General

  • Target

    Archive 2.zip

  • Size

    1.1MB

  • Sample

    210528-dxr93gxbxe

  • MD5

    8a28ff9a7824a4b446720e405b80acf6

  • SHA1

    6a6d05680726ea4edfe7e1b32cb312308ff4c9e3

  • SHA256

    2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

  • SHA512

    5a33f2eb6b861cab43a9eb39bc6ae7cb8b4a888b6ccdb8f4927c2dc49b23222bcfd90d2e861f53377fab97939b2d879e52bf1d63af440203dc1a7617c9398ef4

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Instruction.txt

Ransom Note
Hello.
Your files, documents, photo, databases and all the rest aren't REMOVED. They are ciphered by the most reliable enciphering.
It is impossible to restore files without our help.
You will try to restore files independent you will lose files FOREVER.
----------------------------------------------------------
You will be able to restore files so:
1. to contact us by e-mail: [email protected]
* report your ID and we will switch off any removal of files (if don't report your ID identifier, then each 24 hours will be to be removed on 24 files. If report to ID-we will switch off it)
* you send your ID identifier and 2 files, up to 2 MB in size everyone. We decipher them, as proof of a possibility of interpretation. also you receive the instruction where and how many it is necessary to pay.
2. you pay and confirm payment.
3. after payment you receive the DECODER program. which you restore ALL YOUR FILES.
----------------------------------------------------------
You have 72 hours on payment. If you don't manage to pay in 72 hours, then the price of interpretation increases twice. The price increases twice each 72 hours.
To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours.
Address for detailed instructions e-mail: [email protected]
If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour.
If you try to decipher - you can FOREVER lose your files.
e-mail: [email protected]
Key Identifier: SLdaGCF4ew8t/9t0D4EHVnZF4HNwA9H0Ll6SD1DvUrhjH3w+qSQ7E7k63GZ7g78iOL7PZ5u3WlLOYFYXzIVDtCRq1aplveI6YC4NPS4vkRhZR9YMlt1hBkjlshxKVW4A1f4mtEv2EVjfZso+cd1hrOhln8MCNnh1iXkvBi+4/8E5Nn3ugCFRb2o6MxsQsUc6hGzSr9te6sJwOV8CEDKcwpyRgW9tzgs0Mrudw0OpgZHrgHohBvBYmP6588VKISli8yDQAt9BtRGcEgMpnULhA8i75UggGUwuYXXp9tCNeaG/AS0Zcctg30e/bh45gI9cuDrEhGAKCt5kGgB+7YZDTkAak8RFRMyZPGtjP2LKowDn76iGpRsiI/g0uIDQauvGV/bdvefJJXpfG4uF47xUXJTqeayShdkthpY13JqX4Tfi4QW2Ybyx7ve7xCLi+L16q1oF4HS02fIb+ArJ5gkh5IkEA6U6xXgfIgubPKjZsNnx+fsV5rB8pzBFNQ4lK3ZiIVZYHym6DaTcYmjcPvjpErOSkgGfG4y/SD3fEnmvKEUoegUyimBZ9aeOTZxsRcgErjXhDOdcIvy9EHKQO2KH4M47/wFpsAjnvuKlq1rbMbY9gJIbN3qY4Z41EpuMmgyr7ZIPkp6LAGdvUU2ZhHeJD6etxW4dv/nxmOsMibxThaQ=

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note
Hello.
Your files, documents, photo, databases and all the rest aren't REMOVED. They are ciphered by the most reliable enciphering.
It is impossible to restore files without our help.
You will try to restore files independent you will lose files FOREVER.
----------------------------------------------------------
You will be able to restore files so:
1. to contact us by e-mail: [email protected]
* report your ID and we will switch off any removal of files (if don't report your ID identifier, then each 24 hours will be to be removed on 24 files. If report to ID-we will switch off it)
* you send your ID identifier and 2 files, up to 2 MB in size everyone. We decipher them, as proof of a possibility of interpretation. also you receive the instruction where and how many it is necessary to pay.
2. you pay and confirm payment.
3. after payment you receive the DECODER program. which you restore ALL YOUR FILES.
----------------------------------------------------------
If you have not been answered within 24 hours by mail, use the backup link. To do this:
1. Download TOX at https ://tox.chat/clients.html
2. Sign up (takes 1 minute)
3. Add a contact. Our TOX contact - B9131B8B3AAB24F72F0DBB1783AB54231E1756277455F52BC404AD769BF83B372F13A039708F
You have 72 hours on payment. If you don't manage to pay in 72 hours, then the price of interpretation increases twice. The price increases twice each 72 hours.
To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours.
Address for detailed instructions e-mail: [email protected]
If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour.
If you try to decipher - you can FOREVER lose your files.
Key Identifier: i4owRhbeLHl50VZKaHHkoZFP0ebjIfqQnoe2zf6ziooPwo9MW9OmubGukHsn+ex0KZjeLk0aT1/mUC5AnanHFocxgIoXL0o2lnRUqf40g5C3kNbVhxYn3OyldNOY9l0d8eFx3/oA6RqLi8O4uqiTbFiMCJhBwn3/v4jjLW5hVFw2GuIsFp7ZizmCxb5axs15dz3Ogrg+EDv+3mH0SQwgRAQDzPKNfOxAkJuMMObVCieCWBKVeBXlI+Vtak3HGzChWrvmmj+tJ9b8Qxokp6rjlZvyUOmYojtw0XyMsOmGGP4sritoAQfpF9bs1JzWrbdhFhA9MImV6U2kAmBlQcjWS4Stuc9Xqwyk7cG4JYiSqkDBBUaA5nH2yeDIoWYJVnX2/XvgzR5YYFpQB+Zh3f7gpa7oT+2mZwoUxSYmnwYllw3k2mQ9NXgc2xeWj3DXjziZvbnS8r0tXVTHTaoj+Zj+EQc2GVkSUTLKQEJXkulP3vuHjfMJpXHyYx/gH1WRaKLFVZOZw5SxULBOdrTZZUXHaV6fc4dJjzZNVceMVo3oAfs+U8zWqgjRHIYH7yGr3dG5NWlOfgawFsG0uiSM6emBsTgch5wdcr8Ze63hOn/j5mq6WVsQr1ZNnpCEBNQ+JkZJtucnctebITOLHbmefSF7f/H/vipZzzPwkyfE2bPPW8M=
URLs

https://tox.chat/clients.html

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note
::: Greetings :::
Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.
.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in Bitcoins.
.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4.
Q: How to contact with you?
A: Please, write us to our qTOX account: 7BDD546F7524089A930B12F793F4C1D1B4470A15A4CBA85AA0DA6D030AFE2E48B8799204F004
You can learn about this way of communication and download it here: https://qtox.github.io/
Or use Bitmessage and write to our address: BM-2cUbGd124Dcs1Jdc5VfSa2GDMC1iaNTesC
You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/
.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6.
Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Key Identifier: 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
PC Hardware ID: 40707513

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note
::: Greetings :::
Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.
.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in Bitcoins.
.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4.
Q: How to contact with you?
A: Please, write us to our qTOX account: 7BDD546F7524089A930B12F793F4C1D1B4470A15A4CBA85AA0DA6D030AFE2E48B8799204F004
You can learn about this way of communication and download it here: https://qtox.github.io/
Or use Bitmessage and write to our address: BM-2cUbGd124Dcs1Jdc5VfSa2GDMC1iaNTesC
You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/
.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6.
Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Key Identifier: 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
Number of files that were processed is: 502
PC Hardware ID: 40707513

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note
::: Greetings :::
Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.
.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in Bitcoins.
.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4.
Q: How to contact with you?
A: Please, write us to our qTOX account: 7BDD546F7524089A930B12F793F4C1D1B4470A15A4CBA85AA0DA6D030AFE2E48B8799204F004
You can learn about this way of communication and download it here: https://qtox.github.io/
Or use Bitmessage and write to our address: BM-2cUbGd124Dcs1Jdc5VfSa2GDMC1iaNTesC
You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/
.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6.
Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Key Identifier: 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
PC Hardware ID: A2C56C1C

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Family

hakbit

Ransom Note
Your system has been encrypted. To regain access to your files and decrypt them, you need to contact us at the addresses [email protected] [email protected] (please note that there may be problems with mail from mail.ru and Yandex reaching Proton) or via the Telegram account that we will tell you after contacting your employees.
We also have data from your databases, backups, your employees' Telegram, your clients' personal data and access to payment systems.
Key Identifier: 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
Number of files that were processed is: 162

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED
All your important files have been encrypted!
Your files are safe! Only modified.(AES)
No software available on internet can help you. We are the only ones able to decrypt your files.
--------------------------------------------------------------------------------
We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely.
--------------------------------------------------------------------------------
As a result of working with us, you will receive:
Fully automatic decryptor, all your data will be recovered within a few hours after it's run.
Server with your data will be immediately destroyed after your payment.
Save time and continue working.
You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.
--------------------------------------------------------------------------------
!!!!!!!!!!!!!!!!!!!!!!!!
If you decide not to work with us:
All data on your computers will remain encrypted forever.
YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!
So you can expect your data to be publicly available in the near future..
The price will increase over time.
!!!!!!!!!!!!!!!!!!!!!!!!!
--------------------------------------------------------------------------------
It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running.
Write to us now and we will provide the best prices.
Instructions for contacting us:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install it.
3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser.
7. Start a chat and follow the further instructions.
Attention!
Any attempt to restore your files with third-party software will corrupt it.
Modify or rename files will result in a loose of data.
If you decide to try anyway, make copies before that
Key Identifier: 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
URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED
All your important files have been encrypted!
Your files are safe! Only modified.(AES)
No software available on internet can help you. We are the only ones able to decrypt your files.
We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely.
As a result of working with us, you will receive:
Fully automatic decryptor, all your data will be recovered within a few hours after it's installation.
Server with your data will be immediately destroyed after your payment.
Save time and continue working.
You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.
If you decide not to work with us:
All data on your computers will remain encrypted forever.
YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!
So you can expect your data to be publicly available in the near future..
The price will increase over time.
It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running.
Write to us now and we will provide the best prices.
Instructions for contacting us:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install it.
3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser.
7. Start a chat and follow the further instructions.
Attention!
Any attempt to restore your files with third-party software will corrupt it.
Modify or rename files will result in a loose of data.
If you decide to try anyway, make copies before that
Key Identifier: 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
URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Targets

    • Target

      0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample

    • Size

      346KB

    • MD5

      aff561dee3b750728a4f2f8681cc252c

    • SHA1

      f3a3ee6042c819ae00d028437c5f02ebefe0eb08

    • SHA256

      0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454

    • SHA512

      6b73be255c3616dedb8c5c37254729526412967e886f3aa27038dfadb268efeb048ef3099575e4214b797c6fd555e2bcddb5f6c7b890903d0c6ca3b5b948d847

    • Target

      02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample

    • Size

      481KB

    • MD5

      50379b825ba54e395092a73fb4b6e399

    • SHA1

      8171cf970cbd3746c74143d4933e4f2a69e1ea7e

    • SHA256

      02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f

    • SHA512

      42015ac9b4a3b33adda1d1c538cc33126d72f6f8ccbd4d72b58485971a0b03b9e17908d304f6e9d3a2fe389741995618ce3ce6520bec3e62930fb11b741f090d

    • Modifies Windows Defender Real-time Protection settings

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Windows security modification

    • Modifies WinLogon

    • Target

      1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample

    • Size

      367KB

    • MD5

      b31f6216e6bc5a6291a0b82de0377553

    • SHA1

      0afdc5359268f7e78a0ca3c3c67752edd304a742

    • SHA256

      1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb

    • SHA512

      7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

    • Modifies Windows Defender Real-time Protection settings

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Drops startup file

    • Modifies file permissions

    • Windows security modification

    • Modifies WinLogon

    • Target

      48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample

    • Size

      353KB

    • MD5

      3de060c1a25fb75735767e9450ed797d

    • SHA1

      8c0e899fc89aa8e0201aa8ee4ba41cd05702116e

    • SHA256

      48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698

    • SHA512

      4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

    • Modifies Windows Defender Real-time Protection settings

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Modifies file permissions

    • Windows security modification

    • Modifies WinLogon

    • Target

      714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample

    • Size

      107KB

    • MD5

      ffd507c308ffa09e21aa937bc631421a

    • SHA1

      7938ce37df604cf807e9d2767acf33984a1776a3

    • SHA256

      714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409

    • SHA512

      b48721c1e57152afe16576e7f54084e52d88d594c12203e5e56316bca8a7bc44c29b790e2e358ab0b7220b2d6e098a288b0fa602af84dda9cef16104f72d2970

    • Makop

      Ransomware family discovered by @VK_Intel in early 2020.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Drops startup file

    • Modifies file permissions

    • Target

      79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample

    • Size

      165KB

    • MD5

      1407b521eded12eca22dc4a12421be59

    • SHA1

      031cf6f7f62cbea5753b3d6cc7ee113f69aa43a3

    • SHA256

      79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249

    • SHA512

      79ed739a0ad7f9b45150f491dc9e1cd9f8d4b828fc0ff82bdc23307c4e31efefb862d163ded840438759805b3a792b3fa569d3cce13e4702987a107bc85d3406

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Modifies file permissions

    • Windows security modification

    • Target

      aa3e530d4567c1511126029fac0562ba8aa4ead0a01aceea169ade3e38a37ea7.bin.sample

    • Size

      128KB

    • MD5

      9606a0bdc7a04dcf4d8625345c2875cd

    • SHA1

      34c37511ef2105aedf55eda054e89210757f51ec

    • SHA256

      aa3e530d4567c1511126029fac0562ba8aa4ead0a01aceea169ade3e38a37ea7

    • SHA512

      64796dde9fe7791e166cecb622d7713ef3a6947e404919eaba27c532fdf3be799f8ead904402a5b9dfff27977813c77e1c86954801c7bc4a867265d6aa36a595

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Target

      b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample

    • Size

      358KB

    • MD5

      625c0b381462e729abdcca12d424e50a

    • SHA1

      9e20fd6588a16b852d5b1f5ed122706aebce58ac

    • SHA256

      b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32

    • SHA512

      48b289d17752bacbe65f46eee9b016264120dff5858bb87609bdfe2a10a1a1c6d12c395dc1bfa6adc8fe24b2b5da48957beec7eb0f38eaa244566ab0ac27c58d

    • Target

      b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample

    • Size

      393KB

    • MD5

      104b68a8b7e2913139049b30847f990f

    • SHA1

      0f25791a039298be94a3d024f5a3d1796e13a587

    • SHA256

      b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424

    • SHA512

      cba38f93247621cc38ea33f72efc1147e0a6d1a8b9256a26853ac3c1c8c3c9444d2d3a5af586e934febad1822c93fbc1e9c538759b4587720ba03a92792ce04d

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Thanos Ransomware

      Ransomware-as-a-service (RaaS) sold through underground forums.

    • Thanos executable

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Windows security modification

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Target

      d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample

    • Size

      97KB

    • MD5

      212614aa34906a41edd51491c7980529

    • SHA1

      671f1031d3b2cd242a270e17718cc0fe20122ad0

    • SHA256

      d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00

    • SHA512

      21a57568c090f0ed72b599168a16d1bfb2073e639972fb0268e6d91143f5bb54292fd6a15fea20f6d90ee817eafebf771b6c7771318a90de148fd95692f49d6a

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Modifies file permissions

    • Windows security modification

    • Modifies WinLogon

    • Drops file in System32 directory

    • Target

      e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample

    • Size

      290KB

    • MD5

      a6dcf23059f6e61fa683907c47baf73e

    • SHA1

      1d55396b26d97b18256513607dcbe3f308569d5b

    • SHA256

      e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3

    • SHA512

      72ef9997b814807e677e7861a94de3c8c2b7cb350ab79c887de61f505f23ebc2e3db177b34e86f1dedb3017f468e5c6c0f34d188c574e4cbe20410ff1bf596f7

MITRE ATT&CK Enterprise v6

Tasks

Task          Tags                                                     Score
static1       thanos                                                   10/10
behavioral1   discovery, evasion, persistence, trojan                  10/10
behavioral2   discovery, evasion, persistence, trojan                  10/10
behavioral3   discovery, evasion, ransomware, trojan                   10/10
behavioral4   discovery, evasion, persistence, ransomware, trojan      10/10
behavioral5   discovery, evasion, persistence, ransomware, trojan      10/10
behavioral6   discovery, evasion, trojan                               10/10
behavioral7   discovery, evasion, persistence, ransomware, trojan      10/10
behavioral8   discovery, evasion, trojan                               10/10
behavioral9   makop, discovery, evasion, ransomware                    10/10
behavioral10  makop, discovery, evasion, ransomware                    10/10
behavioral11  evasion, persistence, ransomware, trojan                 10/10
behavioral12  discovery, evasion, ransomware, trojan                   10/10
behavioral13  discovery, evasion                                       8/10
behavioral14  hakbit, discovery, evasion, ransomware                   10/10
behavioral15  discovery, evasion, persistence, trojan                  10/10
behavioral16  discovery, evasion, persistence, trojan                  10/10
behavioral17  thanos, evasion, persistence, ransomware, trojan         10/10
behavioral18  thanos, evasion, persistence, ransomware, trojan         10/10
behavioral19  evasion, persistence, ransomware, trojan                 10/10
behavioral20  discovery, evasion, persistence, ransomware, trojan      10/10
behavioral21  discovery, evasion, persistence, ransomware              10/10
behavioral22  discovery, evasion, persistence, ransomware              10/10