General

  • Target

    https://bazaar.abuse.ch/browse

  • Sample

    250519-na7sfafk3w

Malware Config

Extracted

Path

C:\Users\Public\R3ADM3.txt

Ransom Note

YOUR ALL DATA HAVE BEEN ENCRYPTED!
We have encrypted your side entire data.
The only way to decrypt your files is to receive the private key and decryption program.
To receive the private key and decryption program, you must contact us.
We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free when you contact us.
You Only Have 7 Days To Contact Us!

How to contact us
1. Download "Tor Browser" and install it.
2. In the "Tor Browser" open this site here : http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion
3. After login with below Client ID to this site and contact Manger
Client ID : 681ded4c9edfa0e65fca67c8
You need to contact "Manager" to recover all your data successfully.

!!!DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself.We WILL NOT be able to RESTORE them.
And also you can get info about us below this url.
Data publish : http://gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion
Don't share your client ID with the third-party guys, you can get scammed by fake decryptors.
!!!DANGER !!!
URLs

http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion

http://gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion
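The config above was pulled from the dropped note by the sandbox. The following is an added example (not part of the report, and not the sandbox's own extractor) showing how the same indicators can be pulled from a R3ADM3.txt copy with a small parser: the two Tor v3 onion addresses (56 base32 characters), which one is the contact portal and which one the leak site, the 24-hex Client ID, and the 7-day deadline. The note text is embedded inline, abridged and whitespace-collapsed exactly as the report shows it. One assumption is flagged: the Client ID has the shape of a MongoDB ObjectId, whose first four bytes are a Unix timestamp; the report does not say that, so the decoded time is labelled as an inference, not a fact from the sample.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed input: the ransom note as the sandbox extracted it from
# C:\Users\Public\R3ADM3.txt (copied from the report above, abridged).
RANSOM_NOTE = (
    "YOUR ALL DATA HAVE BEEN ENCRYPTED! We have encrypted your side entire data. "
    "To receive the private key and decryption program, you must contact us. "
    "You Only Have 7 Days To Contact Us! How to contact us 1. Download \"Tor Browser\" "
    "and install it. 2. In the \"Tor Browser\" open this site here : "
    "http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion "
    "3. After login with below Client ID to this site and contact Manger "
    "Client ID : 681ded4c9edfa0e65fca67c8 You need to contact \"Manager\" to recover "
    "all your data successfully. !!!DANGER !!! DO NOT MODIFY or try to RECOVER any "
    "files yourself.We WILL NOT be able to RESTORE them. And also you can get info "
    "about us below this url. Data publish : "
    "http://gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion "
    "Don't share your client ID with the third-party guys, you can get scammed by "
    "fake decryptors. !!!DANGER !!!"
)

# Tor v3 onion services are 56 base32 chars; the retired v2 form was 16.
ONION_RE = re.compile(r"https?://(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b")
CLIENT_ID_RE = re.compile(r"Client ID\s*:\s*([0-9a-f]{24})")
DEADLINE_RE = re.compile(r"(\d+)\s+Days?\s+To\s+Contact", re.IGNORECASE)
LEAK_SITE_RE = re.compile(r"Data publish\s*:\s*(https?://\S+)")


@dataclass
class NoteConfig:
    client_id: Optional[str] = None
    deadline_days: Optional[int] = None
    contact_urls: List[str] = field(default_factory=list)
    leak_urls: List[str] = field(default_factory=list)
    # ASSUMPTION (not stated in the report): the 24-hex ID is a MongoDB
    # ObjectId, so its first 4 bytes are a Unix timestamp of its creation.
    client_id_created: Optional[datetime] = None


def objectid_timestamp(client_id: str) -> datetime:
    """Decode the leading 4 bytes of a 24-hex ObjectId-style ID as UTC time."""
    return datetime.fromtimestamp(int(client_id[:8], 16), tz=timezone.utc)


def extract_config(note: str) -> NoteConfig:
    """Pull the actionable indicators out of a ransom note body."""
    cfg = NoteConfig()
    m = CLIENT_ID_RE.search(note)
    if m:
        cfg.client_id = m.group(1)
        cfg.client_id_created = objectid_timestamp(cfg.client_id)
    m = DEADLINE_RE.search(note)
    if m:
        cfg.deadline_days = int(m.group(1))
    leak = set(LEAK_SITE_RE.findall(note))
    # dict.fromkeys() de-duplicates while keeping first-seen order
    for url in dict.fromkeys(ONION_RE.findall(note)):
        (cfg.leak_urls if url in leak else cfg.contact_urls).append(url)
    return cfg


def ioc_lines(cfg: NoteConfig) -> List[str]:
    """Flatten the config into tab-separated type/value lines for a blocklist."""
    lines = [f"onion-contact\t{u}" for u in cfg.contact_urls]
    lines += [f"onion-leak\t{u}" for u in cfg.leak_urls]
    if cfg.client_id:
        lines.append(f"client-id\t{cfg.client_id}")
    return lines


if __name__ == "__main__":
    cfg = extract_config(RANSOM_NOTE)
    print("\n".join(ioc_lines(cfg)))
    print("deadline (days):", cfg.deadline_days)
    print("client ID created (if ObjectId):", cfg.client_id_created)
```

The onion regex is deliberately strict about length and alphabet so that truncated or mangled addresses in a note are not blocklisted as if they were real; anything that fails it should be reviewed by hand rather than silently dropped.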

Targets

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it writes itself into other executables so that it spreads every time one of them is run, and it damages the files it infects in the process.

    • Neshta family

    • Renames multiple (1864) files by appending a filename extension

      Mass renaming with an appended extension is the characteristic trace of ransomware encrypting files in place across the system.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check to avoid running in certain regions.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to the Credentials History store.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session data.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)
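The signatures above are the sandbox's own. As an added example (not code from the report or the sandbox), the following triage script applies the three host-side checks an incident responder would run after reading this list: mass renaming with an appended extension, the presence of the R3ADM3.txt note, and a hijacked .exe file-type association, which is the persistence trick behind "Modifies system executable filetype association". The file listing and the registry value are constructed sample data; the ".locked" extension and the "svchost.com" path are illustrative only, since the report does not name the extension this sample appended or the command it wrote.

```python
from collections import Counter
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed sample data, not taken from the sandbox run.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.locked",
    r"C:\Users\alice\Documents\notes.docx.locked",
    r"C:\Users\alice\Pictures\holiday.jpg.locked",
    r"C:\Users\alice\Pictures\team.png.locked",
    r"C:\Users\alice\Desktop\report.pdf.locked",
    r"C:\Users\Public\R3ADM3.txt",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Program Files\App\app.exe",
]
RANSOM_NOTE_NAME = "R3ADM3.txt"  # path reported in the Malware Config section
# Default value of HKCR\exefile\shell\open\command on a clean Windows host.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
# Constructed hijacked value: an extra binary is run in front of every .exe.
HIJACKED_EXEFILE_COMMAND = r'C:\Windows\svchost.com "%1" %*'


def appended_extension(files: List[str], min_count: int = 3) -> Optional[Tuple[str, int]]:
    """Return (ext, count) for the most common extension that sits after a
    normal one (report.pdf.locked), or None if no extension reaches min_count.
    Double extensions are the usual trace of bulk in-place encryption."""
    counts: Counter = Counter()
    for f in files:
        suffixes = PureWindowsPath(f).suffixes
        if len(suffixes) >= 2:
            counts[suffixes[-1].lower()] += 1
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return (ext, n) if n >= min_count else None


def ransom_note_paths(files: List[str], note_name: str = RANSOM_NOTE_NAME) -> List[str]:
    """Every path whose file name matches the known ransom note name."""
    return [f for f in files if PureWindowsPath(f).name.lower() == note_name.lower()]


def exefile_association_hijacked(command: str) -> bool:
    """True when the .exe handler is no longer the stock '"%1" %*'. Any path in
    front of it means another program runs before every executable launch."""
    return command.strip().lower() != CLEAN_EXEFILE_COMMAND.lower()


def triage(files: List[str], exefile_command: str) -> List[str]:
    """Run all three checks and return one finding string per hit."""
    findings = []
    hit = appended_extension(files)
    if hit:
        findings.append(f"mass rename: {hit[1]} files gained extension {hit[0]}")
    notes = ransom_note_paths(files)
    if notes:
        findings.append(f"ransom note present: {', '.join(notes)}")
    if exefile_association_hijacked(exefile_command):
        findings.append(f"exefile association hijacked: {exefile_command}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_FILES, HIJACKED_EXEFILE_COMMAND):
        print(line)
```

On a live host the inputs come from a recursive directory listing of the user profiles and from the default value of HKLM:\SOFTWARE\Classes\exefile\shell\open\command; the threshold in appended_extension should be raised well above 3 in production so that a handful of legitimately double-suffixed files (archive.tar.gz and the like) does not trip it.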

MITRE ATT&CK Enterprise v16

Tasks