General
Target: 70ca11d0dfb726a0c141e05253a1b42d.exe
Size: 581KB
Sample: 210219-wlmz86vgve
MD5: 70ca11d0dfb726a0c141e05253a1b42d
SHA1: 3b8ff05941e2acebf7fc071c70b18ea9da83326b
SHA256: 0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6
SHA512: dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478
Static task: static1
Behavioral task: behavioral1
  Sample: 70ca11d0dfb726a0c141e05253a1b42d.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 70ca11d0dfb726a0c141e05253a1b42d.exe
  Resource: win10v20201028
Malware Config
Extracted:
- C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- buran
- kassmaster@tutanota.com
- kassmaster@danwin1210.me
Targets
Target: 70ca11d0dfb726a0c141e05253a1b42d.exe
Size: 581KB
Score: 10/10
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.