General
Target: 828dcdae96bf3729e803d09bdcb637d5
Size: 625KB
Sample: 201025-az9vhsl5lj
MD5: 828dcdae96bf3729e803d09bdcb637d5
SHA1: 2ecb0685626d6e7bd322f4d59ce9f1d34902fdc9
SHA256: 33f51bc65501f737c3411ddc0645a26b0777c912bf6b66a62e8cf7b433d04e9b
SHA512: ec5db19410b5cf3c2b98e840384bfe6c4b23bcf35ed57fc4ee9e89c5a2df5af6c12be63532f60b1777f1860dffb8df662f9c285506963f80e2c3b4466cbbd51f
Static task: static1
Behavioral task: behavioral1
Sample: 828dcdae96bf3729e803d09bdcb637d5.exe
Resource: win7
Behavioral task: behavioral2
Sample: 828dcdae96bf3729e803d09bdcb637d5.exe
Resource: win10
Malware Config
Extracted
C:\Users\Admin\Documents\# HELP DECRYPT #.txt
http://6liso4fbnupevqsn.onion.to/4FEB-2EA8-1B61-0006-4B19
http://6liso4fbnupevqsn.onion.cab/4FEB-2EA8-1B61-0006-4B19
http://6liso4fbnupevqsn.onion.nu/4FEB-2EA8-1B61-0006-4B19
http://6liso4fbnupevqsn.onion.link/4FEB-2EA8-1B61-0006-4B19
http://6liso4fbnupevqsn.tor2web.org/4FEB-2EA8-1B61-0006-4B19
http://6liso4fbnupevqsn.onion.to/4FEB-2EA8-1B61-0006-4B19);
http://6liso4fbnupevqsn.onion/4FEB-2EA8-1B61-0006-4B19
Extracted
C:\Users\Admin\Desktop\# HELP DECRYPT #.html
http://6liso4fbnupevqsn.onion.to/4FEB-2EA8-1B61-0006-4B19(Get
http://6liso4fbnupevqsn.onion.cab/4FEB-2EA8-1B61-0006-4B19
http://6liso4fbnupevqsn.onion.nu/4FEB-2EA8-1B61-0006-4B19
http://6liso4fbnupevqsn.onion.link/4FEB-2EA8-1B61-0006-4B19
http://6liso4fbnupevqsn.tor2web.org/4FEB-2EA8-1B61-0006-4B19
http://6liso4fbnupevqsn.onion.to/4FEB-2EA8-1B61-0006-4B19);
http://6liso4fbnupevqsn.onion.to/4FEB-2EA8-1B61-0006-4B19
http://6liso4fbnupevqsn.onion/4FEB-2EA8-1B61-0006-4B19
Extracted
C:\Users\Admin\Music\# HELP DECRYPT #.txt
http://6liso4fbnupevqsn.onion.to/7A31-E440-5D43-0006-4244
http://6liso4fbnupevqsn.onion.cab/7A31-E440-5D43-0006-4244
http://6liso4fbnupevqsn.onion.nu/7A31-E440-5D43-0006-4244
http://6liso4fbnupevqsn.onion.link/7A31-E440-5D43-0006-4244
http://6liso4fbnupevqsn.tor2web.org/7A31-E440-5D43-0006-4244
http://6liso4fbnupevqsn.onion.to/7A31-E440-5D43-0006-4244);
http://6liso4fbnupevqsn.onion/7A31-E440-5D43-0006-4244
Extracted
C:\Users\Admin\Desktop\# HELP DECRYPT #.html
http://6liso4fbnupevqsn.onion.to/7A31-E440-5D43-0006-4244(Get
http://6liso4fbnupevqsn.onion.cab/7A31-E440-5D43-0006-4244
http://6liso4fbnupevqsn.onion.nu/7A31-E440-5D43-0006-4244
http://6liso4fbnupevqsn.onion.link/7A31-E440-5D43-0006-4244
http://6liso4fbnupevqsn.tor2web.org/7A31-E440-5D43-0006-4244
http://6liso4fbnupevqsn.onion.to/7A31-E440-5D43-0006-4244);
http://6liso4fbnupevqsn.onion.to/7A31-E440-5D43-0006-4244
http://6liso4fbnupevqsn.onion/7A31-E440-5D43-0006-4244
Targets
Target: 828dcdae96bf3729e803d09bdcb637d5
Size: 625KB
MD5: 828dcdae96bf3729e803d09bdcb637d5
SHA1: 2ecb0685626d6e7bd322f4d59ce9f1d34902fdc9
SHA256: 33f51bc65501f737c3411ddc0645a26b0777c912bf6b66a62e8cf7b433d04e9b
SHA512: ec5db19410b5cf3c2b98e840384bfe6c4b23bcf35ed57fc4ee9e89c5a2df5af6c12be63532f60b1777f1860dffb8df662f9c285506963f80e2c3b4466cbbd51f
Score: 10/10
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
- JavaScript code in executable
- Modifies service
- Sets desktop wallpaper using registry