General
-
Target
6503144517435392.zip
-
Size
10.1MB
-
Sample
210924-mhbvasgffl
-
MD5
e90c800f2489917906e3ca934687e2fd
-
SHA1
49cc1676e1471600c447637a4f31d83035293672
-
SHA256
6eeefc25fe1d24d3f46b554a31aea357a4cd04635db5c32dfddf28b5446c09d3
-
SHA512
fcb6cc91bdb19a6fe0dc389cabafe3ae68eb84cb9b1fda35ccf42b5a3cbca832fac7bfb63cb33e9f1e6b81ab121289698842b22a6e7b76b62e0c2605a207739f
Malware Config
Extracted
C:\Users\Admin\Desktop\readme.txt
magniber
http://30b89af86aec44d00celtalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj
http://30b89af86aec44d00celtalkfzj.jobsbig.cam/eltalkfzj
http://30b89af86aec44d00celtalkfzj.boxgas.icu/eltalkfzj
http://30b89af86aec44d00celtalkfzj.sixsees.club/eltalkfzj
http://30b89af86aec44d00celtalkfzj.nowuser.casa/eltalkfzj
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Extracted
C:\Users\Admin\Desktop\readme.txt
magniber
http://f26c5ab89af4da80faqwfekni.n5fnrf4l7bdjhelx.onion/qwfekni
http://f26c5ab89af4da80faqwfekni.perages.cyou/qwfekni
http://f26c5ab89af4da80faqwfekni.aimdrop.fit/qwfekni
http://f26c5ab89af4da80faqwfekni.soblack.xyz/qwfekni
http://f26c5ab89af4da80faqwfekni.sixsees.club/qwfekni
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.best
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.best
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.xyz/
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.xyz/
Targets
-
-
Target
1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
-
Size
22KB
-
MD5
7906dc475a8ae55ffb5af7fd3ac8f10a
-
SHA1
e7304e2436dc0eddddba229f1ec7145055030151
-
SHA256
1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
-
SHA512
c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1
Score10/10-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Suspicious use of SetThreadContext
-
-
-
Target
2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751
-
Size
195KB
-
MD5
2c550ec2c56516e19f88a5228b1e4555
-
SHA1
31801a310f5aad8154f8b3e69027f068c76152f4
-
SHA256
2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751
-
SHA512
b52a93a5a8feeabc3c5f23a208c7cecfe8a619dd73c45c1126796269f5aa67e36594d9a47e1fca974ff9685d7421189a33fd33e1addd89e9bfbca3bca6573d45
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
-
-
Target
3db6e8df73f12b6a9fa9adb6ad87b017d530a9d736909338042735ed00a9463b
-
Size
190KB
-
MD5
6a97f8afc1151619d5b119407faeb1ad
-
SHA1
185d65eb755cee888508d07adad60b39e0be2210
-
SHA256
3db6e8df73f12b6a9fa9adb6ad87b017d530a9d736909338042735ed00a9463b
-
SHA512
6e46da8df1ea210b8458f690b9b9951d02800190571a29ed71ac5f1d613bd77525cdf129a450c9bf155e4ca957a11ab5f254aeaa06b66faf62dcb36d2dfa94f1
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops startup file
-
Drops desktop.ini file(s)
-
-
-
Target
3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5
-
Size
194KB
-
MD5
91185817b6a6c96f9730dbe0cab30a8a
-
SHA1
af9d4627271a3627ead14999857e19d3925264e2
-
SHA256
3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5
-
SHA512
36543836a6b855d186058b10255fde814777b7ab3f18ce4622ef31277192381098c4e13162763bdeec3dd7dc6f314c39e77c1cc30214a47fc3616524dec6290f
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
463b34821a8eb219ff5980787d95bc2cfdd2d7f82720163394973814cd5dfe40
-
Size
125KB
-
MD5
f9bf85cfb68d9e5f68bbccaf683af15c
-
SHA1
a2eae8c1350fcfa429d2af664d8320edbfabe5d3
-
SHA256
463b34821a8eb219ff5980787d95bc2cfdd2d7f82720163394973814cd5dfe40
-
SHA512
07032679f19bba5690b59a6b689859d0b3611995cca6f990d2eee4b2f586493b29e70b4525e057abefe79a86695fa934f52e175a12098e0eeef7c1e3d049066a
Score10/10-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Suspicious use of SetThreadContext
-
-
-
Target
4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
-
Size
5.4MB
-
MD5
fdf9641f354987fe4683a27c5eb160a7
-
SHA1
ad738fd0a7d076575ffb7ab338fb784bab739435
-
SHA256
4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
-
SHA512
e0f251bd52b38ecb41a001f117de7d14e702b9aca5090bc01df96eb24679d32f68cf4a7da6cb961a147a67202cf4267dca44f4a2acc0bf1dedaf30d555d13315
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
53b1c1b2f41a7fc300e97d036e57539453ff82001dd3f6abf07f4896b1f9ca22
-
Size
190KB
-
MD5
290c7dfb01e50cea9e19da81a781af2c
-
SHA1
8a52c7645ec8fd6c217dfe5491461372acc4e849
-
SHA256
53b1c1b2f41a7fc300e97d036e57539453ff82001dd3f6abf07f4896b1f9ca22
-
SHA512
be2f45b5cc110bc9c4e61723eb111e53d70f3e32757915a9a945589a5296e3a667afdf5978f7002869005f961d705058ffafd2076d44471b7826237c76e11d4d
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
62b28222159f1b1abe80bec49c89444448c41623a93895afafb7563fe82ffdd3
-
Size
2.7MB
-
MD5
8c9f6311f6c49a27f0d5250d76f3004b
-
SHA1
d4efeaab6b62b7ceb35a1797ee8dfcfff10cbdd7
-
SHA256
62b28222159f1b1abe80bec49c89444448c41623a93895afafb7563fe82ffdd3
-
SHA512
64acfb4fd407098c200951282c985ae9670b237d18c9b91b08a04313a503e3956cfddecf6d4341dbc67887918578454ad0c014061fbec4732ebc4cdcce20c9b9
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
6bc6f60b873ea406022459edcd2df278cb2ec7bb4d994ebd4fc02af3a57ec6bc
-
Size
197KB
-
MD5
05512c1698a075b6a400b8c7d387c4ad
-
SHA1
44022c2f5e39afb1a2c808c54cf3885ffbfd66a3
-
SHA256
6bc6f60b873ea406022459edcd2df278cb2ec7bb4d994ebd4fc02af3a57ec6bc
-
SHA512
87215bd687526b8dc31299bbae75b0e64e6976773a848af684c22a45a8eed852afb2ebfd2cec8ae62af0339f2949c9e94d5402693d7dfe96baa4b2447dd564bc
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops startup file
-
Drops desktop.ini file(s)
-
-
-
Target
6f7043b24d9b4c30006781402f0cef2543c8f3e9087d79f6bcff43b1418ad21d
-
Size
200KB
-
MD5
d7bf01f9fb24176f2d42d770d79e8c2c
-
SHA1
9b8eeaf746cd5d903f70c3b245b9466c40b74c5d
-
SHA256
6f7043b24d9b4c30006781402f0cef2543c8f3e9087d79f6bcff43b1418ad21d
-
SHA512
0f299b9637c92098eda3a0d27a384e62d9fbaac4a2042cce84f5b1437eea1a17534331931ea5e6a68d79077cefb8678411900165b79fb4040578afaef354ee79
Score3/10 -
-
-
Target
706a8a4fc4b9f8b15c6bf1ee0fe732eaa5e069615ea126b931166672a8a5b51c
-
Size
195KB
-
MD5
2d819423ee1b9a5cfa10f0d6d3f7d88a
-
SHA1
dbec744594b5bd73ebb63258fd1d950392d435c9
-
SHA256
706a8a4fc4b9f8b15c6bf1ee0fe732eaa5e069615ea126b931166672a8a5b51c
-
SHA512
abdc7543152a1abd6f0fe1844674428482d4ee4228a7792cd892c75f011896469feabf611dd4ba16e5f14d431e8a30f976c9a8c6ef7c96f9fd6c063b288692ad
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
-
-
Target
7236c8098c55ea1d144f4d6646e8cab8c7fdbde1d127d409b0d6a4ff1029628e
-
Size
196KB
-
MD5
4bb476c98b3bf1e4fa6212728b354160
-
SHA1
0c7ce8f80ac786cbd1c1c4054d605d366896d36b
-
SHA256
7236c8098c55ea1d144f4d6646e8cab8c7fdbde1d127d409b0d6a4ff1029628e
-
SHA512
26df60690db131ae396c91fde7d5d95ebb67975cd2adf0189c2b136cef43314c32fd133dcafee9c353e9a54c609751b27e179f3e7536bddfa2aa6be0d78d59e7
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
74ebfcd116fdd39217935d11ae62e48a0c44dfab822edea62ac7f611aca969dd
-
Size
190KB
-
MD5
33e977a44164db82bfef0c35c436f1f4
-
SHA1
36a855d68aaf368c543707714afca78217815cbb
-
SHA256
74ebfcd116fdd39217935d11ae62e48a0c44dfab822edea62ac7f611aca969dd
-
SHA512
9ba400ecb65b8166fab1bc9199115845ee62cd5e30e1f3d5661ddbd62d4e0da91232c548dbb1ae9ee1ed0d296e5eb5a36f19776c7cb6715e2376e1e096a4fdc8
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops startup file
-
Drops desktop.ini file(s)
-
-
-
Target
7fbeac1dca907f4c04fec45a1228c9277f03930355eeac30d101bbce7e2733de
-
Size
195KB
-
MD5
efc8f8172303ff78d207b2eb8c78511e
-
SHA1
bdf1d7e889905e4df8485fc7dfbb9bdfb91e676e
-
SHA256
7fbeac1dca907f4c04fec45a1228c9277f03930355eeac30d101bbce7e2733de
-
SHA512
056d2289776db4f7ede6076d5e932e9641f3885f6096c022a7d1d06662881d7bb464d3a0605c5b40e50175541d5b370f814a4c2900b9172156161b43a8bb7d67
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
-
-
Target
87e6f7b20ea2bd35d947d9100fe6291dfe186cfedea5d451be14bab5d2518e89
-
Size
191KB
-
MD5
197e526a91e1a978dbdac0abc3bfea97
-
SHA1
32baad03bbcf6c42250a723ab78961fea1fbe8b8
-
SHA256
87e6f7b20ea2bd35d947d9100fe6291dfe186cfedea5d451be14bab5d2518e89
-
SHA512
aa4241a8d748e5c1fb38bc0ca452e8ff2d1fee2c75654b9bbc3a4261bcf97601e507bbeeda2959e7e1b432f8b3f9ea3142cedf7ef90bda4046b25d82f86db923
Score3/10 -
-
-
Target
918127c59ea7d9c0095a0add9bc93739a393d9fd64132446e7997952db07f93d
-
Size
66KB
-
MD5
589fcc4c9cfe26b7e6d54756112ab260
-
SHA1
3aed07b9cf58a45a7379d92559b3a1a2241248a1
-
SHA256
918127c59ea7d9c0095a0add9bc93739a393d9fd64132446e7997952db07f93d
-
SHA512
9c274e688996ffe6635d5303694e52979c07783bb184bf99940490296157b521d3433c7f29ea863d5e9769b52671ffdb3da4e1e64757b432ae3dda4bef46ecd2
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-