neshta

General

Target

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
Size

265KB
Sample

221209-f9rw9sfd5z
MD5

3ac0d935228460fdc38bdab692d71b0c
SHA1

d08f753af5b5d9be3352495189be6fd4914ad8e1
SHA256

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
SHA512

04376fc469808504a8071f0b9baa35c4f922d7b69c4d4c6e77309022f95cf916a80b758a6733154f36e8be59d928b93903eec47a6df32e96b2ef3b4b6f0fde54
SSDEEP

6144:k9Pj5XJkcXV50DErs5xgTw7ozFz254WfRgzJmXrQwAN:akzDZGcoxfWfRglerQwAN

Score

10^/10

Malware Config

Extracted

Path

C:\README.html

Ransom Note

<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center"><<<Venus>>></h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>KCueoWKQaSt+yRRD81dTYB0nKzQVeSTtCiaoXzRn8WQosi8BBOZKikri9+AMHnkD hQb2FvXVOmTwV9bWCYj6hCaB6MAWGvma+M8ap19geYQL27ardqXBvdlu3BT0cOao KWfi8ZunW8ju9mtDxg32IBF3/sadJ/6FLxc0B7Fvf1d2pZlTXEaAyFXKOGqXx/JX kklBepHp+kIA2rAaDTiEdmzSA4ljhIAkCNMnF3re5hLZSSmWoXljh56gnnoMcrou yZq4f5E3IvHEUvS+yBokK+ZHOjqcpMHQeIP2A3PUBGdMFeYXty+/9/lWXY3VJmNG HNIHZFt7VtNat1z9FsoOTv2XuaR9E4iB1XmmkYFHXI65RjVCFhRRzKdMDR3rM+50 sLkSaDGD1WkwjHXDCM34MAXXUJRKyDlJe3wGEouAFzaDsCXdY48lne4hRFjANmKO Uqi46kTX9bsENeLgLrtbeAVfLegjbc243/3cfxI7UgvgQKCmGXJCuGH7f/p/FYU9 LeUYZrY7R1TH4qQFMzdaYvi4xgMVMQCzd2QdFx8sW02o8KSiMKyUlzUvhHTjzn/n OGzA7CHQ6bsGy7yCsDHI5GsZrMwE9tDA2/ImNOuSty/f7zeKi8Tm/mTg/qOqNHia uPF3gTzY1g== </p></div></body></html></html></body></html>

Emails

us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>KCueoWKQaSt+yRRD81dTYB0nKzQVeSTtCiaoXzRn8WQosi8BBOZKikri9+AMHnkD

Targets

- Target
  
  78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
- Size
  
  265KB
- MD5
  
  3ac0d935228460fdc38bdab692d71b0c
- SHA1
  
  d08f753af5b5d9be3352495189be6fd4914ad8e1
- SHA256
  
  78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
- SHA512
  
  04376fc469808504a8071f0b9baa35c4f922d7b69c4d4c6e77309022f95cf916a80b758a6733154f36e8be59d928b93903eec47a6df32e96b2ef3b4b6f0fde54
- SSDEEP
  
  6144:k9Pj5XJkcXV50DErs5xgTw7ozFz254WfRgzJmXrQwAN:akzDZGcoxfWfRglerQwAN
Score

10^/10

neshta venus persistence ransomware spyware stealer
- Detect Neshta payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Venus
  Venus is a ransomware first seen in 2022.
  ransomware venus
- Venus Ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2