General

  • Target

    ab6b0d00ba8f8553c015743b9da8761a9b1fca750d3f73bda573a8fbc47dafa1.sample

  • Size

    6.5MB

  • Sample

    210726-4kqjft2zhe

  • MD5

    58beaa9058c8fc4e3be97806566ab495

  • SHA1

    ed481af02c2909cca3b7a6bb7eb855bf92bb10c2

  • SHA256

    ab6b0d00ba8f8553c015743b9da8761a9b1fca750d3f73bda573a8fbc47dafa1

  • SHA512

    86165e1e115094592e32ab19caa18bcd59ae7164ed1f29dcc8c4ed50efe2e7e953cc32a0173d95b5a27c831170632069b0a98f1e451dc4931ea8965ad0d2c2c6

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RESTORE_HCEEM_DATA.txt

Ransom Note

Attention!
Do not rename the ciphered files
Do not try to decrypt your data of the third-party software, it can cause constant data loss
You do not joke with files
To restore your files visit "http://mydatassuperhero.com" website. This website is safe
If this website is not available use reserve website "http://snatch6brk4nfczg.onion" in a TOR network. This website is safe.
For visit of this website it is necessary to install Tor browser (https://www.torproject.org)
Your login: H06aDYShvwb5NXu
Your password: 9qYgZuV8p7lUX0e
Your BTC address: 13TvbUKYEAqwu3FP7RDu8vZhVucmUg9Zxy
If all websites are not available write to us on email of newrecoverybot@pm.me
You keep this information in secret

Emails

newrecoverybot@pm.me

Wallets

13TvbUKYEAqwu3FP7RDu8vZhVucmUg9Zxy
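
The Emails and Wallets entries above are what a note parser pulls out of RESTORE_HCEEM_DATA.txt. The Python below is an added example, not part of the sandbox report or its extractor: it re-derives those two indicators from the note text reproduced on this page and also pulls the clearnet and .onion URLs and the victim login/password. The note string is copied from the page; the regular expressions are general patterns chosen for this example, not the sandbox's own rules.

```python
"""Pull indicators out of a ransom note: e-mail, wallet, URLs, onion hosts, victim credentials."""
import re

# Note text as recovered from RESTORE_HCEEM_DATA.txt in this report (copied from the page).
RANSOM_NOTE = (
    'Attention! Do not rename the ciphered files Do not try to decrypt your data of the '
    'third-party software, it can cause constant data loss You do not joke with files '
    'To restore your files visit "http://mydatassuperhero.com" website. This website is safe '
    'If this website is not available use reserve website "http://snatch6brk4nfczg.onion" '
    'in a TOR network. This website is safe. For visit of this website it is necessary to '
    'install Tor browser (https://www.torproject.org) Your login: H06aDYShvwb5NXu '
    'Your password: 9qYgZuV8p7lUX0e Your BTC address: 13TvbUKYEAqwu3FP7RDu8vZhVucmUg9Zxy '
    'If all websites are not available write to us on email of newrecoverybot@pm.me '
    'You keep this information in secret'
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Stop a URL at whitespace, quotes, angle brackets or parentheses so the note's
# punctuation ("http://..." and (https://...)) does not leak into the match.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")
# Tor v2 (16 chars) and v3 (56 chars) onion hostnames, base32 alphabet.
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")
# Legacy Bitcoin addresses: Base58 alphabet (no 0, O, I, l), 26-35 chars, leading 1 or 3.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Snatch-style notes hand the victim a portal login and password in plain text.
CRED_RE = re.compile(r"Your (login|password):\s*(\S+)")


def _dedupe(items):
    """Remove duplicates while keeping first-seen order."""
    return list(dict.fromkeys(items))


def extract_iocs(note):
    """Return the indicators found in a ransom note as a dict of lists (credentials as a dict)."""
    return {
        "emails": _dedupe(EMAIL_RE.findall(note)),
        "urls": _dedupe(URL_RE.findall(note)),
        "onion_hosts": _dedupe(ONION_RE.findall(note)),
        "wallets": _dedupe(BTC_RE.findall(note)),
        "credentials": {key: value for key, value in CRED_RE.findall(note)},
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(RANSOM_NOTE).items():
        print(f"{kind}: {values}")
```

The wallet regex accepts any Base58 string of the right shape, so a production extractor would additionally Base58Check-decode each candidate (version byte plus double-SHA-256 checksum) to discard look-alike tokens; the login and password values on this page, for example, contain `0` and `l` and so never match, but not every false positive is that convenient.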

Targets

    • Deletes shadow copies

      Ransomware commonly deletes Volume Shadow Copies and other local backups to inhibit system recovery (ATT&CK T1490) before or while encrypting.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials. For a ransomware sample this heuristic can also fire when the encryptor simply enumerates and encrypts files under the browser profile directories, so treat it as a cue to check which browser files were opened and whether anything left the host, not as proof of credential theft.
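
The "Deletes shadow copies" signature maps to Inhibit System Recovery (T1490). The report does not record the exact command this sample ran, so the Python below is an added example, not sandbox output or code from the sample: it runs a small T1490 rule set covering the commands ransomware commonly uses (vssadmin, wmic, wbadmin, bcdedit, PowerShell WMI) over constructed Sysmon-style process-creation records, and flags any parent process that chains two or more distinct recovery-inhibiting commands. The event records and the parent path `sample.exe` are placeholders made up for this example.

```python
"""Flag Inhibit System Recovery (T1490) command lines in process-creation telemetry."""
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 records (subset of fields). These are NOT events
# recorded from this sample; "sample.exe" stands in for the ransomware process.
EVENTS = [
    {"ParentImage": r"C:\Users\victim\Downloads\sample.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ParentImage": r"C:\Users\victim\Downloads\sample.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ParentImage": r"C:\Users\victim\Downloads\sample.exe",
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"ParentImage": r"C:\Users\victim\Downloads\sample.exe",
     "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"ParentImage": r"C:\Users\victim\Downloads\sample.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    # Benign: an administrator listing snapshots, and an unrelated editor launch.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": '"C:\\Program Files\\Notepad++\\notepad++.exe" notes.txt'},
]

# Patterns are applied to a lower-cased, whitespace-collapsed command line.
T1490_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin delete catalog/backup",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup|backup)\b")),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled no|bootstatuspolicy ignoreallfailures)")),
    ("powershell Win32_ShadowCopy Delete",
     re.compile(r"win32_shadowcopy.*\.delete\(\)")),
]


def normalize(cmdline):
    """Lower-case and collapse whitespace so spacing tricks do not dodge the patterns."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def detect_t1490(events):
    """Return one hit per (event, rule) pair whose command line matches a T1490 pattern."""
    hits = []
    for event in events:
        cmd = normalize(event.get("CommandLine", ""))
        for rule_name, pattern in T1490_RULES:
            if pattern.search(cmd):
                hits.append({"rule": rule_name, "parent": event["ParentImage"],
                             "image": event["Image"], "cmdline": event["CommandLine"]})
    return hits


def suspicious_parents(hits, min_distinct_rules=2):
    """Parents that launched at least min_distinct_rules different recovery-inhibiting commands.

    A single vssadmin call may be an administrator; a parent chaining several is the
    pattern ransomware shows before encryption.
    """
    rules_by_parent = defaultdict(set)
    for hit in hits:
        rules_by_parent[hit["parent"]].add(hit["rule"])
    return {parent: sorted(rules) for parent, rules in rules_by_parent.items()
            if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    found = detect_t1490(EVENTS)
    for hit in found:
        print(f"[{hit['rule']}] {hit['parent']} -> {hit['cmdline']}")
    print("high-confidence parents:", suspicious_parents(found))
```

The per-parent aggregation is what keeps this usable in a noisy environment: the individual rules will fire on legitimate backup maintenance, but a parent that disables recovery through several independent mechanisms in one session is worth an immediate look regardless of what its binary is called.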

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic              Technique                  ID      Count
    Defense Evasion     File Deletion              T1107   2
    Credential Access   Credentials in Files       T1081   1
    Discovery           Remote System Discovery    T1018   1
    Collection          Data from Local System     T1005   1
    Impact              Inhibit System Recovery    T1490   2

    The IDs are ATT&CK v6 identifiers. T1107 and T1081 have since been retired: File Deletion is now sub-technique T1070.004 (Indicator Removal: File Deletion) and Credentials in Files is T1552.001 (Unsecured Credentials: Credentials in Files). Map to those when correlating this report with current ATT&CK-based detection content.
