General

Target: mesager43.exe
Size: 511KB
Sample: 201104-ygmkxrn8ma
MD5: 3163bba8a4861d47aafa1667d3082fee
SHA1: 32824014c8740b8fef306e742c891bec0ef068d3
SHA256: 39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e
SHA512: e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450
Static task: static1
Behavioral task: behavioral1 (sample mesager43.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample mesager43.exe, resource win10v20201028)
Malware Config

Extracted (two identical extractions, one per behavioral task):
Ransom note path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Contact emails: kassmaster@danwin1210.me, kassmaster@tutanota.com
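The hashes under General and the extracted ransom-note configuration above are the indicators a responder would actually match against a suspect file and a dropped note. The following is an added example written for this page, not code from the sandbox or from the Buran family: it hashes a candidate file with the four algorithms the report lists, and it checks whether a dropped note sits at a drive root under the reported name and which contact addresses it carries. The ransom-note text in the block is constructed for the demonstration (the report gives only the note's path, family tag and emails, not its wording), and helper names such as `triage_note` are the example's own.

```python
"""Match a candidate file and a dropped ransom note against the IoCs in this report.

Added example for this page; not part of the sandbox report or of the malware.
"""
import hashlib
import re

# Hashes exactly as listed under General in the report.
REPORT_HASHES = {
    "md5": "3163bba8a4861d47aafa1667d3082fee",
    "sha1": "32824014c8740b8fef306e742c891bec0ef068d3",
    "sha256": "39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e",
    "sha512": (
        "e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c"
        "861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450"
    ),
}

# Ransom note name and contact addresses from the extracted config.
RANSOM_NOTE_NAME = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
REPORT_CONTACTS = {"kassmaster@danwin1210.me", "kassmaster@tutanota.com"}

# The report says the sample enumerates drives other than C:, so accept the
# note at the root of any drive letter, not only C:\.
NOTE_PATH_RE = re.compile(r"[A-Za-z]:\\" + re.escape(RANSOM_NOTE_NAME) + r"$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def hash_bytes(data: bytes) -> dict:
    """Return the four digests the report lists, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_HASHES}


def matches_report(data: bytes) -> dict:
    """Per-algorithm True/False: does this file match the reported sample?"""
    digests = hash_bytes(data)
    return {algo: digests[algo] == expected for algo, expected in REPORT_HASHES.items()}


def extract_contacts(note_text: str) -> set:
    """Pull every email-looking token out of a ransom note body."""
    return set(EMAIL_RE.findall(note_text))


def triage_note(path: str, note_text: str) -> dict:
    """Compare a dropped note's location and contacts with the report's config.

    new_contacts is the interesting field during response: addresses not in
    the report suggest a different affiliate or build, not a hash-identical drop.
    """
    contacts = extract_contacts(note_text)
    return {
        "name_matches": NOTE_PATH_RE.fullmatch(path) is not None,
        "contacts": contacts,
        "known_contacts": contacts & REPORT_CONTACTS,
        "new_contacts": contacts - REPORT_CONTACTS,
    }


# Constructed sample note for the demonstration; wording is invented, only the
# contact addresses come from the report's extracted config.
SAMPLE_NOTE = (
    "Your files have been encrypted.\n"
    "Contact us: kassmaster@danwin1210.me or kassmaster@tutanota.com.\n"
)

if __name__ == "__main__":
    # A real run would read the suspect binary: open(path, "rb").read()
    print(matches_report(b"not the sample"))
    print(triage_note("D:\\" + RANSOM_NOTE_NAME, SAMPLE_NOTE))
```

The hash comparison is exact-match only; a recompiled or repacked build from the same affiliate will miss on every algorithm while still dropping a note with the same contacts, which is why the note check is kept separate from the hash check.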
Targets

Target: mesager43.exe (511KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Score: 10/10
Signatures

- Buran: ransomware-as-a-service based on the VegaLocker family; first identified in 2019.
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies service