General
Target: 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a
Filesize: 238KB
Completed: 24-01-2022 02:23
Task: static1
Score: 10/10
MD5: f3b3bb093d9f95fa405947c9be02594d
SHA1: 102ea13148647c13ecc20c75cd62f3c17a7bebf2
SHA256: 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a
SHA512: 8f749837fe4300378d87b398486f15a7cf0bb9753832161c82cf31919b781a496cf29077acd11b4c302e53c49674ca259105a0ec7af93a9b5dd8aab12437286b

Malware Config

Extracted
Family: sodinokibi
Botnet: 19
Campaign: 29

C2

Attributes
net: true
pid: 19
prc: mysql.exe
ransom_oneliner: All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template:
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub: 29
Signatures (4)

Filter: none

  • Detect Neshta Payload
    Reported IOCs
      resource: yara_rule
      sample: family_neshta

  • Neshta family
    Tags: (none)

  • Sodinokibi family
    Tags: (none)

  • Sodinokibi/Revil sample
    Reported IOCs
      resource: yara_rule
      sample: family_sodinokobi

Files

  • 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a
    Extensions: .exe
    Tags: windows, x86