General
Target: 2025-04-21_8947dfad1fb06abd4a2bcffc7b54a2bd_bitrat_black-basta_cobalt-strike_elex_luca-stealer_neshta
Size: 459KB
Sample: 250421-mw29ea1xaz
MD5: 8947dfad1fb06abd4a2bcffc7b54a2bd
SHA1: aa37e858cf6a94ac69fb24db28fe8b96dc298a4e
SHA256: 6677e07bcccdeb28e532bb030f2ff2e4e39049caf6a1a0f9cd7f50e6d829daac
SHA512: 9208be80083f4ffe7538ab420572efad3b1e6a772b2b3ae601738db73ce14a05f7e21232a57a817a4a0de740ae95840b34c72089a7b5e85fa35cf1dec716a237
SSDEEP: 12288:7vxplpMAX99S4B009MqyQMKNT7T2fAD8x8q:LxplpMAtU4Bl9MdQFT7T2IoOq
Behavioral task: behavioral1
Sample: 2025-04-21_8947dfad1fb06abd4a2bcffc7b54a2bd_bitrat_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: 2025-04-21_8947dfad1fb06abd4a2bcffc7b54a2bd_bitrat_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
Resource: win11-20250410-en
Malware Config
Extracted from: C:\Program Files\readme.txt
Family: dragonforce
URLs:
http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Targets
Signatures
Detect Neshta payload
DragonForce: ransomware family based on LockBit, first observed in November 2023.
Dragonforce family
Neshta: malware from the Neshta family infects other executable files to spread itself and cause damage.
Neshta family
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Credentials from Password Stores: Windows Credential Manager: suspicious access to Credentials History.
Drops startup file
Executes dropped EXE
Modifies system executable filetype association
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v16
Credential Access
Credentials from Password Stores (2)
Credentials from Web Browsers (1)
Windows Credential Manager (1)
Unsecured Credentials (1)
Credentials In Files (1)