General

  • Target

    arceo.ai_6815e1e06e29863290319eb3e814ae2a394271aa2f95cc7c31a649c4c2f4fd04_ezt_vxc6.exe

  • Size

    196KB

  • Sample

    210901-eslqy6b286

  • MD5

    ad496fc24e5dcb74a04dd1ec746470e7

  • SHA1

    ffa9aa91954f2b7d5136a1d1b711e18b889475d0

  • SHA256

    6815e1e06e29863290319eb3e814ae2a394271aa2f95cc7c31a649c4c2f4fd04

  • SHA512

    e6f378fa7aefeb06a998b598481e5aea486115a404517264af0387ec253a56531547e1fa2ae8c4534c1c1419a17a1787721967a41d86ad39eeefca91d38053dc

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware.
If you try to use any additional recovery software - the files might be damaged or lost.
To make sure that we REALLY CAN recover data - we offer you to decrypt samples.
You can contact us for further instructions through:
Our website
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
HTTPS VERSION :
https://contirecovery.xyz
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond.
So it will be better for both sides if you contact us ASAP
---BEGIN ID---
xxZAPxE42h59xub5F9hlWoy2sNb34G4kkl5slkkshmhsiFrVk8NVJJZJGJoz1KeW
---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz

Targets

    • Target

      arceo.ai_6815e1e06e29863290319eb3e814ae2a394271aa2f95cc7c31a649c4c2f4fd04_ezt_vxc6.exe

    • Size

      196KB

    • MD5

      ad496fc24e5dcb74a04dd1ec746470e7

    • SHA1

      ffa9aa91954f2b7d5136a1d1b711e18b889475d0

    • SHA256

      6815e1e06e29863290319eb3e814ae2a394271aa2f95cc7c31a649c4c2f4fd04

    • SHA512

      e6f378fa7aefeb06a998b598481e5aea486115a404517264af0387ec253a56531547e1fa2ae8c4534c1c1419a17a1787721967a41d86ad39eeefca91d38053dc

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks