neshta

Sharing

General

Target

DomainName.zip
Size

98KB
Sample

230922-qvmn4sgc6z
MD5

cea56583a631a661e52e48025bf24ea2
SHA1

5b0bb61b6dee9736e374a54f7de6fcbc229828dc
SHA256

01e0a5cc0c30dbdddec8320e4a3e1984ccb296d50021fbd73c26a4b7a17cae58
SHA512

8fc299a87e144ca8ddbfc474055af54e4a3eb6e5c606ab8db1cf209cf64c556b4a4f5fcaa0f8eaa416a1ccf8eb664b75d68d9700c06d1ab695449cef406115c1
SSDEEP

1536:4JrUR4fPKH5oTR6YO8fa9LxqBhFxay4XQM8vjn6lDHu0Eqhm0FC0E7QPSn5/6nBU:EXK29TO0aPUkNXf8LnqDO0EqbuwS8BlG

Score

10^/10

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$mKbuAybjn4W3ipQCt6E7ROYxmL5SSZgUbPuA7PKUsPqJU10KB4bma

Campaign

7114

Decoy

withahmed.com

scenepublique.net

aglend.com.au

jyzdesign.com

nsec.se

cirugiauretra.es

gopackapp.com

tinyagency.com

crediacces.com

xn--rumung-bua.online

bowengroup.com.au

mastertechengineering.com

kmbshipping.co.uk

homng.net

fitnessingbyjessica.com

oldschoolfun.net

roygolden.com

sotsioloogia.ee

real-estate-experts.com

mir-na-iznanku.com

Attributes

net
false
pid
$2a$10$mKbuAybjn4W3ipQCt6E7ROYxmL5SSZgUbPuA7PKUsPqJU10KB4bma
prc
oracle

klnagent

mydesktopqos

infopath

BackupExtender

powerpnt

outlook

BackupAgent

Smc

sql

ccSvcHst

BackupUpdater

Rtvscan

winword

kavfsscs

ocssd

isqlplussvc

visio

ShadowProtectSvc

tbirdconfig

TSSchBkpService

dbeng50

ccSetMgr

agntsvc

Sage.NA.AT_AU.SysTray

dbsnmp

thebat

onenote

AmitiAvSrv

wordpad

msaccess

avgadmsv

thunderbird

BackupMaint

Microsoft.exchange.store.worker.exe

CarboniteUI

excel

SPBBCSvc

LogmeInBackupService

encsvc

ocomm

sqbcoreservice

NSCTOP

mydesktopservice

kavfs

kavfswp

ocautoupds

mspub

xfssvccon

DLOAdminSvcu

synctime

lmibackupvssservice

firefox

steam

dlomaintsvcu
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
7114
svc
Telemetryserver

"Sophos AutoUpdate Service"

sophos

Altaro.Agent.exe

mysqld

MSSQL$MSGPMR

"SophosFIM"

"Sophos Web Control Service"

SQLWriter

svcGenericHost

AltiBack

"SQLServer Analysis Services (MSSQLSERVER)"

BackupExecAgentAccelerator

"StorageCraft ImageReady"

SQLTELEMETRY

AzureADConnectAuthenticationAgent

ntrtscan

ds_notifier

TeamViewer

"StorageCraft Raw Agent"

"StorageCraft Shadow Copy Provider"

SQLTELEMETRY$SQLEXPRESS

VeeamHvIntegrationSvc

AltiCTProxy

MsDtsServer130

ViprePPLSvc

McAfeeFramework

MSSQL$QM

"swi_service"

"ThreadLocker"

ofcservice

AUService

sophossps

AzureADConnectHealthSyncMonitor

Altaro.OffsiteServer.UI.Service.exe

"SAVAdminService"

ds_monitor

ALTIVRM

SSASTELEMETRY

TmCCSF

MsDtsServer110

"Sophos MCS Client"

TMBMServer

SBAMSvc

mfewc

"Sophos System Protection Service"

MSSQLFDLauncher$TESTBACKUP02DEV

VeeamDeploymentService

masvc

backup

MSSQL$SQLEXPRESS

AltiPhoneServ

MSSQLServerOLAPService

SSISTELEMETRY130

VeeamEndpointBackupSvc

mepocs

Altaro.UI.Service.exe

"ds_agent"

HuntressUpdater

MSSQLFDLauncher

"Sophos File Scanner Service"

SQLAgent$MSGPMR

ADSync

KaseyaAgent

ReportServer

MSSQLFDLauncher$SQLEXPRESS

MSSQL$HPWJA

KaseyaAgentEndpoint

VeeamTransportSvc

"ds_monitor"

mfevtp

MSSQLTESTBACKUP02DEV

SQLTELEMETRY$MSGPMR

ThreadLocker

MSSQLServerADHelper100

veeam

tmlisten

AzureADConnectHealthSyncInsights

"swi_filter"

MsDtsServer120

ProtectedStorage

VeeamDeploySvc

memtas

ds_agent

VeeamMountSvc

HuntressAgent

SQLAgent$SQLEXPRESS

bedbg

MSSQLSERVER

"ofcservice"

VipreAAPSvc

"Sophos Endpoint Defense Service"

KACHIPS906995744173948

DsSvc

MSSQLLaunchpad$SQLEXPRESS

msseces

macmnsvc

LTService

Code42Service

Altaro.HyperV.WAN.RemoteService.exe

LTSvcMon

MSSQL$SQLEXPRESSADV

"SAVService"

Altaro.OffsiteServer.Service.exe

"Sage 100cloud Advanced 2020 (9920)"

Altaro.SubAgent.exe

mfemms

"TeamViewer"

"SQLServer Reporting Services (MSSQLSERVER)"

VSS

sql

Altaro.SubAgent.N2.exe

"SQLServer Integration Services 12.0"

SQLSERVERAGENT

vss

"Sophos Safestore Service"

klnagent

"Sage.NA.AT_AU.Service"

MBAMService

"Sophos Health Service"

SQLBrowser

MySQL

"ProtectedStorage"

"Sophos Clean Service"

"Sage 100c Advanced 2017 (9917)"

"SntpService"

VeeamNFSSvc

KAVFS

SQLEXPRESSADV

KAENDCHIPS906995744173948

sppsvc

Amsp

psqlWGE

Microsoft.exchange.store.worker.exe

kavfsscs

"Amsp"

sqlservr

Altaro.DedupService.exe

svc$

"ds_notifier"

"Sophos Device Control Service"

AzureADConnectAgentUpdater

AltiFTPUploader

"Sophos MCS Agent"

Extracted

Path

C:\Recovery\7a95s-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7a95s. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA68B5D22BA84E39 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/FA68B5D22BA84E39 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: fpbEHVKPkFC7R06Fii6Oop6ZFa2q0ggdFCB4benU3o5wuxyr/Juk1kmWIF00TD/L higMyhXaVgpi4grOCCtquNOOc5YMqQYpunub5xdEuEvmBSUn2XTgr43mOYWLjP/9 e3QbakbpF5/7TzmJM/NpTi4dc7myYVOLTnX94bEx7xlglANR0TDtVvv6TsZc8o4r ID9j8qZ8VZ7Uily8T442rvCfVQEsBnPSvaC+eErNIuCt5jFytFWryJwCh7SYKN+S JxuiCF2fs9hLcFlvJvxUn8yrtolSnBP1YnkD7Qx38tDB4nNVUUOSYK4seIK01u/j yRZ8fKzAel0m0XScDeuTNz31OwYdXHLeJr+FPQV1TecZ7+4pVQrWtDWw8UBiLReT /NsLTPgvFTX9rJ1baGhZXL1K266pnY8T/WIlOs4ze0Sv0iqj1KnQ7dIkh8q/sdme FsqCDtaLRsjG85NH0FnpWYV/vIE9hfYMbGTJgESqNdc89OctRiid6OrYfyPCch35 ixOpzAAdzCsybmHVfaKvCMH9eJCJ1VhXrViTUP3l3Nb95ENhK0u5ZhNgJouC91rG tcu+Lg8kMmHSPWISlxGncoq6kE4sv9VkheXH2K5ieKWuse/0ukTpZEwXhk1bRlt6 D8cVoqT2ZaDdu4GXUvuBZt0k5iwL2xi03EKMFU+xXPpBzZqt0bNg3g3qfauJ7b89 zN9F7RosNnhFygpMn8JAfqqOjBKWaiVFRQSjbk6a8b0l8eBw2N2aKKNGhqutWI4u UYcqJ4k5Q7tLGCvkSqM743Eegqv/JrosNK4MN2hGN9Ogm31Rr8FQX6GefJHa0idN u9u2IUJks+DVKYPd3ZoIhUcfTevFKqFPkKgy9eUBHXmI4dzjalLLnnYTsxMXL8DT hxmMAxLd1tW1dSUfvuba+qY44bMmBs3FJZtBqFQhrAoSYTbRZ1IKi32aM1VbUrN1 BOjnyA33/3oSAug47wxgC92RNnno0ZnRPaVDip0xe9OOvFkfHEatqW1KoE+ysNGc IXAeVYAK4YFG+lj5RrIWoBj1POIgPe1DAM94oBl2AaKm4MvNWWWV+XlNDUw5M7zZ 99oipRgzSRx2NGqPWbBQ7mBu8pfj4/8p+rKlKSWFyqfBEAGsfUeKkVx81leqg2sP ZVG9uZyl1aY+Y0uLcm3BNE8QuAzKZwfgyzdJa+Nlstl+tGJHSDFFiNB97omN+36n mCgGR7/hFelaXtcqjZACuUBpBYOiVac2W6VHWwlNsUOd0VO7nh75Z5Tr2NvSHkBG /mceDn9BEYo0zZwf2LJGQWvcqkZcU73X9SuJINR2SodZXTuFjmoWLPG3Lp95cP7w YRS0uMkrvz1BlkdoUzhixfF0d6vCaURxvMM= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA68B5D22BA84E39

http://decoder.re/FA68B5D22BA84E39

Targets

- Target
  
  DomainName.exe
- Size
  
  160KB
- MD5
  
  6023d7082c077af7f45ac812a576f113
- SHA1
  
  74033be723ac674bc8244cd33410f778ae275ddf
- SHA256
  
  9cf2bb3ba92b075e1a53d6a03461bc5d656a744e891683d20650c4e4515b9201
- SHA512
  
  46100b5053a7f2a42d9fd05791996f6e0289cd5c0a2e47c1a911ed190e00745c4ac733a937a4e06068118673b72a1c189c73423995d177777b38ed7a98ce3627
- SSDEEP
  
  1536:JxqjQ+P04wsmJC6pzK88ICS4Aer9DIPcG5zXbwMcClFyFfjRto2+i0BH8A4krBJC:sr85CuZE0cOzbwMflEBPoq/LPrlA0
Score

10^/10

neshta sodinokibi $2a$10$mkbuaybjn4w3ipqct6e7royxml5sszgubpua7pkuspqju10kb4bma 7114 persistence ransomware spyware stealer
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1