570fbe91fdd6d1eb8cfd2f03c032cdde.exe

General

Target: 570fbe91fdd6d1eb8cfd2f03c032cdde.exe
Size: 872KB
Sample: 210604-q1mqz6zlf2
Score: 10/10
MD5: 570fbe91fdd6d1eb8cfd2f03c032cdde
SHA1: 59d07617c682fed330d82b1d97f1bf32c30c6ff1
SHA256: b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61
SHA512: e0cd9f67e26140b22dbcee760b0690e5dd2bb0242091d3c759c123789c6b2bb8abbf1c2a80d6b4e1b00f9097f4f782ba2035041c92afc2280dd75a9dc21f7fb6
Malware Config

Extracted

Path: C:\_readme.txt
Family: djvu
Ransom Note:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-B0FsLNO3fN Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpteam@mail.ch Reserve e-mail address to contact us: helpmanager@airmail.cc Your personal ID: 0300ewgfDdLQbDo3EfIVHxGuJOWRJdmxgY66rD6kiyqz4tzyt1
Emails: helpteam@mail.ch, helpmanager@airmail.cc
URLs: https://we.tl/t-B0FsLNO3fN

Signatures

  • Detected Djvu ransomware

  • Djvu Ransomware
    Description: Ransomware which is a variant of the STOP family.

  • Executes dropped EXE

  • Modifies extensions of user files
    Description: Ransomware generally changes the extension on encrypted files.

  • Modifies file permissions
    TTPs: File Permissions Modification

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (tactic columns): Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks: static1