Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 2, 2021, 10:35 a.m.	April 2, 2021, 10:40 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3fb887b5886aaf9b3b5103d868c56c84`
SHA256	`564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0`
CRC32	`57210D46`
ssdeep	`24576:yBu2XV04jnHW8VwBYcOa3sM6zlYzLhQ0zJ68VQWWRWqMOoU:qu4jHmScOcsvWkq3+`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero network_tcp_listen - Listen for incoming communication network_tcp_socket - Communications over RAW socket network_dns - Communications use DNS screenshot - Take screenshot keylogger - Run a keylogger win_mutex - Create or check mutex win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check

reg.bk.exe "C:\Users\test22\AppData\Local\Temp\reg.bk.exe"
4748
- reg.bk.exe "C:\Users\test22\AppData\Local\Temp\3582-490\reg.bk.exe"
  3872

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 2, 2021, 10:35 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2021, 10:35 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 2, 2021, 10:35 a.m.	process_identifier: 3872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe

Creates executable files on the filesystem (50 out of 137 events)

file	C:\Program Files (x86)\Mozilla Thunderbird\pingsender.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.32\GoogleUpdateBroker.exe
file	C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.32\GoogleUpdateSetup.exe
file	C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file	C:\Program Files (x86)\Mozilla Thunderbird\plugin-container.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\REGFORM.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\DSSM.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\MSQRY32.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\ACCICONS.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ODSERV.EXE
file	C:\Python27\Scripts\easy_install.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
file	C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ose.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file	C:\Program Files (x86)\7-Zip\7z.exe
file	C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\SELFCERT.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\PPTVIEW.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\MSPUB.EXE
file	C:\Program Files (x86)\EditPlus\editplus.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
file	C:\Program Files (x86)\Mozilla Thunderbird\maintenanceservice.exe
file	C:\Program Files (x86)\Mozilla Thunderbird\minidump-analyzer.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
file	C:\Program Files (x86)\Mozilla Thunderbird\crashreporter.exe
file	C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\DW20.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\INFOPATH.EXE
file	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
file	C:\Program Files (x86)\Hnc\Common80\HncReporter.exe
file	C:\Program Files (x86)\7-Zip\7zFM.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\1042\ONELEV.EXE
file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\notification_helper.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HncPUAConverter.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\MSTORE.EXE
file	C:\Program Files (x86)\Hnc\HncDic80\HncDic.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\MSTORDB.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACECNFLT.EXE
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
file	C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe
file	C:\Program Files (x86)\Hnc\PDF80\x86\HNCE2PPRCONV80.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.32\GoogleCrashHandler64.exe
file	C:\util\dotnet4.5.exe
file	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\3582-490\reg.bk.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
file	C:\Users\test22\AppData\Local\Temp\3582-490\reg.bk.exe

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

reg_value

C:\Windows\svchost.com "%1" %*

Harvests credentials from local FTP client softwares (1 event)

registry

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)

Bkav	W32.NeshtaB.PE
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	W32.Neshta.C8
McAfee	W32/HLLP.41472.e
Malwarebytes	Neshta.Virus.FileInfector.DDS
Zillya	Virus.Neshta.Win32.1
K7AntiVirus	Virus ( 00556e571 )
Alibaba	Virus:Win32/Neshta.288
K7GW	Virus ( 00556e571 )
Cybereason	malicious.5886aa
Arcabit	Win32.Neshta.A
Baidu	Win32.Virus.Neshta.a
Cyren	W32/Neshta.OBIX-2981
Symantec	W32.Neshuta
ESET-NOD32	Win32/Neshta.A
APEX	Malicious
Avast	Win32:Apanas [Trj]
ClamAV	Win.Trojan.Neshuta-1
Kaspersky	Virus.Win32.Neshta.a
BitDefender	Win32.Neshta.A
NANO-Antivirus	Trojan.Win32.Winlock.fmobyw
Paloalto	generic.ml
AegisLab	Virus.Win32.Neshta.tn9H
MicroWorld-eScan	Win32.Neshta.A
Tencent	Virus.Win32.Neshta.a
Ad-Aware	Win32.Neshta.A
Sophos	Mal/Generic-R + W32/Neshta-D
Comodo	Win32.Neshta.A@3ypg
DrWeb	Win32.HLLP.Neshta
VIPRE	Virus.Win32.Neshta.a (v)
TrendMicro	PE_NESHTA.A
McAfee-GW-Edition	BehavesLike.Win32.HLLP.tc
FireEye	Generic.mg.3fb887b5886aaf9b
Emsisoft	Win32.Neshta.A (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	Virus.Neshta.a
Avira	W32/Neshta.A
Kingsoft	Win32.Infected.neshta.nl.(kcloud)
Gridinsoft	Virus.Neshta.A.sd!yf
Microsoft	Virus:Win32/Neshta.A
ViRobot	Win32.Neshta.Gen.A
GData	Win32.Virus.Neshta.D
TACHYON	Virus/W32.Neshta
AhnLab-V3	Win32/Neshta
Acronis	suspicious
BitDefenderTheta	AI:FileInfector.D5C3B0640E
ALYac	Win32.Neshta.A
MAX	malware (ai score=100)
VBA32	Virus.Win32.Neshta.a

reg.bk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All