neshta | 8737a598aa00cbf1b6329b33e3c22e3c21a079675a7fc9e97498438ccf50152a[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

8737a598aa00cbf1b6329b33e3c22e3c21a079675a7fc9e97498438ccf50152a.exe
Size

595KB
MD5

7d46dd928aed03380e3f8eb9c44a9497
SHA1

c8718a550fd9a3a4c63a036b6cd19f9294232eeb
SHA256

8737a598aa00cbf1b6329b33e3c22e3c21a079675a7fc9e97498438ccf50152a
SHA512

bc0c1252e070bff3d9be3debb3ee563961a1e65463763cf7e8a8477fc841560187a848f51d8fc36ec52cf01ab46fc4e96dac9c806d3f26a65676ea55980c3109
SSDEEP

12288:RqFwpkDPhijh2Z1MVM9aWmHd/1Uk496YKQFM8a4VCY:RqFwqThijh2/5Ux1+r9TRaACY

Score

10^/10

neshta

Malware Config

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
sample	family_neshta

Neshta family
neshta

Files

8737a598aa00cbf1b6329b33e3c22e3c21a079675a7fc9e97498438ccf50152a.exe
.exe windows:5 windows x86 arch:x86

62df9102727220cfa42ee5fb50554dfb

Code Sign

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

49:09:89:b9:85:49:11:4e:70:ed:3f:3d:ea:55:23:43
Certificate

Issuer

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Not Before

21/09/2020, 00:00

Not After

21/09/2021, 23:59

Subject

CN=PLANET ADVISORY LIMITED,O=PLANET ADVISORY LIMITED,L=LONDON,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

49:09:89:b9:85:49:11:4e:70:ed:3f:3d:ea:55:23:43
Certificate

Issuer

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Not Before

21/09/2020, 00:00

Not After

21/09/2021, 23:59

Subject

CN=PLANET ADVISORY LIMITED,O=PLANET ADVISORY LIMITED,L=LONDON,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a8:74:65:61:ca:a4:31:c5:30:6c:ea:f9:30:ea:73:49:ca:34:1d:e7:f5:96:35:60:0d:d2:6b:6f:df:af:6d:26
Signer

Actual PE Digest

a8:74:65:61:ca:a4:31:c5:30:6c:ea:f9:30:ea:73:49:ca:34:1d:e7:f5:96:35:60:0d:d2:6b:6f:df:af:6d:26

Digest Algorithm

sha256

PE Digest Matches

false

02:5f:4a:3c:59:21:43:0b:2e:11:8a:a0:a3:f4:39:d5:b3:16:63:5d
Signer

Actual PE Digest

02:5f:4a:3c:59:21:43:0b:2e:11:8a:a0:a3:f4:39:d5:b3:16:63:5d

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LoadLibraryW
ReadFile
GetModuleFileNameW
CreateFileW
GetTempPathW
GetFileSizeEx
GetProcAddress
FindClose
IsWow64Process
FindNextFileW
ExpandEnvironmentStringsW
FreeResource
SetFilePointer
SetEndOfFile
SetStdHandle
FlushFileBuffers
SetFilePointerEx
GetConsoleMode
GetConsoleCP
LCMapStringW
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
ReleaseSemaphore
VirtualProtect
VirtualFree
VirtualAlloc
GetVersionExW
GetModuleHandleA
GetThreadTimes
OutputDebugStringW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCurrentProcessId
QueryPerformanceCounter
GetLastError
GetStringTypeW
GetStdHandle
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
IsDebuggerPresent
GetModuleHandleExW
ExitProcess
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
GetThreadPriority
SetThreadPriority
SwitchToThread
SignalObjectAndWait
WaitForSingleObjectEx
SetEvent
CreateTimerQueue
LoadLibraryExW
ExitThread
CreateThread
CreateSemaphoreW
GetTickCount
GetStartupInfoW
TlsFree
WriteFile
GetCurrentProcess
FreeLibrary
FindFirstFileW
GetTempFileNameW
MultiByteToWideChar
WideCharToMultiByte
LockResource
SizeofResource
LoadResource
FindResourceW
FormatMessageW
GetModuleHandleW
DeleteFileW
RemoveDirectoryW
CopyFileW
CreateDirectoryW
LocalFree
CloseHandle
ReleaseMutex
DecodePointer
FreeLibraryAndExitThread
HeapSize
VerifyVersionInfoW
RaiseException
Sleep
InitializeCriticalSectionAndSpinCount
GetProcessHeap
HeapFree
InitializeCriticalSection
VerSetConditionMask
HeapAlloc
CreateMutexW
HeapReAlloc
GetCommandLineW
TlsSetValue
TlsGetValue
TlsAlloc
TerminateProcess
CreateEventW
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsProcessorFeaturePresent
RtlUnwind
EncodePointer
GetSystemTimeAsFileTime
GetExitCodeThread
GetCurrentThreadId
GetCurrentThread
WaitForSingleObject
DuplicateHandle
MoveFileExW
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetFileType
WriteConsoleW

user32

SetWindowLongW
ReleaseDC
GetWindowLongW
RegisterClassExW
IsDialogMessageW
TranslateMessage
GetDC
LoadCursorW
MapWindowPoints
DefWindowProcW
RedrawWindow
DispatchMessageW
GetDesktopWindow
UnregisterClassW
GetMessageW
GetWindowRect
LoadIconW
LoadImageW
CharLowerA
EnumDisplaySettingsW
MonitorFromPoint
SetWindowTextW
SendMessageW
GetSysColor
GetDlgItem
SetWindowPos
EnumChildWindows
ShowWindow
CreateWindowExW
PostMessageW
MessageBoxW
GetWindowTextW
GetClientRect
TrackMouseEvent
GetParent
GetWindowTextLengthW
DrawTextW
FillRect
CharLowerW
CharUpperW
DestroyIcon
SetForegroundWindow
SetTimer
KillTimer
MapDialogRect
FindWindowW
PostQuitMessage
SetClassLongW
ShowScrollBar
ClientToScreen
DestroyWindow
EnableWindow
MoveWindow
DrawIconEx
EndPaint
SetCapture
GetFocus
SetFocus
BeginPaint
LockWindowUpdate
SetCursorPos
GetCursorPos
GetSysColorBrush
ReleaseCapture
GetSystemMetrics
UpdateWindow
SetCursor
ShowCursor
DestroyCursor
IsWindowEnabled
GetDlgCtrlID

gdi32

StretchBlt
SetStretchBltMode
CreatePen
GetBkMode
SetBkColor
GetBkColor
GetTextColor
SetTextColor
CreateFontIndirectW
CreateSolidBrush
AddFontMemResourceEx
GetDeviceCaps
GetStockObject
GetDIBits
SetDIBits
BitBlt
DeleteDC
SetBkMode
DeleteObject
SelectObject
CreateCompatibleDC
CreateCompatibleBitmap
RemoveFontMemResourceEx

advapi32

RegEnumValueW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegDeleteKeyW
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW

shell32

ShellExecuteW
CommandLineToArgvW
SHGetFolderPathW

ole32

CreateStreamOnHGlobal
CoCreateInstance
CoInitializeEx
CoUninitialize

shlwapi

PathIsURLW
AssocQueryStringW
PathMatchSpecW
PathFileExistsW

version

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

comctl32

ord410
ord413
ord412
InitCommonControlsEx

rpcrt4

UuidToStringW
RpcStringFreeW
UuidCreate

gdiplus

GdipLoadImageFromStreamICM
GdipCloneImage
GdipDisposeImage
GdipAlloc
GdipLoadImageFromFileICM
GdipFree
GdiplusStartup
GdiplusShutdown
GdipGetImageWidth
GdipSetInterpolationMode
GdipCreateFromHDC
GdipDeleteGraphics
GdipDrawImageRectRectI
GdipGetImageHeight

msimg32

GradientFill
AlphaBlend

winmm

timeKillEvent
timeSetEvent

wininet

InternetCloseHandle
HttpOpenRequestW
HttpQueryInfoW
InternetSetOptionW
HttpSendRequestW
InternetConnectW
InternetReadFile
InternetCrackUrlW
HttpQueryInfoA
InternetOpenW
InternetGetLastResponseInfoW

Sections

.text
Size: 282KB - Virtual size: 281KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 71KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 81KB - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

62df9102727220cfa42ee5fb50554dfb

Code Sign

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cbCertificate

Extended Key Usages

Key Usages

49:09:89:b9:85:49:11:4e:70:ed:3f:3d:ea:55:23:43Certificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cbCertificate

Extended Key Usages

Key Usages

49:09:89:b9:85:49:11:4e:70:ed:3f:3d:ea:55:23:43Certificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

a8:74:65:61:ca:a4:31:c5:30:6c:ea:f9:30:ea:73:49:ca:34:1d:e7:f5:96:35:60:0d:d2:6b:6f:df:af:6d:26Signer

02:5f:4a:3c:59:21:43:0b:2e:11:8a:a0:a3:f4:39:d5:b3:16:63:5dSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

shlwapi

version

comctl32

rpcrt4

gdiplus

msimg32

winmm

wininet

Sections

.text Size: 282KB - Virtual size: 281KB

.rdata Size: 71KB - Virtual size: 70KB

.data Size: 9KB - Virtual size: 28KB

.rsrc Size: 81KB - Virtual size: 80KB

.reloc Size: 17KB - Virtual size: 17KB

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb
Certificate

49:09:89:b9:85:49:11:4e:70:ed:3f:3d:ea:55:23:43
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb
Certificate

49:09:89:b9:85:49:11:4e:70:ed:3f:3d:ea:55:23:43
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

a8:74:65:61:ca:a4:31:c5:30:6c:ea:f9:30:ea:73:49:ca:34:1d:e7:f5:96:35:60:0d:d2:6b:6f:df:af:6d:26
Signer

02:5f:4a:3c:59:21:43:0b:2e:11:8a:a0:a3:f4:39:d5:b3:16:63:5d
Signer

.text
Size: 282KB - Virtual size: 281KB

.rdata
Size: 71KB - Virtual size: 70KB

.data
Size: 9KB - Virtual size: 28KB

.rsrc
Size: 81KB - Virtual size: 80KB

.reloc
Size: 17KB - Virtual size: 17KB