General
-
Target
2025-04-21_81499281fc56d523784a9de7ba7aa3e2_darkside_elex_neshta
-
Size
187KB
-
Sample
250421-mv7gqs1wfv
-
MD5
81499281fc56d523784a9de7ba7aa3e2
-
SHA1
889e5499efc00ea3fd18876a0ca1317b97b3056a
-
SHA256
cacd19da487b913db74cfd788771b355559ab45e90c7354be85c7e2c1c0ff15b
-
SHA512
f0614cdf38e97adec2767a85d4b3fa39fa4a88d63cb2f3672089cc88e1e3b0d7c2fad7c885edd1380c445d1bedcdd849b13f8d8fd70aad852d849b743fc4e0f9
-
SSDEEP
1536:JxqjQ+P04wsmJCVvMH+1zGSNAojMP95D1xDzp6HbSCkHdMBfusRDARJbWUyzUzIW:sr85CDcSNm9V7Dzx19pODObWT7qJogYg
Behavioral task
behavioral1
Sample
2025-04-21_81499281fc56d523784a9de7ba7aa3e2_darkside_elex_neshta.exe
Resource
win10v2004-20250410-en
Behavioral task
behavioral2
Sample
2025-04-21_81499281fc56d523784a9de7ba7aa3e2_darkside_elex_neshta.exe
Resource
win11-20250410-en
Malware Config
Extracted
C:\ni8pxbvnx.README.txt
https://tox.chat
Extracted
C:\ni8pxbvnx.README.txt
https://tox.chat
Targets
-
-
Target
2025-04-21_81499281fc56d523784a9de7ba7aa3e2_darkside_elex_neshta
-
Detect Neshta payload
-
Lockbit family
-
Neshta
Neshta is a file infector: it writes its own body into other executable files so that every infected program re-launches the infector when run, spreading the infection to further files and corrupting the originals.
-
Neshta family
-
Rule to detect the Lockbit 3.0 ransomware Windows payload
-
Renames multiple (630) files with added filename extension
630 files were renamed by appending a new extension to the original name, the pattern left by ransomware encrypting files in place. The ransom note path extracted above, C:\ni8pxbvnx.README.txt, follows the LockBit 3.0 convention in which the random string in the note name is also the extension appended to every encrypted file.
-
Checks computer location settings
Reads the country code configured in the registry before acting, a common geofence: the payload can refuse to run on systems whose locale belongs to a region the operators exclude.
-
Executes dropped EXE
-
Modifies system executable filetype association
Changes the registry handler for the executable file class so that launching any .exe first runs the infector; this is how Neshta persists and keeps re-infecting files.
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion (MITRE ATT&CK T1070.004)
The sample deletes files left behind by its own activity to hinder forensic recovery.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the thread from delivering debug events to an attached debugger: an anti-analysis technique.
-
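The rename-burst signature above (many files renamed with one appended extension) and the extracted note path (C:\ni8pxbvnx.README.txt) can be turned into a small detection that a responder could run over file-event telemetry. The following is an added example, not Triage's signature code; the threshold, the event tuple shape (pid, old_path, new_path) and the sample events are constructed for illustration.

```python
"""Flag processes that rename a burst of files by appending one extension,
then look for the LockBit 3.0 style note '<ext>.README.txt' among dropped files.
Added example; event format and threshold are assumptions, not the sandbox's own."""
import ntpath
from collections import Counter, defaultdict

# Assumed threshold for this example; the report counted 630 renames.
RENAME_THRESHOLD = 5


def appended_extension(old_path, new_path):
    """Return the extension appended to old_path to form new_path, else None.

    Uses ntpath so Windows paths are split correctly on any host OS.
    A rename counts only if the directory is unchanged and the new name is
    exactly old name + '.' + one extension (no further dots).
    """
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return None
    prefix = old_name + "."
    if not new_name.lower().startswith(prefix.lower()):
        return None
    ext = new_name[len(prefix):]
    if not ext or "." in ext:
        return None
    return ext


def detect_extension_burst(events, threshold=RENAME_THRESHOLD):
    """Group rename events by pid; return {pid: (ext, count)} for processes
    that appended the same extension to at least `threshold` files."""
    per_pid = defaultdict(Counter)
    for pid, old_path, new_path in events:
        ext = appended_extension(old_path, new_path)
        if ext is not None:
            per_pid[pid][ext] += 1
    hits = {}
    for pid, counter in per_pid.items():
        ext, count = counter.most_common(1)[0]
        if count >= threshold:
            hits[pid] = (ext, count)
    return hits


def match_ransom_notes(hits, dropped_paths):
    """For each flagged pid, find a dropped file named '<ext>.README.txt'
    (the LockBit 3.0 convention). Returns {pid: note_path} for matches."""
    notes = {}
    for pid, (ext, _count) in hits.items():
        expected = f"{ext}.README.txt".lower()
        for path in dropped_paths:
            if ntpath.basename(path).lower() == expected:
                notes[pid] = path
                break
    return notes


# Constructed sample telemetry: pid 1234 behaves like the report's sample,
# pid 5678 makes a single legitimate backup rename, pid 9012 changes a basename.
SAMPLE_EVENTS = [
    (1234, r"C:\Users\victim\Documents\report.docx", r"C:\Users\victim\Documents\report.docx.ni8pxbvnx"),
    (1234, r"C:\Users\victim\Documents\budget.xlsx", r"C:\Users\victim\Documents\budget.xlsx.ni8pxbvnx"),
    (1234, r"C:\Users\victim\Pictures\IMG_0001.jpg", r"C:\Users\victim\Pictures\IMG_0001.jpg.ni8pxbvnx"),
    (1234, r"C:\Users\victim\Pictures\IMG_0002.jpg", r"C:\Users\victim\Pictures\IMG_0002.jpg.ni8pxbvnx"),
    (1234, r"C:\Shares\finance\q1.pdf", r"C:\Shares\finance\q1.pdf.ni8pxbvnx"),
    (1234, r"C:\Shares\finance\q2.pdf", r"C:\Shares\finance\q2.pdf.ni8pxbvnx"),
    (5678, r"C:\backups\db.sql", r"C:\backups\db.sql.bak"),
    (9012, r"C:\tmp\draft.txt", r"C:\tmp\final.txt"),
]

# Constructed list of files the sandbox reported as dropped.
SAMPLE_DROPPED = [
    r"C:\ni8pxbvnx.README.txt",
    r"C:\Users\victim\Documents\desktop.ini",
]


def run_sample():
    hits = detect_extension_burst(SAMPLE_EVENTS)
    return hits, match_ransom_notes(hits, SAMPLE_DROPPED)


if __name__ == "__main__":
    hits, notes = run_sample()
    for pid, (ext, count) in hits.items():
        print(f"pid {pid}: {count} files renamed with .{ext}; note: {notes.get(pid)}")
```

Tying the burst's extension to the dropped note name is what separates a ransomware run from a backup job or bulk rename: a single process appending one novel extension to many files across directories, plus a matching `<ext>.README.txt`, is a much stronger signal than either observation alone.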