Description | Backdoor/botnet which carries out malicious activities based on commands from a C2 server. |
Filename | Vr.rar |
Size | 8MB |
Analysis ID | 201125-xeckn6wq3s |
MD5 | 65db9d146bda563ec5749ec53091b2aa |
SHA1 | 220b5f4edfb7310ed96020cdbac22f13911304ab |
SHA256 | cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681 |
SHA512 | ddd8cc9178b2f5605d28dc6110bb23ba56209677c29089ee8977b11333ed677be8439183c1181f2d75b5ac97357aecf6d7fcc50748ac724e79ffd5f3a7aa46b3 |
Path | C:\_readme.txt |
Ransom Note |
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-jydQMZP2Ie
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
helpmanager@mail.ch
Reserve e-mail address to contact us:
restoremanager@airmail.cc
Your personal ID:
0267OrjkgUGkv6TOoEMNyhW6VCgrizkAUg4XiClXtVqLCdtl
|
Emails | helpmanager@mail.ch, restoremanager@airmail.cc |
URLs | https://we.tl/t-jydQMZP2Ie |
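To turn a note like this into something a hunt team can act on, an analyst extracts the contact addresses, the link, the quoted prices and the victim ID, then hashes a normalised copy of the remaining text so that notes from the same build can be clustered even when the ID and the contact addresses change. The block below is an added example written for this page, not code from the report; the note text is embedded as constructed input (copied from the extraction above), and the regular expressions, field names and the fingerprint scheme are the editor's choices. The note format (_readme.txt, the $980/$490 offer with a 72-hour discount, the per-victim ID) is characteristic of the STOP/Djvu ransomware family; that attribution is the editor's observation, not a verdict stated by the report.

```python
import hashlib
import re

# Constructed copy of the ransom note shown above (C:\_readme.txt), embedded so
# the example runs offline. It is the only input this example needs.
NOTE = """ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-jydQMZP2Ie
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
helpmanager@mail.ch
Reserve e-mail address to contact us:
restoremanager@airmail.cc
Your personal ID:
0267OrjkgUGkv6TOoEMNyhW6VCgrizkAUg4XiClXtVqLCdtl
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PRICE_RE = re.compile(r"\$(\d+)")
# The per-victim ID follows the "personal ID:" label on the next line.
ID_RE = re.compile(r"(personal ID:)\s*\n\s*([A-Za-z0-9]{20,})", re.IGNORECASE)


def extract_iocs(note: str) -> dict:
    """Pull the victim-facing indicators out of a note: contact e-mails,
    URLs, quoted prices and the per-victim ID."""
    m = ID_RE.search(note)
    return {
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "urls": sorted(set(URL_RE.findall(note))),
        "prices_usd": [int(p) for p in PRICE_RE.findall(note)],
        "personal_id": m.group(2) if m else None,
    }


def template_fingerprint(note: str) -> str:
    """SHA-256 of the note with every victim- or campaign-specific field
    blanked, so notes from the same build match even though each victim
    gets a different ID and operators rotate addresses, links and prices."""
    t = ID_RE.sub(r"\1\n<ID>", note)
    t = EMAIL_RE.sub("<EMAIL>", t)
    t = URL_RE.sub("<URL>", t)
    t = PRICE_RE.sub("$<N>", t)
    t = re.sub(r"\s+", " ", t).strip().lower()   # ignore whitespace and case drift
    return hashlib.sha256(t.encode("utf-8")).hexdigest()


def same_template(a: str, b: str) -> bool:
    """True when two notes are the same template with different variable fields."""
    return template_fingerprint(a) == template_fingerprint(b)


if __name__ == "__main__":
    print(extract_iocs(NOTE))
    print(template_fingerprint(NOTE))
```

The fingerprint is deliberately coarse: it keys on the operator's wording, not on any value the operator can change per victim, which is what makes it useful for linking samples across a campaign.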
Family | smokeloader |
Version | 2020 |
C2 |
http://vintrsi.com/upload/
http://woatdert.com/upload/
http://waruse.com/upload/
|
rc4.i32 | |
rc4.i32 | |

Family | smokeloader |
Version | 2019 |
C2 |
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
|
rc4.i32 | |
rc4.i32 | |
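The 32 C2 URLs in the 2019 config share one naming scheme, so a hostname matcher will also catch sibling domains the config does not list; and because both configs' rc4.i32 key fields are empty, the URL lists are the only usable material from this extraction. The block below is an added example by the editor, not code from the report or from any SmokeLoader tooling: it reduces the C2 URLs above to hostnames, applies a regular expression inferred from the listed names (an assumption derived from this list, not a documented generation algorithm), and runs both the exact list and the pattern over a few constructed BIND-style query-log lines.

```python
import re
from urllib.parse import urlparse

# C2 URLs from the two SmokeLoader configs on this page, copied as reported.
C2_2020 = [
    "http://vintrsi.com/upload/",
    "http://woatdert.com/upload/",
    "http://waruse.com/upload/",
]
C2_2019 = [
    "http://10022020newfolder1002002131-service1002.space/",
    "http://10022020newfolder1002002231-service1002.space/",
    "http://10022020newfolder3100231-service1002.space/",
    "http://10022020newfolder1002002431-service1002.space/",
    "http://10022020newfolder1002002531-service1002.space/",
    "http://10022020newfolder33417-01242510022020.space/",
    "http://10022020test125831-service1002012510022020.space/",
    "http://10022020test136831-service1002012510022020.space/",
    "http://10022020test147831-service1002012510022020.space/",
    "http://10022020test146831-service1002012510022020.space/",
    "http://10022020test134831-service1002012510022020.space/",
    "http://10022020est213531-service100201242510022020.ru/",
    "http://10022020yes1t3481-service1002012510022020.ru/",
    "http://10022020test13561-service1002012510022020.su/",
    "http://10022020test14781-service1002012510022020.info/",
    "http://10022020test13461-service1002012510022020.net/",
    "http://10022020test15671-service1002012510022020.tech/",
    "http://10022020test12671-service1002012510022020.online/",
    "http://10022020utest1341-service1002012510022020.ru/",
    "http://10022020uest71-service100201dom2510022020.ru/",
    "http://10022020test61-service1002012510022020.website/",
    "http://10022020test51-service1002012510022020.xyz/",
    "http://10022020test41-service100201pro2510022020.ru/",
    "http://10022020yest31-service100201rus2510022020.ru/",
    "http://10022020rest21-service1002012510022020.eu/",
    "http://10022020test11-service1002012510022020.press/",
    "http://10022020newfolder4561-service1002012510022020.ru/",
    "http://10022020rustest213-service1002012510022020.ru/",
    "http://10022020test281-service1002012510022020.ru/",
    "http://10022020test261-service1002012510022020.space/",
    "http://10022020yomtest251-service1002012510022020.ru/",
    "http://10022020yirtest231-service1002012510022020.ru/",
]


def c2_hostnames(urls):
    """Reduce C2 URLs to lower-case hostnames, the form DNS and proxy logs carry."""
    return sorted({urlparse(u).hostname.lower() for u in urls})


# Pattern inferred by the editor from the 2019 list (an assumption, not a
# documented DGA): literal 10022020 prefix, a hyphen, then either the
# "service1002" token or the 10022020 stamp again before the TLD.
SMOKE_2019_RE = re.compile(
    r"^10022020[a-z0-9]+-[a-z0-9]*(?:service1002|10022020)[a-z0-9]*\.[a-z]+$"
)


def matches_2019_pattern(hostname):
    return bool(SMOKE_2019_RE.match(hostname.lower()))


QUERY_RE = re.compile(r"query:\s*(\S+)")


def scan_dns_log(lines, known_c2, pattern_match=matches_2019_pattern):
    """Return (line_no, hostname, reason) for every queried name that is an
    exact C2 hostname ("known-c2") or fits the inferred pattern ("pattern")."""
    known = set(known_c2)
    hits = []
    for n, line in enumerate(lines, 1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower().rstrip(".")
        if host in known:
            hits.append((n, host, "known-c2"))
        elif pattern_match(host):
            hits.append((n, host, "pattern"))
    return hits


# Constructed BIND-style query-log lines; not telemetry from this report's run.
SAMPLE_LOG = [
    "25-Nov-2020 10:02:41.101 client 10.0.0.5#51234: query: www.microsoft.com IN A + (10.0.0.1)",
    "25-Nov-2020 10:02:41.205 client 10.0.0.5#51235: query: vintrsi.com IN A + (10.0.0.1)",
    "25-Nov-2020 10:02:41.330 client 10.0.0.5#51236: query: 10022020test13461-service1002012510022020.net IN A + (10.0.0.1)",
    "25-Nov-2020 10:02:41.412 client 10.0.0.5#51237: query: 10022020test99931-service1002012510022020.club IN A + (10.0.0.1)",
    "25-Nov-2020 10:02:41.500 client 10.0.0.5#51238: query: service1002.example.com IN A + (10.0.0.1)",
]


def main():
    known = c2_hostnames(C2_2020) + c2_hostnames(C2_2019)
    for hit in scan_dns_log(SAMPLE_LOG, known):
        print(hit)


if __name__ == "__main__":
    main()
```

The fourth log line is a domain absent from the config but built the same way; the exact-match list misses it and the pattern catches it, which is the point of inferring the pattern. Keep the pattern hit at a lower severity than an exact match until the inference has been checked against passive DNS.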
File | 0x000100000001ab86-55.exe |
MD5 | e2e9483568dc53f68be0b80c34fe27fb |
Size | 262KB |
SHA1 | 8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9 |
SHA256 | 205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37 |
SHA512 | b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e |

File | 0x000100000001ab87-47.exe |
MD5 | f0372ff8a6148498b19e04203dbb9e69 |
Size | 71KB |
SHA1 | 27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8 |
SHA256 | 298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf |
SHA512 | 65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865 |

File | 0x000100000001ab9c-70.exe |
MD5 | 5c6684e8c2b678de9e2776c6b50ddd72 |
Size | 977KB |
SHA1 | 7d255100d811de745e6ee908d1e0f8ba4ff21add |
SHA256 | bb5d2c07ce902c78227325bf5f336c04335874445fc0635a6b67ae5ba9d2fefc |
SHA512 | f627ca67610f9d5c137bdae8b3f8f6c08ff9162d12b3e30d3886c72aec047d34e31b5f0e17120dc99d71b0c316e43bb946fc5d40a9babec7229ce3a3c9292acb |

File | 0x000100000001ad02-313.exe |
MD5 | 7f1c0fe70e588f3bead08b64910b455e |
Size | 620KB |
SHA1 | b0d78d67ee8a703e2c5dff5f50b34c504a91cfee |
SHA256 | 4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4 |
SHA512 | e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84 |

File | 0x000200000001aca8-173.exe |
MD5 | a6279ec92ff948760ce53bba817d6a77 |
Size | 61KB |
SHA1 | 5345505e12f9e4c6d569a226d50e71b5a572dce2 |
SHA256 | 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181 |
SHA512 | 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c |
File | 0x000200000001acb5-183.exe |
MD5 | 6b32791ddadc54b2e770a881eb83c260 |
Size | 10MB |
SHA1 | d5815c8b204c47ebbb9f91c4f66e459e14136a32 |
SHA256 | 23cb1064049da1e64c231cacee9908d9c1aed6a57b786740361d206d14bd2973 |
SHA512 | 3a7334533bbcf4b1ad5b6200a9ef4c319a72ea06659e42c9b857e8e02c9115b04e63a61fb892f475456d53b907a7b7fe7fafb09d9e66cfc51481c2f170ac86fb |
Signatures |
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.
|

File | 0x000200000001acdf-236.exe |
MD5 | 996ba35165bb62473d2a6743a5200d45 |
Size | 274KB |
SHA1 | 52169b0b5cce95c6905873b8d12a759c234bd2e0 |
SHA256 | 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d |
SHA512 | 2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634 |

File | 0x000200000001ace9-240.exe |
MD5 | 637a8b78f4985a7807c6cdb238df4534 |
Size | 602KB |
SHA1 | 01c47b02ec8b83a0a29590c2512c844318af8710 |
SHA256 | 87dc2c320339840a39ae63d4a53a406d2c091573c9f75aa28ea614b454fcfe95 |
SHA512 | 0eef7aec2cd0de345299bccda7cce486d65bde9d8d1dcfb6a90ffff79bb32d2be36452b064e4bd5da7aa5998e3398dca4bc1bf1ead863c324f7111a8ebfa0682 |
Signatures |
Email clients store some user data on disk, which infostealers often target.
Infostealers often target stored browser data, which can include saved credentials.
Uses a legitimate IP lookup service to find the infected system's external IP.
|
File | 0x000300000001a5a2-209.exe |
MD5 | 185749ffbb860d3e5b705b557d819702 |
Size | 842KB |
SHA1 | f09470a934d381cfc4e1504193eb58139061a645 |
SHA256 | 1c5319523b316c789c5c29e87675e580a9016b4624f197df889cb942c9a32bfa |
SHA512 | 0bb85d296bdcee1fd50200af1924c73f751b08737256178052f46a8937a1a9be5656b4ea465b97ef798e48a0f600ceb7d2e18feb4026426112642d3b9213cce5 |
Signatures |
Uses the MpCmdRun utility to delete all Windows Defender AV definitions.
Ransomware generally changes the extension on encrypted files.
Email clients store some user data on disk, which infostealers often target.
Infostealers often target stored browser data, which can include saved credentials.
Uses a legitimate IP lookup service to find the infected system's external IP.
|
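The MpCmdRun signature is the most actionable behaviour in this run: a sample wiping Defender's definitions is a reliable precursor to encryption, and the command is rare in normal operation. The block below is an added example by the editor, not from the report: it runs a small detection over constructed process-creation events laid out like Sysmon Event ID 1 fields. The report does not show the exact command line; -RemoveDefinitions with its -All, -DynamicSignatures and -Engine scopes are MpCmdRun's documented switches, while the event records, paths and the severity scheme are the editor's assumptions.

```python
import re

# Constructed process-creation events in the field layout of Sysmon Event ID 1
# (Image, CommandLine, ParentImage). Illustrative, not this report's telemetry.
EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\payload.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mpcmdrun -removedefinitions -dynamicsignatures",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\payload.exe"},
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

REMOVE_RE = re.compile(r"[-/]removedefinitions\b")
ALL_RE = re.compile(r"[-/]all\b")
# Parent locations a legitimate definition-management task never runs from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def detect_definition_removal(event):
    """Flag MpCmdRun -RemoveDefinitions. Matching on the command line rather
    than only the image path keeps a copy launched through cmd.exe, without
    the .exe suffix or in mixed case, inside the detection."""
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    if "mpcmdrun" not in cmd and not image.endswith("\\mpcmdrun.exe"):
        return None
    if not REMOVE_RE.search(cmd):
        return None
    scope = "all" if ALL_RE.search(cmd) else "partial"
    parent = event.get("ParentImage", "")
    from_user_dir = any(p in parent.lower() for p in USER_WRITABLE)
    severity = "high" if scope == "all" or from_user_dir else "medium"
    return {"scope": scope, "severity": severity, "parent": parent}


def scan_events(events):
    """(index, finding) for every event that trips the detection."""
    hits = []
    for idx, ev in enumerate(events):
        finding = detect_definition_removal(ev)
        if finding:
            hits.append((idx, finding))
    return hits


if __name__ == "__main__":
    for idx, finding in scan_events(EVENTS):
        print(idx, finding)
```

The two benign events (-SignatureUpdate from svchost.exe, a manual -Scan from explorer.exe) are the ones that would generate noise if the rule keyed on the image alone; the rule stays silent on them because the switch, not the binary, is the indicator.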
File | 0x000300000001ac90-122.exe |
MD5 | ceec23bdfaa35e0eeee0bb318f9d339f |
Size | 411KB |
SHA1 | 69337754824f165accef920ec90d25aae72da9ca |
SHA256 | e6ba7316c20de986784a205b13617c3c13ce4daa628a26d0c2d4bbf0fe7a21c6 |
SHA512 | 7d401409ab447ebbcd1412e192815a8f257e4fb947feb5f69834e4a97efa7031b4ff1fcd5f1d97277a465a96b12c78ef6ae79795e416cb14f4beb3dfa0bc6e47 |
Signatures |
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Infostealers often target stored browser data, which can include saved credentials.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Uses a legitimate IP lookup service to find the infected system's external IP.
|

File | 0x000300000001ac99-126.exe |
MD5 | ca58d4cf4a5e0725f844c8eae3f8ae67 |
Size | 300KB |
SHA1 | fbce92619ce23f4594846f2f789e513dab9f3239 |
SHA256 | 0e3774d65577253a820f1ee272d7a0c96e4c6a869ef8f749fe7f83d2fc49f054 |
SHA512 | 32bdfc2e72fff79c075d5f9ead8268f1e9e0648635fd977f6d8db62358c48d5451b64e639b1853bd87220a1157e74754e1109b3f1797f98ef02d5151fb09f4a9 |
Signatures |
Modular backdoor trojan in use since 2014.
Bootkits write to the MBR to gain persistence at a level below the operating system.
|
File | 0x000300000001ac9e-134.exe |
MD5 | fdde60834af109d71f4c7d28b865c8a1 |
Size | 311KB |
SHA1 | 4f721105161b74e07b5ccd762d32932989bfb03a |
SHA256 | b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87 |
SHA512 | fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778 |
Signatures |
Modular backdoor trojan in use since 2014.
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Simple but powerful infostealer that was very active in 2019.
Email clients store some user data on disk, which infostealers often target.
Infostealers often target stored browser data, which can include saved credentials.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Attempts to read the root path of hard drives other than the default C: drive.
|
File | 0x000300000001ac9e-206.exe |
MD5 | fdde60834af109d71f4c7d28b865c8a1 |
Size | 311KB |
SHA1 | 4f721105161b74e07b5ccd762d32932989bfb03a |
SHA256 | b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87 |
SHA512 | fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778 |
Note | Identical content to 0x000300000001ac9e-134.exe above (same MD5, SHA1, SHA256 and SHA512); treat the two dumps as one payload when building blocklists. |
Signatures |
Modular backdoor trojan in use since 2014.
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Attempts to read the root path of hard drives other than the default C: drive.
|
File | 0x000300000001ac9f-141.exe |
MD5 | 5898d001eedb60a637f9334965e241a9 |
Size | 19KB |
SHA1 | 59d543084a8230ac387dee45b027c47282256d02 |
SHA256 | 08eb269d6c3bfaf4d3cde53a987e0adc96a171235d3c34e3c6e9422920e793dd |
SHA512 | d8be87bddd9f289597221d864370dfdd1ea94d2910837e211f34eec0fee56477672d98bd0565059389ff6d9ac79002f0ffa792feb84db02b18f432c6174e71e0 |
Signatures |
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Infostealers often target stored browser data, which can include saved credentials.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Uses a legitimate IP lookup service to find the infected system's external IP.
|

File | 0x000300000001acec-245.exe |
MD5 | 801a4e85faeb41919a0da6fa174ada04 |
Size | 482KB |
SHA1 | cf6a3be6cf3130a0d2a92ac9eec392e43029a06c |
SHA256 | 23a96527c86ed75232f146343a612a96b8a6e70433cbdf39c9a611aeb3191ddd |
SHA512 | 319b835e51c98e710a9bea852b79796f1516a5f38b092a2319e65cf21ca63be25621a8a89bd33fe32bc75fde5e115597d141fb68897738daccf476e9576dd54b |
File | 0x000300000001aced-248.exe |
MD5 | 7f1c0fe70e588f3bead08b64910b455e |
Size | 620KB |
SHA1 | b0d78d67ee8a703e2c5dff5f50b34c504a91cfee |
SHA256 | 4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4 |
SHA512 | e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84 |
Note | Identical content to 0x000100000001ad02-313.exe above (same MD5, SHA1, SHA256 and SHA512); one payload, dumped twice. |
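Two pairs of dumps above carry identical digests (0x000300000001ac9e-134 with -206, and 0x000100000001ad02-313 with 0x000300000001aced-248), and the flattened layout makes that easy to miss when the hashes are pasted into a blocklist. The block below is an added example by the editor, not part of the report: it parses records in the page's own flattened order, classifies each digest by its hex length, collapses repeated payloads by SHA-256, and checks that records sharing a SHA-256 agree on every other digest and on size, which catches a mis-copied hash before it ships. Five records from the list above are embedded as the input; the function and field names are the editor's.

```python
import re
from collections import defaultdict

# Five extracted-file records copied verbatim from this report, in the
# flattened order the page uses: name, MD5, size, SHA1, SHA256, SHA512.
RAW = """\
0x000100000001ab86-55.exe
e2e9483568dc53f68be0b80c34fe27fb
262KB
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e
0x000100000001ad02-313.exe
7f1c0fe70e588f3bead08b64910b455e
620KB
b0d78d67ee8a703e2c5dff5f50b34c504a91cfee
4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4
e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84
0x000300000001ac9e-134.exe
fdde60834af109d71f4c7d28b865c8a1
311KB
4f721105161b74e07b5ccd762d32932989bfb03a
b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87
fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778
0x000300000001ac9e-206.exe
fdde60834af109d71f4c7d28b865c8a1
311KB
4f721105161b74e07b5ccd762d32932989bfb03a
b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87
fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778
0x000300000001aced-248.exe
7f1c0fe70e588f3bead08b64910b455e
620KB
b0d78d67ee8a703e2c5dff5f50b34c504a91cfee
4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4
e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84
"""

# A digest's hex length identifies the algorithm unambiguously.
HASH_FIELDS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
SIZE_RE = re.compile(r"^\d+(?:\.\d+)?(?:B|KB|MB|GB)$")
REQUIRED = ("name", "md5", "size", "sha1", "sha256", "sha512")


def parse_records(text):
    """Turn the flattened lines into dicts; any line that is neither a digest
    nor a size starts a new record and is taken as the file name."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEX_RE.match(line) and len(line) in HASH_FIELDS:
            if cur is None:
                raise ValueError("digest before any file name: " + line)
            cur[HASH_FIELDS[len(line)]] = line
        elif SIZE_RE.match(line):
            if cur is None:
                raise ValueError("size before any file name: " + line)
            cur["size"] = line
        else:
            cur = {"name": line}
            records.append(cur)
    return records


def missing_fields(records):
    """name -> list of absent fields, only for records that are incomplete."""
    return {r["name"]: [f for f in REQUIRED if f not in r]
            for r in records if any(f not in r for f in REQUIRED)}


def duplicate_groups(records):
    """Dump names that share a SHA-256: the same payload extracted more than once."""
    groups = defaultdict(list)
    for r in records:
        groups[r["sha256"]].append(r["name"])
    return {h: names for h, names in groups.items() if len(names) > 1}


def digest_inconsistencies(records):
    """Records sharing a SHA-256 must agree on MD5, SHA1, SHA512 and size;
    a disagreement means a transcription error somewhere in the report."""
    first, bad = {}, []
    for r in records:
        other = (r.get("md5"), r.get("sha1"), r.get("sha512"), r.get("size"))
        if first.setdefault(r["sha256"], other) != other:
            bad.append(r["name"])
    return bad


def unique_sha256(records):
    """The de-duplicated SHA-256 list a practitioner would actually ship."""
    return sorted({r["sha256"] for r in records})


if __name__ == "__main__":
    recs = parse_records(RAW)
    print(duplicate_groups(recs))
    print(digest_inconsistencies(recs))
    print(unique_sha256(recs))
```

The consistency check is cheap and worth keeping in any IOC-ingest path: two records can legitimately share every digest (same bytes dumped twice), but two records that share a SHA-256 and disagree on the MD5 cannot, so that case is always a copy error in the source.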