59316fc8224622a24b95b621828b5704481d6ea5001e00a108f60716210d9881

Sharing

Copy URL

Twitter E-mail

General

Target

59316fc8224622a24b95b621828b5704481d6ea5001e00a108f60716210d9881.bin
Size

465KB
Sample

200823-b14sm867ze
MD5

b48c54150f2366dd29504dbef0600ab3
SHA1

0d8190ac6b0235d881217e8e7e2df8f5426464c3
SHA256

59316fc8224622a24b95b621828b5704481d6ea5001e00a108f60716210d9881
SHA512

3d548670df6e9c229a8bcb29093f04d92496dcd01526e3c97e2b74cd683f4b653d9e2a6dd990ce9b62e33ef8899c2e29d979cb3e46dd6c493bdad3e81c1396b6

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-403932158-3302036622-1224131197-1000\bft0pz99-readme.txt

Ransom Note

OH NO! Your Files Have been Encrypted!! All of your personal files have been encrypted with AES 256 and RSA 2048 ciphers The only way to recover them is to send your Personal Installation ID to [email protected] !ANY ATTEMPT AT DECRYPTION COULD CAUSE PERMANENT DAMAGE TO YOUR FILES! Personal Installation ID -----BEGIN INSTALLATION ID----- dNvc/NOlYuk+Zm3r8lOf7uV8p6msGOsqi+8Vr4S5d2Zc2BxDmSwl683gJ35mL3+x/kzjc+9wNpfVH q3AMcN72L5pvXM6XNqEKvHa8uvd23DYMIkYDWAwJ2/Fnz3D9VIkqBaQW/57ViN1Htc97ptHB6MfC EGXhrDgzKSFCrzyl2SlpVQV9ZCpn8oJLhGzLZX4vvrG34foQ+wz/1NQr2XW7/7sM0WdR3caHPwwx FZhI9c9pXLHY9LvRlgYanMG3g2XAyxwfY7Yn5wMgts2mlem83nY8GBXe8OYzYAxzOxvdWjhagcPp y5+YdN/wBVnxoeaoQriU82C5xjr/XUvN3S/8iY8VUey6rz/kkyraIjbCW4B1l4PmCY9hLx2MghV4 /uKxSm1PBAc98ZuVrZscVXvZzs0RAgeIMMZCckTc5OqOz4GzwsTNA4tnSBr0gXz9r5N4H7d/xrkx eubk8hGMT9R61qGLyn5g4fX42V3+OczSYs4WGjjvQj5CWuKe1PgTavLEJQd/zFk4U62yXCXkIFwf DOddULi+RICMQ5+gTmxbZxhwq8n5BQx28+046A56kZInJbz0aOPJg3EpfzHYc294+4+v8o/YyxeT OpsKBLxgh32R34d10bZF8wr7od2gqqnJj4Yg6BHKhZqu1NBO4AljS9LKo0vPzsmLPsHkGV8ATQ= -----END INSTALLATION ID----- Extension: bft0pz99

Emails

[email protected]

Extracted

Path

C:\$Recycle.Bin\bft0pz99-readme.txt

Ransom Note

OH NO! Your Files Have been Encrypted!! All of your personal files have been encrypted with AES 256 and RSA 2048 ciphers The only way to recover them is to send your Personal Installation ID to [email protected] !ANY ATTEMPT AT DECRYPTION COULD CAUSE PERMANENT DAMAGE TO YOUR FILES! Personal Installation ID -----BEGIN INSTALLATION ID----- BKvv5kZksQOdtvKipwegD/6WCQ2l0EwPmIXWIiX/HmUXsACKDjQBYBD/MwrWByxBw5tThL8jvWBmw ydvlHTnx4YkuW0AkwnwklUO/v2qeAEuwZHUJlFtpD3uTdM9zKDHFD8A7iOvUx6I87itm/6JTInAQ mvm2xB33fA+lfYtkuYEuPIi14nZ/yG211ney8eO507VwJZgvO7+DjQzqZ58M8cYLgWxxrwVbmUvx PfZ4XqtXZ8KQ1sYez8duHu9A8IuqKU36sz+UEtmAJSQdWc7nd7lFU5TBbmfyi9KUEfw7XmSFDlmD leniIfsBF24pohXfDfLSTCN8jeWXLWL6qLIRVTB/tujL+RQptj0L2vJCIRSX8yGgumKM656tfImB APKoAPS5Nm3R3j5DFR7kLZhn6E4kafK91NFXYt7fNnKDvj6av43jEcF2lXteUdxJ8VUUh+bhSUrr e6VAzhtTICiGPHEnZkJd/A6Qk92lzEb2weKUMOJGImlN1dsSAO+AoK/eNgxjY9e9YN+6Y9R3uCiE GuiWM8xMMHnnrR0Tp37/v4AwmzxhPlRC2TDRH/VKaGW3/keydlBtmU3ubWdLB6/KF/D/4igPbMSw YMwFKvshrsYUIWaEVRLQyjCDZ6Jp6fqq3wxGoSQ6Zc3935oi577Gv1h654FtcUtm6At3Ep73js= -----END INSTALLATION ID----- Extension: bft0pz99

Emails

[email protected]

Extracted

Path

C:\Program Files (x86)\bft0pz99-readme.txt

Ransom Note

OH NO! Your Files Have been Encrypted!! All of your personal files have been encrypted with AES 256 and RSA 2048 ciphers The only way to recover them is to send your Personal Installation ID to [email protected] !ANY ATTEMPT AT DECRYPTION COULD CAUSE PERMANENT DAMAGE TO YOUR FILES! Personal Installation ID -----BEGIN INSTALLATION ID----- Ny+Cob+fEUjlm8SwSot2a9PeMlkv1hsudFjeGKSQb/RD8qM37q4F1DJ1raDuwiMdK+Cbdm/g2JakA aB0jntIwzrz5zRJ6ddbyOv2eWBPcigXvRjpz47eBQkWbq5Mtvuj189dGHMt2oUghWL0F6WUbgnqD 6/ibcEeACAxcTFbA8ha6mI2LsZ8RHL2GDmKFQm/P85NvozVmhCmeRQ7fttlRdSA6SQwzNMyDaGJt 6kvbFP+IA+0BU0UQn4bEViqYSyptCUzc49Q4hbuCHQXnJaS8KKWwunDscP3CjNISBBnJdSfhTkXZ 5gO5vyoaTWT3GCF5OxHjgG4C2/CHXSi4Y6lpOfsCbFFqGawUJEKdEfhAe8YoKT/TK4fTPwlmslp0 enPBAlMZoVoQjcQlkvOGRdJzALZx30GTKoOfv2H2rlofDxYiWJBh1Xm1nKTnRepmbLqdkmTMW0uQ /6ss0giTfP9+s+M8B826hfmwj7zWktCMqY4vOcDl+kBQP5sk9geutVyxyH5dyaP0q1IXRul2+Mqh /4f4CU1mOaaPR1BAWyBSHuf3YOzgNJ9IL2HJVWT3Keu7SsrXYaD2PD2w8cXUUOZ1qw1fg7t4v1jo jC5EOy8h8HAn2qJ39WXn3qB138/J0uLeasUfC46Zl2B5MzpgkZx3ylqFFN3ulIh2hWN7FkH9j0= -----END INSTALLATION ID----- Extension: bft0pz99

Emails

[email protected]

Extracted

Path

C:\ProgramData\bft0pz99-readme.txt

Ransom Note

OH NO! Your Files Have been Encrypted!! All of your personal files have been encrypted with AES 256 and RSA 2048 ciphers The only way to recover them is to send your Personal Installation ID to [email protected] !ANY ATTEMPT AT DECRYPTION COULD CAUSE PERMANENT DAMAGE TO YOUR FILES! Personal Installation ID -----BEGIN INSTALLATION ID----- d0aaShlLLQts0c4+yMeuYVizuLaNSITmrofpN1hWCz13nPg7yK6CQTq1jt3sncaTqFeiVpz99l4B7 lVV0+d86XBtoonAGfcgOBdFmIrcxGYoJU5mPEbxzHHVFMospVu0TWfkbtW8U7QFuIeusMgZ8KMmn v+yf3Uk7Hb+A4rwOuKdJKbPVvouyEdvuXKkOnR3E05X1fUf+r8C/kNJJEfxMnUFZTiu7MNGDudDz Vp9ps2W06Ca0+ORKvMsibrOfUQsVEHIfhssFISpn+nlWjpuNoCKSVXqclhRcoeKDVcsjb6mznz1V KwNxO8dyijN++Nm3HLN+nuB0ccijVwL5zlqhoDvyS03E0UOhjfOgsVxtLwTnTM9PwhEItyOvD5of zn3Yz2IVat2R3K97ThwSoY+7+ZjBZEk8bKz6/IShn4qA8Xf14N5adeSzzR7SLRDQXc4TJ12q+H+3 IPP4Yx0C6hUEw8m4m8HYgMgBa/Zd5OKJk02V5me7+Xdd1vKtIOjVCfotIRuXRsChforcioOPY361 uvi5hCS+50QKW5cwpyFVJDE7GOZKINzTbftSQvV0Vd0XIyeR5bbMmCoZ8YM1WRlcM85mgStSAp/D NC3zdb7acsKaqYMInmu5BfcWltuOImXznYk7108w/VKnRIADIsVYqQNLL8XoNiDSt6HvECVs1g= -----END INSTALLATION ID----- Extension: bft0pz99

Emails

[email protected]

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\bft0pz99-readme.txt

Ransom Note

OH NO! Your Files Have been Encrypted!! All of your personal files have been encrypted with AES 256 and RSA 2048 ciphers The only way to recover them is to send your Personal Installation ID to [email protected] !ANY ATTEMPT AT DECRYPTION COULD CAUSE PERMANENT DAMAGE TO YOUR FILES! Personal Installation ID -----BEGIN INSTALLATION ID----- Q25dSyy16vlOQOYwDYYFONWX+qvDXdk/bEuDuV4euEqR0JUeXd3EAkaK3OKtFVoS+kGzwSCLlKomD zckla6mAjTF7VOpudeOqTsnAarGkyiw+lm3qxuGLw/ZuvZqWhLtpStV078D2LDz2tyRR4eLBFoGF XDAoxBihqdvkoxvGk9cIzrnxArjki1Y1kxLoaEZv3gHUbHUIl7XO3QpuXNdjVKTHoQAp+cuM/iBP 1n9Q6W187Mx/uxl3P2gjlU0Bph0407bYvPTlh3jWxsGSMuY5vt+JQk5jFkKxomGYBiUIzpAi49dE tHYnCZMd8Ua+S2rJrxp0LrSJKOxrXv/+KQENNVOrF3XbRuejqXwDQlgjkNjn5YY+gbHJm2mEs53A YIotMxDd3mNQI+d+N/flbD6SiDutxojKaAo1Hc7TDtyq4LWONyplR2LD/OhDrsXj/o6WG7HWz/cq oUbpnJyOMQI6PT/SdfLCLnGQ12CRKwgxykC3XduaHYon6qNLVbQ1engvabqEznsYq7b+ckXA738K ssEI49sBVm2j4vgf5XgC7ybbhlcz1nj79HGpQB8ki05OGUl6UB6Hz2r/wKTgY5ko6IiEaBHRyTC9 81DH1vogkHhJ15qb9gTRcYK1ZStJoALQ53xxGTc/EqArLrq1alPrumkSP17GL8E1AKfPI5zeBM= -----END INSTALLATION ID----- Extension: bft0pz99

Emails

[email protected]

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\bft0pz99-readme.txt

Ransom Note

OH NO! Your Files Have been Encrypted!! All of your personal files have been encrypted with AES 256 and RSA 2048 ciphers The only way to recover them is to send your Personal Installation ID to [email protected] !ANY ATTEMPT AT DECRYPTION COULD CAUSE PERMANENT DAMAGE TO YOUR FILES! Personal Installation ID -----BEGIN INSTALLATION ID----- E/Kvh7NbOcmUeT4o46XWeUs2ZiphG2OF3r6JIY17wqXR7wNT1LrMwLcN4uvTG3Ezl0fHgy2L+zYC8 WO2BWoBOi9iKMGV0WH+FD903c6KpdKAdiMRPfoZHzn+v58TycCbrpiAqHQWrlAvC5pqoTXqshMbZ 1Q3suNv/0uKHWXfQDQOH46IhoO7dYCoBSfGeqtB6M+9Sp/KcnDozFHTQEaP4ynNKtfBe0ugiZUhh UYy4bcKF+xxHtTC3692oCliSHXUBIT200UGfUEjWe2Lx4BQLp/F+rlD/5Cuzl0hXANzhBdSEbCKj tNm5jIhA4eyXcJZCIOz0a0jbjBnBpUSHnN1zpgbVfZr6IfZuPmJJ84+Q+CYItcdJhbojhtr4q3dK sMxt2JEgBMQ9zYqf+SjxlPgflDlxuB1mAQoDAtCyU56LamYeYLJ0fnMOHpISQYZAss3kUm04IoVA DdXwuXluy++agkYKsbTEY5Qfyzh9+CwEzEWxU44k23VJPwkcULpByNC83nfMmR34hR9aw9oQXzFx 4HYBQf43YXBw4xKywCFHb8EaNv2IXaR9T7yHTLha7gXm+B3H/mH79ZIoNrz/4e7YdyYXonnjQ7Q9 aAe+WilGyAAqvpKf6iLU4NbWbz4rJzgP2Q4tEgdE0HhjoZnkMQasvhzVkTQr7nLrmhUg7IRJCs= -----END INSTALLATION ID----- Extension: bft0pz99

Emails

[email protected]

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\bft0pz99-readme.txt

Ransom Note

OH NO! Your Files Have been Encrypted!! All of your personal files have been encrypted with AES 256 and RSA 2048 ciphers The only way to recover them is to send your Personal Installation ID to [email protected] !ANY ATTEMPT AT DECRYPTION COULD CAUSE PERMANENT DAMAGE TO YOUR FILES! Personal Installation ID -----BEGIN INSTALLATION ID----- WVqcBKxtO4C+Xlet/O0EvnxfAYT8dXilJDtR1V3cFhJOnXFJEmXiMySrPWjiU3Ud34wYP+IxTg1fW 79GPY4iGf/delYwe9KKR6EfE+yrTuYdaIlvQUu0hmMWG2PUZyNV0CqClRDTu4R9jdiShyGqRKZeg N5zfotaSYtpMy9ckE3X8wF6BowVpn0j8LeNxNoBchZ9Rnne0VMei4YICjJmathb9amRp+qJCV/C5 +RtSqqjuZYllH4ti/4ky7PtmJs3YwmIurNHYhfiEF7Rn1uspGDbfw3i1qZc+p+CwklqijO7Yinl8 ugPThIxwSV8ezqKJp1cwzQeTLZUhR4K/3tF10gYOtAYjCAl6cuteaCwAz9BwPPKlORLtBaAZSSD8 LWO6uQapeTkfDvxKX6mESPLX7s2My/iN/SuPZmIyAcFP01++QZsARwvJwFHsskjTAZZiGatWRaBw KIF3/N29U+HKrkL1AAnTolUYsRT71xMudqYYthy70mmnRr8M2MU5csbYvw5Q9dgvEaDIstgixFFr HST1wU3+9NLr72OkA1ivN//HhTahMnYcFAJcYsUE8uZqH6A5DU+MomwUjzQf8CtHeiFme7oinjtH QeZ+jXV7w5WQ9A9HiRXyKYauvxAjZ31QRmAjB2xd2Gs0REkMQZp2PDzTNByoDiaDkymVhrtSDM= -----END INSTALLATION ID----- Extension: bft0pz99

Emails

[email protected]

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\bft0pz99-readme.txt

Ransom Note

OH NO! Your Files Have been Encrypted!! All of your personal files have been encrypted with AES 256 and RSA 2048 ciphers The only way to recover them is to send your Personal Installation ID to [email protected] !ANY ATTEMPT AT DECRYPTION COULD CAUSE PERMANENT DAMAGE TO YOUR FILES! Personal Installation ID -----BEGIN INSTALLATION ID----- KlcG999nifHcsDZwrLPNZ5Ef1SyNZg2/+Q/+xBEMt9VsdXDsSwiw/H7R3FVniA4eKqRnIe8rSUYy7 Y1dQ8+nC78LDwo64a0SWAabKXQmz4FPeFVYhrUGumgK5Bof1VTp/9KnG9PgH6S+057NmTXX9WWKn gCVG2juksTOxQnqlE67+iH3yaPID2PVATKGciY01y6PCQJOHg1wlODZtEfUTsKDLSURbEwWJH5gD TYSxmgLSRxP79NuH2eBVDThCk8S2pE1lWWSvqsL1Wxqza8ek7q1UqMJQXsmB9HRcKcLlwXhO5AD5 bSWmQ08y63hbA6FeG6wlwavgaDcsYh5yF0PLOV61dAJnlumn9f3ccKVWZaxs2B1i3JEk56oDMUAW QY3WfPiHu5j6ZAFHyOpmx8k2NUbc965PBkttfG43WP8jxMT7XxFn2aDfFf3zDQKVy9UW9mAgw1fU D+kwrujbkSvU7xmo7BhjECgMY2Qn9pVnhVa+CtCt2KJ14gjE7mWJTYVtmbjnnHe0wFKRyrPF/3JB Daou3g9/QG1oIOM+/e6dfG2kz6JGxOewJ0GDahZuS0OJM+VbelMiu08nNAyiJf8FesJtZXwME6PO 0BoouaJCvwhGl7HtPnTtalyPGHS6dWzKxMDVqBasx7S5qyYcZTV4KsfjJ08dRKchu9lx55hrRI= -----END INSTALLATION ID----- Extension: bft0pz99

Emails

[email protected]

Extracted

Path

C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\bft0pz99-readme.txt

Ransom Note

OH NO! Your Files Have been Encrypted!! All of your personal files have been encrypted with AES 256 and RSA 2048 ciphers The only way to recover them is to send your Personal Installation ID to [email protected] !ANY ATTEMPT AT DECRYPTION COULD CAUSE PERMANENT DAMAGE TO YOUR FILES! Personal Installation ID -----BEGIN INSTALLATION ID----- HUA2LCSdarZW7GCxsRGQ2MUkRW3NK9EmOYwD8lRULsQhP3V2ojyOkcIHDYWmyFEf6sXgRznMtPnEZ /+qABAh+2DDyKrWzEsHNNuGXiX2v7gXuCtHv11VzRGOM+b3dELtw6L6mxFuX66G2ffha5yeCPL59 hUnaMsFEdpvppxZ8GEHrWvLwdVW1WS4UmOxAM+REuLKPB4D+MlX85ZurkofbbNcnF+0BzBeQLjW8 7R4OFU16pvL0I6WjcHTOzU2lKasL9M9ZT161QNRddt+gmPYJSynVl2IR+Y4oN7sZoKwLpC5zJPOr gNzi41ZABoMBMbhVSRk4z65h4j3g834SDUczmmsS2GMnLD2CwAvmBx7QLqIyQbBAmgKeFhArRZIV WrH58ir7s5lqGw7e9dIR0ZFIOsWXU4r1KHHQt+IF0SkWCq1DknsFFWvh8rI5EP1aXfJ6ql7p2oLT WtAFOA/vyT2vja4XPXfIa4yTYYx4WFWjAOIQMieoPtVsp6h52Aa5bTCQvAQptBC7WemLIhtLYIPL npdOFl2MqBD1eqGMQFLMI0g1aajMiQ/Bci53CswHm/7hBfQd6mt1+VkVjWW9ocONhSCk5I9RBUkw PPPewb73zAkuS1pZW/g3lyQEGbS6uEV6X4LWfPqnEBoU8FvuRxk9Ug2qgdLYeZ3zAf69fWbBY0= -----END INSTALLATION ID----- Extension: bft0pz99

Emails

[email protected]

Extracted

Path

C:\Windows\bft0pz99-readme.txt

Ransom Note

OH NO! Your Files Have been Encrypted!! All of your personal files have been encrypted with AES 256 and RSA 2048 ciphers The only way to recover them is to send your Personal Installation ID to [email protected] !ANY ATTEMPT AT DECRYPTION COULD CAUSE PERMANENT DAMAGE TO YOUR FILES! Personal Installation ID -----BEGIN INSTALLATION ID----- lfpKBdggBXnF32QtnnFnWjtl10aS42Ry1WAQWVzt1KYNIwaUotQoqP/omXV95cxmElXfQCiPKx2en s7UXJOxsc3R5ZKQzDZKbWHVKvQHy4jz1hnPeGXFjHgS1LZBXVhlTlLyuVPI8fvqR1oDJ08NQ6UgO WYEMVxyuHPgPtmENetXxLLqStI55wJOmxxQCwkEOVpWCng+0udRYbF8BFdf3SO8UfMpR6uymjHyK /5gztrpuHokrwFLnPwEhLivLkXxXO6Tw7sdnKHIFZYbdjdfNPylY/DL9VvORrrz+mczHwuqhxOZS h2vcMADRa0w5tr9npLfI0Tfvt0UFVF4NTvrQwmx91L/H3oTUtd5sUonGoWHiETRgkhxWUvWT/7ft p2R2PlK6JMLD0dOH61CN7L5rtJrekPHZVSvmGAThJ3y7RBQFpaXYsL1FROSCV4dPwY1oCmBAE7Ls 0M52JE1DfF2NE0EthGC7+Tx3Llbpb3p7nXj7hZzfEyreDPhCRwLH0tzYhy9xtdCZPKzJlUqX3ftm t17QqYDBK1+FPt/qzSWrJ4sehWsFVnIyMsN0vQy9pmN8+5+ObWV+vS6baXr3vnXu4GzQbOqphwhZ PdWuijVwYuM688Fge9vhdag6WR9JtUoiyuPqCQrwILAz8ZTGNMvvNVtZ55biVpMmKzed+hEPyo= -----END INSTALLATION ID----- Extension: bft0pz99

Emails

[email protected]

Targets

- Target
  
  59316fc8224622a24b95b621828b5704481d6ea5001e00a108f60716210d9881.bin
- Size
  
  465KB
- MD5
  
  b48c54150f2366dd29504dbef0600ab3
- SHA1
  
  0d8190ac6b0235d881217e8e7e2df8f5426464c3
- SHA256
  
  59316fc8224622a24b95b621828b5704481d6ea5001e00a108f60716210d9881
- SHA512
  
  3d548670df6e9c229a8bcb29093f04d92496dcd01526e3c97e2b74cd683f4b653d9e2a6dd990ce9b62e33ef8899c2e29d979cb3e46dd6c493bdad3e81c1396b6
Score

10^/10

ransomware persistence spyware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Modifies service
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Modifies service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2