
CloseHandle
GetLastError
ExitProcess
GetCurrentThreadId
CreateProcessW
GetStartupInfoW
FreeLibrary
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
LocalAlloc
LocalReAlloc
LocalFree
lstrcmpiW
lstrcpynA
lstrcpynW
lstrcatW
lstrlenW
LoadLibraryW
CreateFileW
DecodePointer
WriteConsoleW
SetFilePointerEx
GetConsoleMode
GetConsoleCP
FlushFileBuffers
HeapReAlloc
HeapSize
GetProcessHeap
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
RtlUnwind
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
GetStdHandle
WriteFile
MultiByteToWideChar
WideCharToMultiByte
GetModuleHandleExW
GetACP
HeapFree
HeapAlloc
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
SetStdHandle
GetFileType
GetStringTypeW
RaiseException

user32

DispatchMessageW
TranslateMessage
GetMessageW
wvsprintfW
wvsprintfA
WaitForInputIdle
CharPrevW

shell32

CommandLineToArgvW

shlwapi

PathIsRelativeW

Sections

.text
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 172B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

43a420be92d431ee84a0d643143d18d8

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

49:8c:14:de:6a:22:18:66:fc:75:7a:1f:35:a8:4f:9eCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

66:9f:fc:8b:66:98:1e:61:08:68:84:57:31:9d:15:96Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12Certificate

Extended Key Usages

Key Usages

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6Certificate

Extended Key Usages

Key Usages

d9:bc:6d:65:e8:7a:f2:44:7f:03:6b:da:fb:a0:fb:3d:ad:a3:44:92:98:67:0c:b5:de:74:aa:48:37:69:62:65Signer

Signature Validations

Verification

21-06-2017 03:36 Valid: false

d9:8a:b2:dd:04:f3:4b:1d:45:a9:11:23:bb:aa:dc:67:f9:43:10:42Signer

Signature Validations

Verification

21-06-2017 03:36 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

shell32

shlwapi

Sections

.text Size: 42KB - Virtual size: 42KB

.rdata Size: 23KB - Virtual size: 22KB

.data Size: 2KB - Virtual size: 4KB

.gfids Size: 512B - Virtual size: 172B

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 4KB - Virtual size: 3KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

49:8c:14:de:6a:22:18:66:fc:75:7a:1f:35:a8:4f:9e
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

66:9f:fc:8b:66:98:1e:61:08:68:84:57:31:9d:15:96
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6
Certificate

d9:bc:6d:65:e8:7a:f2:44:7f:03:6b:da:fb:a0:fb:3d:ad:a3:44:92:98:67:0c:b5:de:74:aa:48:37:69:62:65
Signer

21-06-2017 03:36
Valid: false

d9:8a:b2:dd:04:f3:4b:1d:45:a9:11:23:bb:aa:dc:67:f9:43:10:42
Signer

21-06-2017 03:36
Valid: false

.text
Size: 42KB - Virtual size: 42KB

.rdata
Size: 23KB - Virtual size: 22KB

.data
Size: 2KB - Virtual size: 4KB

.gfids
Size: 512B - Virtual size: 172B

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 3KB