General
Target: 2025-04-21_9a4889237b6aa74e819d60fadb869f51_bitrat_black-basta_cobalt-strike_elex_luca-stealer_neshta
Size: 459KB
Sample: 250421-n12n4ssyhx
MD5: 9a4889237b6aa74e819d60fadb869f51
SHA1: d66e40bc12cd60f525b049d4c7a9f3e20a0790aa
SHA256: b9ee022489931c6b68b63b0ae34eb1b4ef141e9bb456e84034603a9ae04e5db9
SHA512: 2bb2763e830c568dcf7fe6873bc5c55c8c8ef07d1fe8423388810ceec5991bcc50a8ce039bde4c8d47920cf3e7414a5c21dc88df700cdd4364c87b99b447b36b
SSDEEP: 12288:7vxplpMAX99S4B009MqyQMKNT75tfAD8x8q:LxplpMAtU4Bl9MdQFT75tIoOq
Behavioral task: behavioral1
Sample: 2025-04-21_9a4889237b6aa74e819d60fadb869f51_bitrat_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
Resource: win10v2004-20250410-en

Behavioral task: behavioral2
Sample: 2025-04-21_9a4889237b6aa74e819d60fadb869f51_bitrat_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
Resource: win11-20250410-en
Malware Config
Extracted from: C:\Program Files\readme.txt
Family: dragonforce
URLs:
http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Targets
Detect Neshta payload
DragonForce: Ransomware family based on LockBit that was first observed in November 2023.
Dragonforce family
Neshta: Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
Neshta family
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
Credentials from Password Stores: Windows Credential Manager: Suspicious access to Credentials History.
Drops startup file
Executes dropped EXE
Modifies system executable filetype association
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v16
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)