General

  • Target

    2025-04-21_81499281fc56d523784a9de7ba7aa3e2_darkside_elex_neshta

  • Size

    187KB

  • Sample

    250421-mv7gqs1wfv

  • MD5

    81499281fc56d523784a9de7ba7aa3e2

  • SHA1

    889e5499efc00ea3fd18876a0ca1317b97b3056a

  • SHA256

    cacd19da487b913db74cfd788771b355559ab45e90c7354be85c7e2c1c0ff15b

  • SHA512

    f0614cdf38e97adec2767a85d4b3fa39fa4a88d63cb2f3672089cc88e1e3b0d7c2fad7c885edd1380c445d1bedcdd849b13f8d8fd70aad852d849b743fc4e0f9

  • SSDEEP

    1536:JxqjQ+P04wsmJCVvMH+1zGSNAojMP95D1xDzp6HbSCkHdMBfusRDARJbWUyzUzIW:sr85CDcSNm9V7Dzx19pODObWT7qJogYg

Malware Config

Extracted

Path

C:\ni8pxbvnx.README.txt

Ransom Note
>>>> Your data are stolen and encrypted! >>>> Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Your competitors or law enforcement may get them on the web. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... You can request the tree of files that we have. >>>> You need contact us and decrypt one file for free, send a small file for test decryption with your personal DECRYPTION ID to tox chat: >>>> Your personal DECRYPTION ID: 6791ACA56D6F7E545C3723DA457BF3C8 1)Download and install TOX chat: https://tox.chat 2)Write to this tox id: DED25DCB2AAAF65A05BEA584A0D1BB1D55DD2D8BB4185FA39B5175C60C8DDD0C0A7F8A8EC815 and wait for the answer, we will always answer you. >>>> DO NOT MODIFY FILES YOURSELF. >>>> DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. >>>> YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >>>> YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.
URLs

https://tox.chat

Extracted

Path

C:\ni8pxbvnx.README.txt

Ransom Note
>>>> Your data are stolen and encrypted! >>>> Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Your competitors or law enforcement may get them on the web. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... You can request the tree of files that we have. >>>> You need contact us and decrypt one file for free, send a small file for test decryption with your personal DECRYPTION ID to tox chat: >>>> Your personal DECRYPTION ID: 6791ACA56D6F7E54B13D352CEB3EC21E 1)Download and install TOX chat: https://tox.chat 2)Write to this tox id: DED25DCB2AAAF65A05BEA584A0D1BB1D55DD2D8BB4185FA39B5175C60C8DDD0C0A7F8A8EC815 and wait for the answer, we will always answer you. >>>> DO NOT MODIFY FILES YOURSELF. >>>> DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. >>>> YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >>>> YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.
URLs

https://tox.chat

Targets

    • Target

      2025-04-21_81499281fc56d523784a9de7ba7aa3e2_darkside_elex_neshta

    • Size

      187KB

    • MD5

      81499281fc56d523784a9de7ba7aa3e2

    • SHA1

      889e5499efc00ea3fd18876a0ca1317b97b3056a

    • SHA256

      cacd19da487b913db74cfd788771b355559ab45e90c7354be85c7e2c1c0ff15b

    • SHA512

      f0614cdf38e97adec2767a85d4b3fa39fa4a88d63cb2f3672089cc88e1e3b0d7c2fad7c885edd1380c445d1bedcdd849b13f8d8fd70aad852d849b743fc4e0f9

    • SSDEEP

      1536:JxqjQ+P04wsmJCVvMH+1zGSNAojMP95D1xDzp6HbSCkHdMBfusRDARJbWUyzUzIW:sr85CDcSNm9V7Dzx19pODObWT7qJogYg

    • Detect Neshta payload

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Neshta

      Neshta is a file infector: malware from this family injects itself into other executable files to spread and cause damage.

    • Neshta family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Renames multiple (630) files with added filename extension

      This suggests ransomware activity, namely the encryption of files across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks