General
-
Target
eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5.bin
-
Size
212KB
-
Sample
201106-43ex7ajtxj
-
MD5
da997e4d9f1fa7f863aabc3f0dc32216
-
SHA1
b5e04a9003c57598ed64afa4fef7ac16c09a43a4
-
SHA256
eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5
-
SHA512
40d01957a62a9de6897416e1cd2dd65bc1725c23167c6f31681ff43f069361a023ea3cb4ced19c079bff8f7fbe233ee81d8d1d024f035cd26611fe60827c19e7
Static task
static1
Behavioral task
behavioral1
Sample
eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5.bin.exe
Resource
win10v20201028
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
zeppelinz@airmail.cc
zeppelinz@firemail.cc
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
zeppelinz@airmail.cc
zeppelinz@firemail.cc
Targets
-
-
Target
eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5.bin
-
Size
212KB
-
MD5
da997e4d9f1fa7f863aabc3f0dc32216
-
SHA1
b5e04a9003c57598ed64afa4fef7ac16c09a43a4
-
SHA256
eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5
-
SHA512
40d01957a62a9de6897416e1cd2dd65bc1725c23167c6f31681ff43f069361a023ea3cb4ced19c079bff8f7fbe233ee81d8d1d024f035cd26611fe60827c19e7
Score10/10-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies service
-