Authenticate for API access | If you are experiencing issues with receiving data from abuse.ch platforms via API, please ensure your requests are authenticated. ➡️ Read here for more info

YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash 0f4b63505952eb7a4142bcab560dd477ce1d0eb58b13399199462065d19b32bc.

Scan Results


SHA256 hash: 0f4b63505952eb7a4142bcab560dd477ce1d0eb58b13399199462065d19b32bc
File size:8'981'058 bytes
File download: Original
MIME type:application/x-dosexec
MD5 hash: 4e35761cab450753839d351bfaa0fcce
SHA1 hash: 60b9e72beccc3c932194d86866d561769480dfb1
SHA3-384 hash: 74fa61760d17f800d163450edfea99231a63012def19644ff37cc5c6e7aaef84d9ce4858bdc27f833b1d86d87f922a69
First seen:2025-08-24 22:17:28 UTC
Last seen:Never
Sightings:1
imphash : 9f4693fc0c511135129493f2161d1e86
ssdeep : 196608:GU8b88xkdIPXMCHGLLc54i1wN+grRRu7NtbFRKnZMZDmdmhcTNzs6BnTNwD3:yGKPXMCHWUjYrRQ7XbFsn6ZqIaNO
TLSH :n/a
telfhash :n/a
gimphash :n/a
dhash icon : 307071f0e8e8f0cc

Tasks


There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

Task Information


Task ID:1ecb011a-8138-11f0-8fb7-42010aa4000b
File name:4e35761cab450753839d351bfaa0fcce
Task parameters:ClamAV scan:True
Unpack:False
Share file:True

ClamAV Results


The file matched the following open source and commercial ClamAV rules.

Signature:SecuriteInfo.com.Win32.HLLP.Neshta.UNOFFICIAL
Signature:Win.Trojan.Neshta-153
Signature:Win.Trojan.Neshta-160
Signature:Win.Trojan.Neshuta-1
Signature:Win.Virus.Neshta-7101689-0

YARA Results


Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:Borland
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
TLP:TLP:WHITE
Repository:YARAify
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:TLP:WHITE
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:TLP:WHITE
Rule name:Detect_PyInstaller
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
TLP:TLP:WHITE
Rule name:EXE_Virus_Neshta_March2024
Author:Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell
TLP:TLP:WHITE
Repository:YARAify
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
TLP:TLP:WHITE
Repository:YARAify
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
TLP:TLP:WHITE
Repository:YARAify
Rule name:classified
Author:classified
Description:classified
Reference:classified
TLP :TLP:AMBER
Rule name:MAL_Malware_Imphash_Mar23_1
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
TLP:TLP:WHITE
Repository:Neo23x0
Rule name:MALWARE_Win_Neshta
Author:ditekSHen
Description:Detects Neshta
TLP:TLP:WHITE
Repository:diˈtekSHən
Rule name:neshta_v1
Author:RandomMalware
TLP:TLP:WHITE
Repository:YARAify
Rule name:pe_detect_tls_callbacks
Author:
TLP:TLP:WHITE
Repository:YARAify
Rule name:PyInstaller
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
TLP:TLP:WHITE
Repository:bartblaze
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
TLP:TLP:WHITE
Repository:YARAify
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:classified
Author:classified
Description:classified
Reference:classified
TLP :TLP:GREEN
Rule name:Windows_Virus_Neshta_2a5a14c8
Author:Elastic Security
TLP:TLP:WHITE
Repository:elastic

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files


The following files could be unpacked from this sample.