General

  • Target

    2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe

  • Size

    1.2MB

  • Sample

    230903-q8eknaad2z

  • MD5

    e82c5e5d888935b99f1d4404eee4d63f

  • SHA1

    e1ceef1881c0b59b7f8c46c4009cf8188ba3a369

  • SHA256

    c75d27311d7c5271e0a415bf0e4d62da7e4567c38711cc003892884dfeb3b331

  • SHA512

    fd426a5bf0b1a5de8e50c6fc5ebe3eafe038d6317372874ea6a2277975403eb9c269834735226b5ab998107ef9f8333411f34cdab0893c1c3665a5277568e229

  • SSDEEP

    24576:W5Rt4El7fc/TFJzjJUgrrCq5sNIwQsUGy1q7a9DlIACTp+kqGslRG4s:Wjt4El7fc/TFJWstwQsPdSDuACTpqhGv

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note
Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Targets

    • Target

      2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe

    • Detect Neshta payload

    • LockerGoga

      LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.

    • Neshta

      Malware from the Neshta family injects itself into other executable files in order to spread and cause damage.

    • Renames multiple (1602) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Renames multiple (516) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

MITRE ATT&CK Enterprise v15

Tasks