General

  • Target

    2025-04-21_303eb0514e712272949688d11dda291f_darkside_elex_neshta

  • Size

    193KB

  • Sample

    250421-mmfztatpz4

  • MD5

    303eb0514e712272949688d11dda291f

  • SHA1

    118822a7d9c35aa91b68bb23d3e7be43be0bad5f

  • SHA256

    0225ded4dc1850d79f0ee3a717c2938d3b6436fdca4a1138dfc427095e8fe878

  • SHA512

    2f8dac85cd969df2a7fadbbc1154da0f765f152044045bafd37fe6444042029b7383f29840e0644c821584cc94704dceee07925467ef4d167e61e9f9549992b8

  • SSDEEP

    3072:sr85Cs4GsUPnliByocWepjLW9lyNX0bzEvH32QvVT6glyuxl:k9JGpvEByocWedq/VzFGVT6gDl

Malware Config

Targets

    • Detect Neshta payload

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Neshta

      Neshta is a file-infecting virus: it writes a copy of itself into other executables so that launching an infected program runs the infector again and spreads it further.

    • Neshta family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Renames multiple (7652) files with added filename extension

      Appending a new extension to thousands of files in one run is the typical footprint of a ransomware payload encrypting every file it can reach on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check to avoid running on machines in certain regions.

    • Executes dropped EXE

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, such as saved credentials and session cookies.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger class, an anti-debugging trick that stops an attached debugger from receiving events for that thread.
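
The two file-system signatures above ("Renames multiple files with added filename extension" and "Modifies system executable filetype association") are simple enough to re-implement. The block below is an added illustration written for this page, not Hatching/Triage signature code: it runs a mass-rename heuristic over a constructed list of file-system events and checks an exefile open-command value against the stock Windows default. The `.locked` extension, the `alice` paths, the `wrapper.exe` command and the threshold of 5 are all constructed placeholders (the report's own run hit 7652 files; a real rule would use a much higher threshold and the sample's actual extension).

```python
"""Toy re-implementation of two sandbox signatures (illustration only, not Triage's code)."""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample of file-system events as (operation, source, destination).
# Six renames append ".locked" across two directories; the rest are benign noise.
EVENTS = [
    ("write",  r"C:\Users\alice\Documents\report.docx", None),
    ("rename", r"C:\Users\alice\Documents\report.docx", r"C:\Users\alice\Documents\report.docx.locked"),
    ("rename", r"C:\Users\alice\Documents\budget.xlsx", r"C:\Users\alice\Documents\budget.xlsx.locked"),
    ("rename", r"C:\Users\alice\Documents\notes.txt",   r"C:\Users\alice\Documents\notes.txt.locked"),
    ("rename", r"C:\Users\alice\Pictures\img001.jpg",   r"C:\Users\alice\Pictures\img001.jpg.locked"),
    ("rename", r"C:\Users\alice\Pictures\img002.jpg",   r"C:\Users\alice\Pictures\img002.jpg.locked"),
    ("rename", r"C:\Users\alice\Pictures\img003.jpg",   r"C:\Users\alice\Pictures\img003.jpg.locked"),
    ("rename", r"C:\Users\alice\Downloads\setup.tmp",   r"C:\Users\alice\Downloads\setup.exe"),   # extension replaced, not appended
    ("rename", r"C:\Users\alice\Documents\old.txt",     r"C:\Users\alice\Documents\new.txt"),     # ordinary rename
    ("rename", r"C:\Users\alice\Desktop\a.txt",         r"C:\Users\alice\Desktop\a.txt.bak"),     # one-off backup, below threshold
    ("write",  r"C:\Users\alice\Documents\desktop.ini", None),
]

# Stock (Default) value of HKCR\exefile\shell\open\command on Windows.
DEFAULT_EXEFILE_OPEN = '"%1" %*'


def appended_extension(src: str, dst: str):
    """Return the suffix if dst is src with an extra '.<suffix>' appended in the
    same directory, otherwise None. PureWindowsPath compares case-insensitively."""
    s, d = PureWindowsPath(src), PureWindowsPath(dst)
    if s.parent != d.parent:
        return None
    prefix = s.name + "."
    if d.name.startswith(prefix) and len(d.name) > len(prefix):
        return d.name[len(prefix):]
    return None


def mass_rename_signature(events, threshold: int):
    """Group rename events by appended extension and report every extension that
    was appended to at least `threshold` files, with the number of directories hit."""
    counts = Counter()
    dirs = defaultdict(set)
    for op, src, dst in events:
        if op != "rename" or dst is None:
            continue
        ext = appended_extension(src, dst)
        if ext is None:
            continue
        counts[ext] += 1
        dirs[ext].add(str(PureWindowsPath(src).parent).lower())
    return {
        ext: {"count": n, "directories": len(dirs[ext])}
        for ext, n in counts.items()
        if n >= threshold
    }


def exefile_association_tampered(command_value: str) -> bool:
    """True when the exefile open command is anything other than the stock '"%1" %*'.
    A file infector that hijacks every .exe launch inserts its own binary in front."""
    return command_value.strip() != DEFAULT_EXEFILE_OPEN


if __name__ == "__main__":
    hits = mass_rename_signature(EVENTS, threshold=5)
    for ext, info in hits.items():
        print(f"renamed {info['count']} files with appended .{ext} across {info['directories']} directories")
    # Constructed hijacked value: an interposed binary wrapping the original arguments.
    hijacked = r'"C:\constructed\wrapper.exe" "%1" %*'
    print("exefile association tampered:", exefile_association_tampered(hijacked))
```

The directory count matters in practice: a build tool that renames 5000 `.o` files in one folder looks very different from a payload touching every user directory it can enumerate, so a production rule would combine the raw count with breadth and with the preceding write events on the same paths.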

MITRE ATT&CK Enterprise v16
