neshta

Sharing

Copy URL

Twitter E-mail

General

Target

064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2
Size

199KB
Sample

220124-c3gaeaaeek
MD5

81da022977dec2624184697c779c0318
SHA1

e6591a63f5466d721e3227e05ae7fb5e726b81f8
SHA256

064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2
SHA512

f63b0b04c6a5e01b92172a7ffe37b29ee537e620c67bfeba6cb270950288b80a557e5fcb9e5cd0dda78241cc75b61a66396d6b8d7d3cf163991b547990c893ab

Score

10^/10

neshta sodinokibi 19 96 persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\1mu4v19ta7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 1mu4v19ta7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8DD156D589223FF0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8DD156D589223FF0 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Q9QugZBHBPkhK/Spwj89qfAGbkKGogsJ1H6uMM5QB8qFCpva9U+OFAucH+6FdAKf GsPhfPHdWdO1k/Nncvb9/pGAQRWHQjlAAAkZzHadDOZQcxl/KWfuwBcJkn4abl0E EMo8+0u7cI4ck8kPh6ZeheNZNpBb5la6Ic77QZdxgrULez9VYmtwRSu1Hi5O5A+c iUgKmUcRLlBkFPCvxysCZNpkPl9gMxaUglPdLMG1RU6Gc1AOFoFD+LgmXUKSxgRS Ve8aSMqEQwACmM386TsP8k/FqMYtCzRGGGUF0B/jCqwSlxcRW2H8CEQ+82D5djVk MG0ys2jAJJw5TdkpJYC5UvPC8PrSj1sFyDvh8FfkvMb0kR0BiEmJp5SnvRCCg9FM iJ9dIy+sjkG7rB6DRBphirdYLI+61bb+hdYX8fGM9S2ccjakqcVCE7n1sx/z1Bmk 3kiytkCn2afeUwpC2uNR/du8SJP4aGuDF4Jd2dbJX5eSoAKPl7WQmO9EeeAiaPDF sfv3rdZLGiLpaQOfQbjbK7KwCaU7I8HwZMhxvC5AswdIiTqpiR9KdEjQDSxXawA3 pX7j8DTB5+ZuV/R8eIQ/EuNX9iA+9AzKplD0nNND01jMvsJMcqdMAUKkgfzCG9gc t40AA4P0NJn8KmNnJe0JbFRAW6PF+8jmEBmwHi9P+K9+XdWurugicsXlzg18j7Ak ShGvJ8RF7ROcujdlyeJ83DG1DGesfKe3IGTwQtpQ6ugQzdZ27RuXFaZZ1euXqtgt ipVelRPkF6EzumABZ2JJWIb+16M55TtzVrObiK6ea07jSUZyO3VMVCILYpuJC9TN ehpt+rgXCAsOmEa4joQsb37HPKknpRam/vwqbeSu1peybN1rlGzuVY9KIIdZ1tLL WPhqmgjWGWsP9PRoxkdIjnl4JnDafhXXlStGHYFd9xczy6AfonpDuHNdE3vAcIvx XM74C5TX3TlLDDA+WqTST+ntmeFkvwa6iQmBH0YL96X3WAbDTaD1hSCEoDqQWmCY 3T9HhZ2VZ7YeGj5RJGwKHYu6BG1WfCeBNlof9+9GZAVN1E0TSnfacTxqxcEKJdWT p49yTpI7MH+asMdAHNYKVNNj Extension name: 1mu4v19ta7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8DD156D589223FF0

http://decryptor.top/8DD156D589223FF0

Extracted

Family

sodinokibi

Botnet

Campaign

vitormmcosta.com

allinonecampaign.com

edvestors.org

haard-totaal.nl

stabilisateur.fr

anleggsregisteret.no

ufovidmag.com

oraweb.net

oththukaruva.com

acumenconsultingcompany.com

xn--billigafrgpatroner-stb.se

glennverschueren.be

subquercy.fr

leadforensics.com

devplus.be

silkeight.com

bluetenreich-brilon.de

askstaffing.com

hutchstyle.co.uk

netadultere.fr

Attributes

net
true
pid
19
prc
firefoxconfig.exe

mysqld_opt.exe

thebat64.exe

powerpnt.exe

tbirdconfig.exe

msftesql.exe

mysqld.exe

sqlwriter.exe

infopath.exe

winword.exe

sqlbrowser.exe

sqlagent.exe

sqbcoreservice.exe

mspub.exe

onenote.exe

thebat.exe

visio.exe

mysqld_nt.exe

excel.exe

thunderbird.exe

encsvc.exe

mydesktopservice.exe

ocssd.exe

steam.exe

ocomm.exe

isqlplussvc.exe

dbsnmp.exe

synctime.exe

agntsvc.exe

mydesktopqos.exe

ocautoupds.exe

wordpad.exe

dbeng50.exe

outlook.exe

xfssvccon.exe

oracle.exe

sqlservr.exe

msaccess.exe
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
96

Extracted

Path

C:\7c7nm6-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7c7nm6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9BF329183CAC3F1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A9BF329183CAC3F1 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 7n2JIY+x8Qi9TW8QrCSxrI207yfMXQq2YCMXMPciNCLd1uafpIy+V5K9mkiSSQwd rXZ7LhLhbZCQUEZGCw7xvemlCjYCxMmPLaqOlEd26Wn1dDdb3lkubFg3FE8XMvID ysV2WJI2Lrlyxgc2AY5/2CAFs/QMmf7W5pCOvXB86c3AvJ778zYPxj3KhgOdoOrz o/4iZwNEGVqDepjdOQ9rDkqCoKcJrSLGU7KUSrmNxb8ZZnGvUB1FGGd/K3fr6qGD Jw66+PcqqllG0gtVRd9XzVwFE+SMiP63mSvdF8n/gv3d1qeHQPqX/zgO56BQxrvF s5UrUwVagiilKe2EBnsc7us0SmwuYmdVygGTCHFtkPHIGfUaVwX9y44L/iy3FEVQ RAZF46G02Cjau9NrC6udw9DuA70ziH6Zmt2PqVWAcbg4euM6u2kYsmZ++Zv4XIbe MyuOXY33k/OQnTNJU1MpWgddKdBNHUCzrm6zN2M7MgcjpWa4fgEM967pHDzIw0QJ nndKT3YTxJ7CqFfRtfp7KC4bnu9CcczqjgOL02ZhQH+FNvmRBVzxOS7Qtwsnx8V1 jZOUSdCQCef1iLqW1JqgvQ/sx54+ELhZmuPlAReezSOu9reYhCBGHjQfL1YquLuU omFK0NM+Igx/J9cNg2EuuGvMv+7yr3/D47yRl3d7f1rV3toITWyQSfZrNauH0A+W 4EBLnY2HnPn54lMAScFBeV6M8mEfzNI5FOjiQp/sUYXs2/7fDhUzi9bs1lwdNoxb dkQiSlFerglXoukS/maZufUWqASiOnO6pvcK5vyuexjjlrpR3bHvFqeBH1tvMDVA lGtEH6EfYxaTi2XboK/7e3PkpmPGk6u6tKssHLhQIHKjqHgIOjrtL1xX5hLmSdRo 7pHoXXURV02kRswnHIr/Zzk2EaxwgMmTGOqWuRn41y4UC5gGZTJyZXSG1wfHFJ7N 6Z5wflPH6lEt3DYKve56aH5Vd2m7H/ZnQSfigCUaslxgdq6+V9JdikBFr3BHy2qM l4tQt+PNpBsepehMOoL3BIzpV+oD7e0S5KPfWNUCIitYLmkUVHRzqSXnZtMdRl0L CEgQq9nHrkqL5A== Extension name: 7c7nm6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9BF329183CAC3F1

http://decryptor.top/A9BF329183CAC3F1

Targets

- Target
  
  064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2
- Size
  
  199KB
- MD5
  
  81da022977dec2624184697c779c0318
- SHA1
  
  e6591a63f5466d721e3227e05ae7fb5e726b81f8
- SHA256
  
  064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2
- SHA512
  
  f63b0b04c6a5e01b92172a7ffe37b29ee537e620c67bfeba6cb270950288b80a557e5fcb9e5cd0dda78241cc75b61a66396d6b8d7d3cf163991b547990c893ab
Score

10^/10

neshta sodinokibi 19 96 persistence ransomware spyware stealer
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi/Revil sample
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Detect Neshta Payload

Modifies system executable filetype association

Sodin,Sodinokibi,REvil

Sodinokibi/Revil sample

Deletes shadow copies

Executes dropped EXE

Modifies extensions of user files

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2