agenda | c01edf0478f041cd8ee24307acdcf3f48ec2f93729df50aba0209aa484c9fa8f

General

Target

c01edf0478f041cd8ee24307acdcf3f48ec2f93729df50aba0209aa484c9fa8f.exe
Size

5.1MB
Sample

250311-fd93zasxe1
MD5

ea1f8794c73b26724314e5356f1f4128
SHA1

6581efcf9ada916ec2623280bedd15ad510cb465
SHA256

c01edf0478f041cd8ee24307acdcf3f48ec2f93729df50aba0209aa484c9fa8f
SHA512

e1e0bba254033cec3f883cab7d2011aad874c0303096a34dbb5f42a37533c219f6781c4f95896a49bf5374d36d2784e69bddc0d263055a99c10ae53e772c9f77
SSDEEP

98304:OT50J1Shpi7X/0Mn/kblNzc6KI4Uidnzyg:OV8kni7X/HkblNw6T4Uidnzyg

Score

10^/10

Malware Config

Extracted

Family

agenda

Credentials

Username:
[email protected]
Password:
S4B1DUR14

Attributes

company_id
tGosdZ37nP
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from your system/network. Our group cooperates with the mass media. If you refuse to communicate with us and we do not come to an agreement, your data will be reviewed and published on our blog and on the media page (https://31.41.244.100) Blog links: http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials Please note that communication with us is only possible via the website in the Tor browser, which is specified in this note. All other means of communication are not real and may be created by third parties, if such were not provided in this note or on the website specified in this note. -- Credentials Extension: tGosdZ37nP Domain: ldfuryqpa6vyx53lvhvi7vag4a5yukqv4k3ndlwp6z7xan3g43lj62qd.onion login: 7XV7jr-k5awCtaPST8uiGS6bD1mipbh8 password:

rsa_pubkey.plain

Targets

- Target
  
  c01edf0478f041cd8ee24307acdcf3f48ec2f93729df50aba0209aa484c9fa8f.exe
- Size
  
  5.1MB
- MD5
  
  ea1f8794c73b26724314e5356f1f4128
- SHA1
  
  6581efcf9ada916ec2623280bedd15ad510cb465
- SHA256
  
  c01edf0478f041cd8ee24307acdcf3f48ec2f93729df50aba0209aa484c9fa8f
- SHA512
  
  e1e0bba254033cec3f883cab7d2011aad874c0303096a34dbb5f42a37533c219f6781c4f95896a49bf5374d36d2784e69bddc0d263055a99c10ae53e772c9f77
- SSDEEP
  
  98304:OT50J1Shpi7X/0Mn/kblNzc6KI4Uidnzyg:OV8kni7X/HkblNw6T4Uidnzyg
Score

10^/10

agenda neshta discovery persistence ransomware spyware stealer
- Agenda Ransomware
  A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
  ransomware agenda
- Agenda family
  agenda
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2