Analysis

  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    02/09/2021, 08:04 UTC

General

  • Target

    26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

  • Size

    997KB

  • MD5

    ba454585b9f42c7254c931c192556e08

  • SHA1

    0b530303634283a43d53abd9190106869f57ba5a

  • SHA256

    26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa

  • SHA512

    2cb918eab6776c7cfea031cbb48cc4e33e068489a37f39ba1e246f32fef7a35c3511293b399c81b5b8056bca50d725554866584460f04efe0d65c1d1c625bc4b

Score
10/10

Malware Config

Signatures

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

Network

  • HTTP/1.1
    200
    Remote address:
    10.7.0.1:56622
    Request
    GET / HTTP/1.1
    Host: 10.7.0.57:8000
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf8
    Date: Wed, 01 Sep 2021 13:51:40 GMT
    Content-Length: 123
  • HTTP/1.1
    200
    Remote address:
    10.7.0.1:56638
    Request
    POST /payload HTTP/1.1
    Host: 10.7.0.57:8000
    User-Agent: Go-http-client/1.1
    Transfer-Encoding: chunked
    Content-Type: multipart/form-data; boundary=06e95a7bc2b681c64faf73fa7a0fbf9cc16dfeecddae39ab490cf6680602
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf8
    Date: Wed, 01 Sep 2021 13:51:41 GMT
    Transfer-Encoding: chunked
  • DNS
    www.sfml-dev.org
    Remote address:
    8.8.8.8:53
    Request
    www.sfml-dev.org
    IN A
    Response
    www.sfml-dev.org
    IN CNAME
    sfml-dev.org
    sfml-dev.org
    IN A
    78.47.82.133
  • GET
    http://www.sfml-dev.org/ip-provider.php
    Remote address:
    78.47.82.133:80
    Request
    GET /ip-provider.php HTTP/1.0
    content-length: 0
    from: user@sfml-dev.org
    host: www.sfml-dev.org
    user-agent: libsfml-network/2.x
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 Sep 2021 08:04:43 GMT
    Server: Apache
    Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.sfml-dev.org www.gstatic.com www.google.com www.google-analytics.com ssl.google-analytics.com; connect-src 'self' www.google-analytics.com; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' *.sfml-dev.org fonts.googleapis.com; media-src https: data:; font-src 'self' fonts.gstatic.com; base-uri 'self'; form-action 'self'; frame-src https: data:
    Content-Length: 12
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • GET
    http://www.sfml-dev.org/ip-provider.php
    Remote address:
    78.47.82.133:80
    Request
    GET /ip-provider.php HTTP/1.0
    content-length: 0
    from: user@sfml-dev.org
    host: www.sfml-dev.org
    user-agent: libsfml-network/2.x
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 Sep 2021 08:06:30 GMT
    Server: Apache
    Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.sfml-dev.org www.gstatic.com www.google.com www.google-analytics.com ssl.google-analytics.com; connect-src 'self' www.google-analytics.com; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' *.sfml-dev.org fonts.googleapis.com; media-src https: data:; font-src 'self' fonts.gstatic.com; base-uri 'self'; form-action 'self'; frame-src https: data:
    Content-Length: 12
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • GET
    http://www.sfml-dev.org/ip-provider.php
    Remote address:
    78.47.82.133:80
    Request
    GET /ip-provider.php HTTP/1.0
    content-length: 0
    from: user@sfml-dev.org
    host: www.sfml-dev.org
    user-agent: libsfml-network/2.x
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 Sep 2021 08:06:51 GMT
    Server: Apache
    Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.sfml-dev.org www.gstatic.com www.google.com www.google-analytics.com ssl.google-analytics.com; connect-src 'self' www.google-analytics.com; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' *.sfml-dev.org fonts.googleapis.com; media-src https: data:; font-src 'self' fonts.gstatic.com; base-uri 'self'; form-action 'self'; frame-src https: data:
    Content-Length: 12
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 10.7.0.1:56622
    200
    http
    722 B
    623 B
    9
    10

    HTTP Request

    /

    HTTP Response

    HTTP/1.1 200
  • 10.7.0.1:56638
    200
    http
    69.0kB
    3.6MB
    1318
    2489

    HTTP Request

    /payload

    HTTP Response

    HTTP/1.1 200
  • 10.7.0.1:40268
    404 B
    8
  • 10.7.0.1:40282
    404 B
    8
  • 78.47.82.133:80
    http://www.sfml-dev.org/ip-provider.php
    http
    364 B
    829 B
    5
    5

    HTTP Request

    GET http://www.sfml-dev.org/ip-provider.php

    HTTP Response

    200
  • 80.82.69.52:8080
    152 B
    3
  • 78.47.82.133:80
    http://www.sfml-dev.org/ip-provider.php
    http
    364 B
    829 B
    5
    5

    HTTP Request

    GET http://www.sfml-dev.org/ip-provider.php

    HTTP Response

    200
  • 80.82.69.52:8080
    152 B
    3
  • 78.47.82.133:80
    http://www.sfml-dev.org/ip-provider.php
    http
    364 B
    829 B
    5
    5

    HTTP Request

    GET http://www.sfml-dev.org/ip-provider.php

    HTTP Response

    200
  • 80.82.69.52:8080
    152 B
    3
  • 8.8.8.8:53
    www.sfml-dev.org
    dns
    62 B
    92 B
    1
    1

    DNS Request

    www.sfml-dev.org

    DNS Response

    78.47.82.133

MITRE ATT&CK Matrix
