Overview

overview

10

Static

static

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

win102

windows10_x64

1

win104

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Lenovo.Easycamera.6.32.2018.05.key.generator.by.aaocg.exe

  • Size

    6.4MB

  • Sample

    210511-8kafljkqka

  • MD5

    cdeeb6da0244476be71ebf88fa76ecdc

  • SHA1

    f26b35c822187292bc1c31c2e61b2a714daa5334

  • SHA256

    634f7f210c081e0d54fb348a921db874126736503cf7cfcf2f605c484aa6635a

  • SHA512

    149487c0ddf5c847c1e5182a921bc9d527b4bfcb525de1a129bd10c25a8119e7de153eadc6fdb157e95999ae20557aabe872c1b6ae8a8fb1a25bfe25478d30e1

Score
10/10
azorultplugxredlineservlyladiscoveryevasioninfostealerpersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

redline

Botnet

ServLyla

C2

87.251.71.193:20119

Extracted

Path

C:\Windows\TEMP\RESTORE_FILES_INFO.txt

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have two ways: 1) [Recommended] Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454 and paste it in the Tor browser. c. Start a chat and follow the further instructions. 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a. Open your any browser (Chrome, Firefox, Opera, IE, Edge) b. Open our secondary website: http://prometheusdec.in/ticket.php?track=141-5D9-Y454 c. Start a chat and follow the further instructions. Warning: secondary website can be blocked, thats why first variant much better and more available. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: urqeyGZu6Ui/gl3tJjng9271fFrMoyBRrycUad5CD+Kabkj9qBLX3MqYXt1TZY4Fqr+g7ri0Vy4I08eP1glh5j3KVN/V4fF2gQZ3QHtp7htw8pLBtGBKOv2C2k+4boivlOMMqZjN7Cxq/EXUTC344k5gZBCM49v74vIP5+Nr+YKL2mIQoyQz/cingl08cZqTd1WpFB8E4g9sZlF5UqBS9wQCB9IIkR/bn4/q8zYRaEzQxeNlyc/X/C8QZv6H7MWBGXIWAgiLQgc76joWSt8aTDqNy9Q2GgADhP5NsmoC1dDw2mL/z2cMRNjoDhFFOKrqT52Jha6vhzMSfRGx7ftiajIx8YylZZjXWfsw+dnjy9nPZVLCIfuBY5yWQTFdGLAUMHHtzzxnInTjRDT4QkbIuncI7ctiAjH4c0yGu3vVrbVOBexLZmnyfpbBmYeNp3P0h8fcN2rss+m1Gt4veqj+YbfpAijxlfSsmsvNBw3L4FkKhOJCWdr6N7gO5a00qVkWnPMISNVzES2MVOaSA9LBGxB/QcZpin81c66DUi0PojWWRHMDlA21wwwLNvN8q8fMsPZ4VD0IKc4OyMedg/biZg8lBH9VBy2UyHuB2gApPdDZedr+PVGFM3tIJ6hlZaCryhFnvIYco77NOxomqw/+FURE1f/whlpEYUlJffdkvAM=
URLs

http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454

http://prometheusdec.in/ticket.php?track=141-5D9-Y454

Targets

    • Target

      Lenovo.Easycamera.6.32.2018.05.key.generator.by.aaocg.exe

    • Size

      6.4MB

    • MD5

      cdeeb6da0244476be71ebf88fa76ecdc

    • SHA1

      f26b35c822187292bc1c31c2e61b2a714daa5334

    • SHA256

      634f7f210c081e0d54fb348a921db874126736503cf7cfcf2f605c484aa6635a

    • SHA512

      149487c0ddf5c847c1e5182a921bc9d527b4bfcb525de1a129bd10c25a8119e7de153eadc6fdb157e95999ae20557aabe872c1b6ae8a8fb1a25bfe25478d30e1

    Score
    10/10
    azorultplugxredlineservlyladiscoveryevasioninfostealerpersistencespywarestealertrojanupxransomware

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

      trojanplugx

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks