General

  • Target

    af03b1a30294baaca1cdb803f86a6bed945aa69544cb3d37fb99f1412568b7aa

  • Size

    66KB

  • Sample

    210120-yqwmdxqb5e

  • MD5

    1b033111b8923c12f1d84e09769806f5

  • SHA1

    2ab84be1752574bac3ad0f9a8f9107fa5657033a

  • SHA256

    af03b1a30294baaca1cdb803f86a6bed945aa69544cb3d37fb99f1412568b7aa

  • SHA512

    2c47a5121eb0cd965f29b934a2a8536da7245eee42c7e66987410b537240f502a4b94263423ced8600be9a6fa61540bb218d4fa9f2213b888b28f0e331462c9c

Score
10/10

Malware Config

Extracted

Path

C:\58D8C7-Readme.txt

Ransom Note
Hi! Your files are encrypted. All files for this computer has extension: .58d8c7 Your filenames can be changed too, except extensions for free decrypt.
--
If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
--
For us this is just business and to prove to you our seriousness, we will decrypt you few files for free. Just open our website, upload the encrypted files and get the decrypted files for free. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before; cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public.
--
*** IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU.
--
WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. ***
--
Steps to get access on our website:
1. Download and install tor-browser: https://torproject.org/
2. Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3. Put your personal code in the input form: {code_58d8c7: z38QL+1wWY/Ys60f38zFhhL//RVj2KQ+T75jyLtYhvWJeITkCi L7OnXWCpTT7Bg+Ds4oq6CG2ZH4AQBoJyVIOY65hE312QxUt/DL dMnH2FgePqqLSaRqaL2VC9yWgUX4MazkuTlQxwTI2lQhrzDNkb dESUbAmXYXTbhSGRNv3tjHt07RyTKxGn1Qp5aOtB7QLB1ZgZzH HnJPlP7XcPIWkvnzvFxIwkf5Y3k3vqbaX3vYgXRDxt617dm98X rah4Gd+eYL9BlQFiDuygA0TwwQ9719l0VRKLtUvg==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\58D8C7-Readme.txt

Ransom Note
Identical to the note extracted from C:\58D8C7-Readme.txt (above).
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\8D9DA2-Readme.txt

Ransom Note
Hi! Your files are encrypted. All files for this computer has extension: .8d9da2 Your filenames can be changed too, except extensions for free decrypt.
--
If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
--
For us this is just business and to prove to you our seriousness, we will decrypt you few files for free. Just open our website, upload the encrypted files and get the decrypted files for free. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before; cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public.
--
*** IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU.
--
WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. ***
--
Steps to get access on our website:
1. Download and install tor-browser: https://torproject.org/
2. Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3. Put your personal code in the input form: {code_8d9da2: uha3fmJMXs9V/DqycSH3mQbCVVCsihjve3AGjuVRjablSgewXO 2EUCAf0nSpFsVa5N/mKGkAvLbiKp2QfJCTz0sWWsafZB95t/DL dPSinY360TaeeWzJgVTs26k2cl1sNldtO4G8vUpnbkb5QGnmpN jd54sizOYmx1PHd2ZlM3qOy8a/xJZQGRy3E2uBo5SSq3DL2ROO NckObUHgW5aXHIUs5kOJbGVGgdL3CFkMUkMyHScpSE0PTdqJt8 qH/yyIh7yBzJt2fgCO5xji6vSI2kyHfENIB5sMKQ==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\8D9DA2-Readme.txt

Ransom Note
Identical to the note extracted from C:\8D9DA2-Readme.txt (above).
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Google\Chrome\Application\86.0.4240.111\8D9DA2-Readme.txt

Ransom Note
Identical to the note extracted from C:\8D9DA2-Readme.txt (above).
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Targets

    Score
    10/10
    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081): 1

  • Collection: Data from Local System (T1005): 1

Tasks