General

  • Target

    79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample

  • Size

    207KB

  • Sample

    210726-l3kqpewlns

  • MD5

    b961eb350e94cead67efae131b3fff4c

  • SHA1

    f22185fd187244b96f96184359b4f7a7ad8542b0

  • SHA256

    79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea

  • SHA512

    d2a1a1255f8313a1125c59218be8fecbb46604663c964477b8cd381c78381ffc0aca518f781be87d355d4d0e043dc5d773ae1bb4af2c8716b0f56f293cd4956c

Malware Config

Extracted

Path

C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta

Ransom Note
ENCRYPTED 11100001111011111111100001111011111100 What happened? All your documents, databases, backups, and other critical files were encrypted. Our software used the AES cryptographic algorithm (you can find related information in Wikipedia). It happened because of security problems on your server, and you cannot use any of these files anymore. The only way to recover your data is to buy a decryption key from us. To do this, please send your unique ID to the contacts below. E-mail: copy Unique ID: copy Right after payment, we will send you a specific decoding software that will decrypt all of your files. If you have not received the response within 24 hours, please contact us by e-mail . During a short period, you can buy a decryption key with a 50% discount --:--:-- left The price depends on how soon you will contact us. All your files will be deleted permanently in: Attention! ! Do not try to recover files yourself. this process can damage your data and recovery will become impossible. ! Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price. ! Do not contact any intermediaries. They will buy the key from us and sell it to you at a higher price. What guarantees do you have? Before payment, we can decrypt three files for free. The total file size should be less than 5MB (before archiving), and the files should not contain any important information (databases, backups, large tables, etc.)
/* analyst note: script embedded in how_to_decrypt.hta. Everything below is client-side only: the three deadlines,
   both contact addresses and the victim ID are string literals baked into the file, and no network call
   (XMLHttpRequest/fetch) appears anywhere, so the "discount" and "deadline" are not driven by attacker
   infrastructure. `dn` is captured once at load and `sd` aliases end_date; countDiscount() reads these globals. */
var max_discount = 50; var start_date = new Date('July 26 2021 14:43:29'); var discount_date = new Date('July 29 2021 14:43:29'); var end_date = new Date('July 31 2021 14:43:29'); var main_contact = 'cryhead@mail.com'; var hid = '[BDA24E22-3003A7AC]'; var second_contact = 'cryhead@pm.me'; var sd = end_date; var dn = new Date(); var zoc, ddGlobal;
/* analyst note: `function document.onblur()` is the legacy JScript/HTA (mshta.exe) event-handler declaration form,
   not standard JavaScript — it will not parse in a normal engine. It re-raises an alert whenever the window loses focus. */
function document.onblur() { alert('Attention! 
This important information for you!'); }
/* analyst note: fills the hard-coded contacts and victim ID into the page; `hid` is presumably the "Unique ID"
   the note asks the victim to e-mail (no server round-trip is involved in generating it here). */
function setContacts() { document.getElementById('main_contact').innerHTML = main_contact; document.getElementById('second_contact').innerHTML = second_contact; document.getElementById('hid').innerHTML = hid; }
/* analyst note: linear decay of the discount from max_discount (50%) between start_date and discount_date, and the
   countdown shown as "--:--:-- left". `cur_discount` is only assigned inside the first `if`, so once discount_date has
   passed the later comparisons see `undefined` (both `undefined <= 25` and `undefined < 5` are false). The end-date
   check compares against the global `dn` captured at load rather than the current time. */
function countDiscount() { var term_current = new Date().getTime() - start_date.getTime(); var term_full = discount_date.getTime() - start_date.getTime(); var delta = discount_date.getTime() - new Date().getTime(); delta = new Date(delta); var dt = document.getElementById('pwr'); var timer_discount = document.getElementById('timer_discount'); var discount = document.getElementById('discount'); var hours_to_end = Math.floor(term_full / 1000 / 3600); var hours_current = Math.floor(term_current / 1000 / 3600); if (discount_date.getTime() > dn.getTime()) { var disc_per_hour = parseFloat(max_discount / hours_to_end).toFixed(2); var cur_discount = Math.floor(max_discount - (disc_per_hour * hours_current)); if (discount) { discount.innerHTML = cur_discount + '% discount'; } } if (cur_discount <= 25) { dt.style.cssText = 'border: 1px solid #FFC000;'; if (timer_discount) { timer_discount.style.background = '#FFC000'; } } if (sd.getTime() < dn.getTime() || cur_discount < 5) { dt.style.cssText = 'border: 1px solid #F53636; background-color: #F53636; padding: 16px 20px;'; dt.innerHTML = '<div style="font-size: 16px; color: #ffffff; text-align: center; display: block; font-weight: bold;">Decryption key can be bought at standard cost.</div><div style="font-size: 13px; color: #fff; text-align: center; margin-top: 10px">You need to hurry up to decrypt your data because all your files will be destroyed soon.</div>'; } var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } if (timer_discount) { 
timer_discount.innerHTML = dd + ' ' + hh+':'+mm+':'+ss; } }
/* analyst note: countdown to end_date ("files will be deleted permanently in:"). Uses its own local `sd`/`dn`,
   shadowing the globals, so unlike countDiscount() it re-evaluates against the current time each tick. Past the
   deadline it swaps in the red banner and sets zoc = 2, which switches off blink(). The deletion threat itself is
   only text here — nothing in this script touches the filesystem. */
function ChangeTime() { var sd = end_date; var dn = new Date(); if (sd.getTime() < dn.getTime()) { var dt = document.getElementById('lctw'); dt.innerHTML = '<b>Soon, you won\'t be able to decrypt your files. Contact us immediately!</b>'; dt.style.cssText = 'background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px; text-align: center; font-size: 20px;'; zoc = 2; } else { var delta = sd.getTime() - dn.getTime(); delta = new Date(delta); var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); ddGlobal = parseInt(dd); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt = document.getElementById('file_lost'); if (dt) { dt.innerHTML= dd+' &nbsp;&nbsp;&nbsp; '+hh+':'+mm+':'+ss; } } }
/* analyst note: opacity pulse of the deadline text on the last day (ddGlobal == 0) via the IE-only
   `alpha(opacity=...)` filter. `intervalID` is declared but never used; the code assigns `intervalId`
   (different case) without declaring it, i.e. an implicit global. */
var count = 100, interval = 10, intervalID; function blink() { if (ddGlobal == 0 && zoc != 2) { var dt = document.getElementById('file_lost'); var dt2 = document.getElementById('text_file_lost'); var test = document.getElementById('test'); if (count == 100) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count - 2; if (count == 20) clearInterval(intervalId); }, interval); } if (count == 20) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count + 2; if (count == 100) clearInterval(intervalId); }, interval); } } }
/* analyst note: random integer in [min, max) from Math.random(); with (0, 2) it yields 0 or 1. */
function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; }
/* analyst note: purely cosmetic — rewrites element `rc` with 40 random 0/1 digits every 100 ms (see Start()).
   The binary string shown after "ENCRYPTED" in the note appears to be this decoration; it is not a key, hash or
   payment address and should not be extracted as an IOC. `dt` is unused; the write goes through the IE
   element-id-as-global `rc`. */
function Rndom() { var dt=document.getElementById('rc'); var xx=''; var i=0; while (i < 40) { xx=xx+getRandomArbitrary(0,2); i=i+1; } rc.innerHTML= xx; }
/* analyst note: page entry point — fixes the window at 850x720 and starts the four timers (1 s countdowns, 100 ms blink/noise). */
function Start() { 
window.resizeTo(850,720); setContacts(); ChangeTime(); setInterval(ChangeTime, 1000); countDiscount(); setInterval(countDiscount, 1000); setInterval(blink, 100); setInterval(Rndom,100); }
/* analyst note: `window.clipboardData` is the IE/HTA-only clipboard API; presumably bound to the "copy" links
   next to the e-mail and Unique ID in the note. */
function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); }
/* analyst note: same nag alert as document.onblur, exposed as a callable. */
function Restart() { alert('Attention! This important information for you!'); }
Emails

cryhead@mail.com

cryhead@pm.me

Wallets

11100001111011111111100001111011111100 (extraction caveat: this is the decorative binary string displayed after "ENCRYPTED" in the note — the HTA's Rndom() rewrites it with random 0/1 digits every 100 ms — not a cryptocurrency wallet address. No payment address is present in the note; contact is by e-mail only, so do not use this value as an IOC.)

Targets

    • Target

      79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample

    • Size

      207KB

    • MD5

      b961eb350e94cead67efae131b3fff4c

    • SHA1

      f22185fd187244b96f96184359b4f7a7ad8542b0

    • SHA256

      79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea

    • SHA512

      d2a1a1255f8313a1125c59218be8fecbb46604663c964477b8cd381c78381ffc0aca518f781be87d355d4d0e043dc5d773ae1bb4af2c8716b0f56f293cd4956c

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc. (Caveat: for a ransomware sample this signature may also fire on plain enumeration of browser profile directories during encryption rather than deliberate credential theft — confirm against the file-access trace before treating it as infostealing behaviour.)

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6 (caveat: the technique IDs below are from the retired v6 matrix — T1060, T1107 and T1081 have since been superseded by the sub-techniques T1547.001 Registry Run Keys / Startup Folder, T1070.004 File Deletion and T1552.001 Credentials In Files; re-map before importing into current tooling)

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Tasks