Overview

overview

10

Static

static

8

d85188c58a...in.exe

windows7_x64

10

d85188c58a...in.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.bin

  • Size

    2.5MB

  • Sample

    210317-6vkqva8c6a

  • MD5

    1a2978ce842c0d4c2fc309801cbbcabb

  • SHA1

    45adb2e2ee26e9221b76e71180dc955b7c9eff70

  • SHA256

    d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a

  • SHA512

    5cefd6c89153259835cdd0e4be1c68bf61ccf25c63c8a2bcf78e0bcbde354ca588e39e06699820ca4da488f3e69a14e04f89d25cd1be6c01c80fb210f9da23ac

Score
10/10
snatchransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only we can decrypt them. Contact us: legalrestore@airmail.cc or master1restore@cock.li Write us if you want to return your files - we can do it very quickly! The header of letter must contain extension of encrypted files. We always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. Do not edit or delete any virtual machines files To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups). HURRY UP! If you do not email us in the next 48 hours then your data may be lost permanently.
Emails

legalrestore@airmail.cc

master1restore@cock.li

Targets

    • Target

      d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.bin

    • Size

      2.5MB

    • MD5

      1a2978ce842c0d4c2fc309801cbbcabb

    • SHA1

      45adb2e2ee26e9221b76e71180dc955b7c9eff70

    • SHA256

      d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a

    • SHA512

      5cefd6c89153259835cdd0e4be1c68bf61ccf25c63c8a2bcf78e0bcbde354ca588e39e06699820ca4da488f3e69a14e04f89d25cd1be6c01c80fb210f9da23ac

    Score
    10/10
    snatchransomwarespywarestealerupx

    • Detecting the common Go functions and variables names used by Snatch ransomware

    • Snatch Ransomware

      Ransomware family generally distributed through RDP bruteforce attacks.

      ransomwaresnatch

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks