magniber | dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204

General

Target

dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
Size

38KB
Sample

210915-mpyyeadfaj
MD5

57cc3140477c915e6202e6b1d2f8bb7e
SHA1

69201178ee3bf8bc5b9f8212bb412c7f7a3aa3c0
SHA256

dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
SHA512

47a0854b4640ba0d8ff69695a0f799af56362a801752a00ada96d1d876ab3f396d81be3ee511b36b2889f213656f2b126ea51077ca6e75cd630810dd20b6a91e

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://4c1c1818c4e08a40addihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://4c1c1818c4e08a40addihwvy.outwest.top/ddihwvy http://4c1c1818c4e08a40addihwvy.coldsum.space/ddihwvy http://4c1c1818c4e08a40addihwvy.datesat.site/ddihwvy http://4c1c1818c4e08a40addihwvy.outplea.xyz/ddihwvy Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://4c1c1818c4e08a40addihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy

http://4c1c1818c4e08a40addihwvy.outwest.top/ddihwvy

http://4c1c1818c4e08a40addihwvy.coldsum.space/ddihwvy

http://4c1c1818c4e08a40addihwvy.datesat.site/ddihwvy

http://4c1c1818c4e08a40addihwvy.outplea.xyz/ddihwvy

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://080866a89ee074f01ddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://080866a89ee074f01ddihwvy.outwest.top/ddihwvy http://080866a89ee074f01ddihwvy.coldsum.space/ddihwvy http://080866a89ee074f01ddihwvy.datesat.site/ddihwvy http://080866a89ee074f01ddihwvy.outplea.xyz/ddihwvy Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://080866a89ee074f01ddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy

http://080866a89ee074f01ddihwvy.outwest.top/ddihwvy

http://080866a89ee074f01ddihwvy.coldsum.space/ddihwvy

http://080866a89ee074f01ddihwvy.datesat.site/ddihwvy

http://080866a89ee074f01ddihwvy.outplea.xyz/ddihwvy

Targets

- Target
  
  dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
- Size
  
  38KB
- MD5
  
  57cc3140477c915e6202e6b1d2f8bb7e
- SHA1
  
  69201178ee3bf8bc5b9f8212bb412c7f7a3aa3c0
- SHA256
  
  dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
- SHA512
  
  47a0854b4640ba0d8ff69695a0f799af56362a801752a00ada96d1d876ab3f396d81be3ee511b36b2889f213656f2b126ea51077ca6e75cd630810dd20b6a91e
Score

10^/10

magniber ransomware
- Magniber Ransomware
  Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
  ransomware magniber
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2