neshta

General

Target

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf
Size

1.3MB
Sample

220212-aschcseae2
MD5

1dff6d9b042d47e9b040f8dffee2112a
SHA1

24c725042eb2a384814e8a4f2c1178be14f4c71f
SHA256

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf
SHA512

243d0e03738bfa7b9013258fda08f7eee3bd2a3aa187b01c2808956467182f0bd93ab2415c73ba9b006e2baa0f319dbb83c14c616ceb2536df8800cc5e184162

Score

10^/10

Malware Config

Extracted

Path

C:\Read-Me.txt

Ransom Note

All Your Files Has Been Encrypted You Have to Pay to Get Your Files Back 1-Go to C:\ProgramData\ or in Your other Drives and send us prvkey.txt.key file 2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data 3-Payment should be with Bitcoin 4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss Our Email: [email protected] in Case of no Answer: [email protected]

Emails

[email protected]

Targets

- Target
  
  893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf
- Size
  
  1.3MB
- MD5
  
  1dff6d9b042d47e9b040f8dffee2112a
- SHA1
  
  24c725042eb2a384814e8a4f2c1178be14f4c71f
- SHA256
  
  893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf
- SHA512
  
  243d0e03738bfa7b9013258fda08f7eee3bd2a3aa187b01c2808956467182f0bd93ab2415c73ba9b006e2baa0f319dbb83c14c616ceb2536df8800cc5e184162
Score

10^/10

neshta evasion persistence ransomware spyware
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops desktop.ini file(s)
behavioral1 behavioral2