General

Target: 4085.zip
Size: 473KB
Sample: 210810-zltdy216je
MD5: 5de02f78f0770567af9c1394dacaff85
SHA1: 789fdf4a4f55a8731b5726250d8ebd4603a64e44
SHA256: 1b6d6a929b270d3fd04c33dd11e0517bc96d6bc17f39ba9dc521e75209e1f410
SHA512: fa4689350c6d069d9daa48a5f99fcaae5f853f22bea23dcb3fbd025d3686d624437e95eb55536874dd85cf1f9015b95dfb16f6ed3db4e429d6a7828c4c83992e
Static task: static1
Behavioral task: behavioral1 (sample: 4085.js, resource: win7v20210410)
Behavioral task: behavioral2 (sample: 4085.js, resource: win10v20210408)
Malware Config

Extracted URL: https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Extracted ransom note: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Contact e-mails: kd8eby0@onionmail.org, kd8eby0@nuke.africa
Targets

Target: 4085.js
Size: 776KB
MD5: b6e9c6f1113c92ad6757266ae75769a2
SHA1: 9190e8d268db4deb7cd97624b17cba6617244699
SHA256: 9fca4b9bb2238dec26fc6b6161dc9d62647883966f1cfd661537fb8c097ff4fe
SHA512: 1684c2350b540da9326159455cb57937a2fefc1b97f1231c12cc66ffa601f71ce52096d5c37737d644c49b1c9ae7b5e33eb86890b1405a79d2aa364afbc1f09b
Score: 10/10

Buran
Ransomware-as-a-service (RaaS) derived from the VegaLocker family, first identified in 2019.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
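The indicators above (two SHA256 values, the ransom-note file name, the two contact addresses and the download host) are enough for a first host sweep. The script below is an added example written for this report; it is not code from the sandbox, from the sample, or from the Buran operators. It hashes every file under a root and compares against the report's SHA256 values, finds ransom notes by name and checks that the addresses inside match the extracted config, and flags Run-key entries that launch from user-writable paths or reference the download host. The Run-key heuristic, the `run_values` dict shape and the sample data in the usage are assumptions, not observations from the report.

```python
"""IOC sweep for the Buran indicators in this report.

Added example, not code from the sandbox or the sample. Only the SHA256
values, the ransom-note file name, the contact e-mails and the download
host come from the report; the Run-key heuristic is an assumption.
"""
import hashlib
import os
import re
import sys
from dataclasses import dataclass

# Indicators copied from the report.
IOC_SHA256 = {
    "1b6d6a929b270d3fd04c33dd11e0517bc96d6bc17f39ba9dc521e75209e1f410": "4085.zip",
    "9fca4b9bb2238dec26fc6b6161dc9d62647883966f1cfd661537fb8c097ff4fe": "4085.js",
}
RANSOM_NOTE_NAME = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
IOC_EMAILS = {"kd8eby0@onionmail.org", "kd8eby0@nuke.africa"}
IOC_HOSTS = {"erzurum.us"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumption (heuristic, not from the report): a dropped EXE started from a
# Run key usually lives somewhere the user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass(frozen=True)
class Hit:
    kind: str      # "hash", "ransom_note" or "run_key"
    where: str     # file path or Run-key value name
    detail: str


def sha256_of(path: str) -> str:
    """Chunked SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, sha256_iocs=IOC_SHA256, note_name=RANSOM_NOTE_NAME, emails=IOC_EMAILS):
    """Walk root: report files whose SHA256 matches an IOC, and ransom notes
    (matched by name, case-insensitively) whose contact addresses match the
    extracted config."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_of(path)
            if digest in sha256_iocs:
                hits.append(Hit("hash", path, f"{sha256_iocs[digest]} ({digest})"))
            if name.casefold() == note_name.casefold():
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    found = set(EMAIL_RE.findall(f.read()))
                matched = sorted(found & set(emails))
                hits.append(Hit("ransom_note", path, ", ".join(matched) or "no known address"))
    return hits


def suspicious_run_entries(run_values, hosts=IOC_HOSTS):
    """run_values maps Run-key value names to command lines (e.g. parsed from
    `reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`).
    Flags commands launched from user-writable paths (heuristic) or that
    reference a host from the extracted config."""
    hits = []
    for name, cmd in run_values.items():
        lowered = cmd.casefold()
        if any(p in lowered for p in USER_WRITABLE):
            hits.append(Hit("run_key", name, f"autorun from user-writable path: {cmd}"))
        elif any(h in lowered for h in hosts):
            hits.append(Hit("run_key", name, f"references known host: {cmd}"))
    return hits


if __name__ == "__main__":
    # Usage: python sweep.py <root-of-mounted-image>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(root):
        print(f"[{hit.kind}] {hit.where}: {hit.detail}")
```

Hash matches only catch these exact two files; a rebuilt affiliate package will not hash the same, so the ransom-note name, the contact addresses and the download host are the indicators worth keeping in a hunt after the sample itself is gone.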