neshta | 60bf2bb354cde8463e912acf65db4d39f44469fd587a0764183db4c3bbb07f66

General

Target

60bf2bb354cde8463e912acf65db4d39f44469fd587a0764183db4c3bbb07f66.exe
Size

206KB
MD5

46c50d9690c2ea3fcc28eabba5c62379
SHA1

25b90b6fe4154cc912fb6ad3435837ef276abd5e
SHA256

60bf2bb354cde8463e912acf65db4d39f44469fd587a0764183db4c3bbb07f66
SHA512

5c1dbe2dac1a51cd895dbe2aace8c5f24abe3d50bfa69ba255f154e2ae39892b1e7aaf5acc810af4a5d2a2a2abc03e79e7cf1b0b5dcc0dd226d878499255467a

Score

10^/10

neshta sodinokibi 19 2909 persistence ransomware spyware stealer

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

2909

C2

hoteltantra.com

randyabrown.com

noda.com.ua

vdolg24.online

zumrutkuyutemel.com

ufovidmag.com

bruut.online

kausette.com

paradigmlandscape.com

achetrabalhos.com

mariamalmahdi.com

glende-pflanzenparadies.de

der-stempelking.de

georgemuncey.com

sbit.ag

advanced-removals.co.uk

lattalvor.com

fotoslubna.com

michaelfiegel.com

sololibrerie.it

Attributes

net
true
pid
19
prc
visio
firefox
dbsnmp
xfssvccon
oracle
dbeng50
excel
sqbcoreservice
ocomm
encsvc
tbirdconfig
ocautoupds
thebat
synctime
mydesktopqos
onenote
mspub
msaccess
isqlplussvc
ocssd
steam
wordpad
thunderbird
powerpnt
agntsvc
infopath
outlook
winword
mydesktopservice
sql
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
2909
svc
svc$
sophos
sql
veeam
vss
memtas
backup
mepocs

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes: