General
-
Target
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta
-
Size
197KB
-
Sample
240312-ml5a1seg7v
-
MD5
5d65d61b82de6b9dcdb67a30cae300cd
-
SHA1
e32500c38d39665f5af7860b6bf3b06af3f9c300
-
SHA256
a0e6a9fec2e7ed51bf36286e416deaec40e6bae8174e8c3fb3c1996fa7ef81ed
-
SHA512
f3fa41d0ba991dfa1f23c1ade289201adce06bae9a0495efee15afb3d17f06c9fde43d1fd63e580f8c7abd7cab333a041cb8c502d351ab85aa21196ca76b59d5
-
SSDEEP
3072:sr85CykgZqltP33686plZG1kqxSb6WpDDDDDDDDDDDDDDDDDDDE45d/t6sq:k9pgZqll32rZ2txSb35d/zq
Behavioral task
behavioral1
Sample
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
C:\Users\O957g99QW.README.txt
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
https://twitter.com/hashtag/lockbit?f=live
http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
Extracted
C:\Users\O957g99QW.README.txt
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
https://twitter.com/hashtag/lockbit?f=live
http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
Targets
-
-
Target
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta
-
Size
197KB
-
MD5
5d65d61b82de6b9dcdb67a30cae300cd
-
SHA1
e32500c38d39665f5af7860b6bf3b06af3f9c300
-
SHA256
a0e6a9fec2e7ed51bf36286e416deaec40e6bae8174e8c3fb3c1996fa7ef81ed
-
SHA512
f3fa41d0ba991dfa1f23c1ade289201adce06bae9a0495efee15afb3d17f06c9fde43d1fd63e580f8c7abd7cab333a041cb8c502d351ab85aa21196ca76b59d5
-
SSDEEP
3072:sr85CykgZqltP33686plZG1kqxSb6WpDDDDDDDDDDDDDDDDDDDE45d/t6sq:k9pgZqll32rZ2txSb35d/zq
Score10/10-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Rule to detect Lockbit 3.0 ransomware Windows payload
-
Renames multiple (186) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-