General

  • Target

    2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta

  • Size

    188KB

  • Sample

    241218-rqendasrhj

  • MD5

    69045be037a5cf8195966f57bb30e5c5

  • SHA1

    d4f157136a1b8f43c474b2eaf6cbe86ead68ff62

  • SHA256

    f6c31b093d8940526584290954905d42e87bd16dd88fb64a876216a4e7a3805a

  • SHA512

    dd02da0a0f0aa40324c0717848899deb8d83d48edcaf3ab021eea431764d6efeb52b7943fe04e5987dd92b7f4d8c960a9586906ad0785e78aa990f787e66b398

  • SSDEEP

    3072:sr85CDcSNm9V7DzY07RiY/JhsUogtP9bW3KVu5RTfqJogYg:k9Dc4m9tDzY079sUocPCIm1q2g

Malware Config

Extracted

Path

C:\Qoi6ifOVU.README.txt

Ransom Note
~~~ Cerber 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom EMAIL US - [email protected] >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> Your personal DECRYPTION ID: AD7936094A57E972A31368A0083A02F9 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. If you want to contact us, write in EMAIL [email protected]

Extracted

Path

C:\Qoi6ifOVU.README.txt

Ransom Note
~~~ Cerber 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom EMAIL US - [email protected] >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> Your personal DECRYPTION ID: AD7936094A57E9729819A0D540A6D376 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. If you want to contact us, write in EMAIL [email protected]

Targets

    • Target

      2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta

    • Size

      188KB

    • MD5

      69045be037a5cf8195966f57bb30e5c5

    • SHA1

      d4f157136a1b8f43c474b2eaf6cbe86ead68ff62

    • SHA256

      f6c31b093d8940526584290954905d42e87bd16dd88fb64a876216a4e7a3805a

    • SHA512

      dd02da0a0f0aa40324c0717848899deb8d83d48edcaf3ab021eea431764d6efeb52b7943fe04e5987dd92b7f4d8c960a9586906ad0785e78aa990f787e66b398

    • SSDEEP

      3072:sr85CDcSNm9V7DzY07RiY/JhsUogtP9bW3KVu5RTfqJogYg:k9Dc4m9tDzY079sUocPCIm1q2g

    • Detect Neshta payload

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Neshta family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Renames multiple (365) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks