Overview

overview

10

Static

static

dll64.dll

windows7_x64

10

dll64.dll

windows10_x64

10

eiavW.exe

windows7_x64

10

eiavW.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sample_No1.zip

  • Size

    113KB

  • Sample

    210417-6cqh23njps

  • MD5

    e007d203eb070e1f35fb2c791343a9e2

  • SHA1

    fc1f90411c94a59edf6cc42af77ecb654bce973a

  • SHA256

    e88f86634b1a30b45429d6f721fef75902fb55a78629f1c0193e1629e955a55d

  • SHA512

    260d804b6a9a086b01c68f70f246fcab011eff30cd6bc48006d08c1479554b9bf6bcacd0b1e0f749e315837ebdaf46f99bba9ff5c9a105ab42a28cf40de8d56b

Score
10/10
icedidryuk2642071409bankerloaderpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Family

icedid

Campaign

2642071409

C2

netmoscito2.uno

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj Ryuk No system is safe
Wallets

15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

Targets

    • Target

      dll64.dll

    • Size

      43KB

    • MD5

      cfad79ca83be1a597222a14d4afb8dbd

    • SHA1

      4c2f0f0fad519bcbe7616fd0452dcfb9b0fb2081

    • SHA256

      e53d34c5a00e62c90781e918fd5a198475d259a9017cd2b1b5d9b91350c1e876

    • SHA512

      8abf010ebd670d90f06e0d2a8e92d84ff8dd3ab3cac03bb11cc5e344a26fb19afae033d86e8f77ecbe2ed0c5b960b42fe7b59a2cbd160f88fd091cd5904f1af4

    Score
    10/10
    icedid2642071409bankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • IcedID First Stage Loader

      loader
    behavioral1behavioral2

    • Target

      eiavW.exe

    • Size

      172KB

    • MD5

      c0202cf6aeab8437c638533d14563d35

    • SHA1

      5767653494d05b3f3f38f1662a63335d09ae6489

    • SHA256

      8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b

    • SHA512

      02516128d43914d6ff1b7e702d25771aafd2edccee1729f88ad621cea15a648bb2737b87f564e0711e6f8f99c43eb406b3b6137c68086774f1417642d51c07c0

    Score
    10/10
    ryukpersistenceransomwarespywarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks