conti | 6eeefc25fe1d24d3f46b554a31aea357a4cd04635db5c32dfddf28b5446c09d3

Sharing

Copy URL

Twitter E-mail

General

Target

6503144517435392.zip
Size

10.1MB
Sample

210924-mhbvasgffl
MD5

e90c800f2489917906e3ca934687e2fd
SHA1

49cc1676e1471600c447637a4f31d83035293672
SHA256

6eeefc25fe1d24d3f46b554a31aea357a4cd04635db5c32dfddf28b5446c09d3
SHA512

fcb6cc91bdb19a6fe0dc389cabafe3ae68eb84cb9b1fda35ccf42b5a3cbca832fac7bfb63cb33e9f1e6b81ab121289698842b22a6e7b76b62e0c2605a207739f

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://30b89af86aec44d00celtalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://30b89af86aec44d00celtalkfzj.jobsbig.cam/eltalkfzj http://30b89af86aec44d00celtalkfzj.boxgas.icu/eltalkfzj http://30b89af86aec44d00celtalkfzj.sixsees.club/eltalkfzj http://30b89af86aec44d00celtalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://30b89af86aec44d00celtalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://30b89af86aec44d00celtalkfzj.jobsbig.cam/eltalkfzj

http://30b89af86aec44d00celtalkfzj.boxgas.icu/eltalkfzj

http://30b89af86aec44d00celtalkfzj.sixsees.club/eltalkfzj

http://30b89af86aec44d00celtalkfzj.nowuser.casa/eltalkfzj

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 09jQum57GEaC6dXINhoTySXIkkLxxkowWNebpY38DVj9GHasji8TrCvgizYnqkMa ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 2gRarkVApsbggVSyrETPQ81XrSylLmTR6P6kpgQQW7yzQQfDKtzwtC5IaK9CXMDx ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- lWL5aqUDwBJQsqHmM6OkU1yOTGOiNHcCdTAyuj6A1xKUIz98qMCGpifNoPeYSXBA ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://f26c5ab89af4da80faqwfekni.n5fnrf4l7bdjhelx.onion/qwfekni Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://f26c5ab89af4da80faqwfekni.perages.cyou/qwfekni http://f26c5ab89af4da80faqwfekni.aimdrop.fit/qwfekni http://f26c5ab89af4da80faqwfekni.soblack.xyz/qwfekni http://f26c5ab89af4da80faqwfekni.sixsees.club/qwfekni Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://f26c5ab89af4da80faqwfekni.n5fnrf4l7bdjhelx.onion/qwfekni

http://f26c5ab89af4da80faqwfekni.perages.cyou/qwfekni

http://f26c5ab89af4da80faqwfekni.aimdrop.fit/qwfekni

http://f26c5ab89af4da80faqwfekni.soblack.xyz/qwfekni

http://f26c5ab89af4da80faqwfekni.sixsees.club/qwfekni

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- ZgBgoJLOiFHQWDwueq1qE5rPeLoE7uij5d35sty227lDLOdE3MSdglpkbJd8T2u3 ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- EdKBszpVz7i9aIrMedNHe3uExMpz8Eot9fbCsY15OEUhJqECuuiljKTgA3E6nPSF ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 14piTHGIcvnNJhT08zb5D6UXPoUrxIXaDBaxAnqeL7n47VQE2nCr2pu3syN96vZt ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- hNnBLLUpXPkzmumguHVoFGptAHEPGFLY9A8KQ8fLb8w40RYCrN0bxZUyUhI9CHmn ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- GmGukC9E0yRlTdXQzcJEdPGtF62io3YPEUGd4wbj0OkVD51KrnXsWYnZlEN8oux1 ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Targets

- Target
  
  1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
- Size
  
  22KB
- MD5
  
  7906dc475a8ae55ffb5af7fd3ac8f10a
- SHA1
  
  e7304e2436dc0eddddba229f1ec7145055030151
- SHA256
  
  1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
- SHA512
  
  c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1
Score

10^/10

magniber ransomware
- Magniber Ransomware
  Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
  ransomware magniber
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751
- Size
  
  195KB
- MD5
  
  2c550ec2c56516e19f88a5228b1e4555
- SHA1
  
  31801a310f5aad8154f8b3e69027f068c76152f4
- SHA256
  
  2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751
- SHA512
  
  b52a93a5a8feeabc3c5f23a208c7cecfe8a619dd73c45c1126796269f5aa67e36594d9a47e1fca974ff9685d7421189a33fd33e1addd89e9bfbca3bca6573d45
Score

10^/10

conti ransomware
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
behavioral3 behavioral4
- Target
  
  3db6e8df73f12b6a9fa9adb6ad87b017d530a9d736909338042735ed00a9463b
- Size
  
  190KB
- MD5
  
  6a97f8afc1151619d5b119407faeb1ad
- SHA1
  
  185d65eb755cee888508d07adad60b39e0be2210
- SHA256
  
  3db6e8df73f12b6a9fa9adb6ad87b017d530a9d736909338042735ed00a9463b
- SHA512
  
  6e46da8df1ea210b8458f690b9b9951d02800190571a29ed71ac5f1d613bd77525cdf129a450c9bf155e4ca957a11ab5f254aeaa06b66faf62dcb36d2dfa94f1
Score

10^/10

conti ransomware
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Drops desktop.ini file(s)
behavioral5 behavioral6
- Target
  
  3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5
- Size
  
  194KB
- MD5
  
  91185817b6a6c96f9730dbe0cab30a8a
- SHA1
  
  af9d4627271a3627ead14999857e19d3925264e2
- SHA256
  
  3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5
- SHA512
  
  36543836a6b855d186058b10255fde814777b7ab3f18ce4622ef31277192381098c4e13162763bdeec3dd7dc6f314c39e77c1cc30214a47fc3616524dec6290f
Score

10^/10

conti ransomware spyware stealer
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral7 behavioral8
- Target
  
  463b34821a8eb219ff5980787d95bc2cfdd2d7f82720163394973814cd5dfe40
- Size
  
  125KB
- MD5
  
  f9bf85cfb68d9e5f68bbccaf683af15c
- SHA1
  
  a2eae8c1350fcfa429d2af664d8320edbfabe5d3
- SHA256
  
  463b34821a8eb219ff5980787d95bc2cfdd2d7f82720163394973814cd5dfe40
- SHA512
  
  07032679f19bba5690b59a6b689859d0b3611995cca6f990d2eee4b2f586493b29e70b4525e057abefe79a86695fa934f52e175a12098e0eeef7c1e3d049066a
Score

10^/10

magniber ransomware
- Magniber Ransomware
  Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
  ransomware magniber
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Suspicious use of SetThreadContext
behavioral9 behavioral10
- Target
  
  4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
- Size
  
  5.4MB
- MD5
  
  fdf9641f354987fe4683a27c5eb160a7
- SHA1
  
  ad738fd0a7d076575ffb7ab338fb784bab739435
- SHA256
  
  4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
- SHA512
  
  e0f251bd52b38ecb41a001f117de7d14e702b9aca5090bc01df96eb24679d32f68cf4a7da6cb961a147a67202cf4267dca44f4a2acc0bf1dedaf30d555d13315
Score

10^/10

conti ransomware spyware stealer vmprotect
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral11 behavioral12
- Target
  
  53b1c1b2f41a7fc300e97d036e57539453ff82001dd3f6abf07f4896b1f9ca22
- Size
  
  190KB
- MD5
  
  290c7dfb01e50cea9e19da81a781af2c
- SHA1
  
  8a52c7645ec8fd6c217dfe5491461372acc4e849
- SHA256
  
  53b1c1b2f41a7fc300e97d036e57539453ff82001dd3f6abf07f4896b1f9ca22
- SHA512
  
  be2f45b5cc110bc9c4e61723eb111e53d70f3e32757915a9a945589a5296e3a667afdf5978f7002869005f961d705058ffafd2076d44471b7826237c76e11d4d
Score

10^/10

conti ransomware spyware stealer
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral13 behavioral14
- Target
  
  62b28222159f1b1abe80bec49c89444448c41623a93895afafb7563fe82ffdd3
- Size
  
  2.7MB
- MD5
  
  8c9f6311f6c49a27f0d5250d76f3004b
- SHA1
  
  d4efeaab6b62b7ceb35a1797ee8dfcfff10cbdd7
- SHA256
  
  62b28222159f1b1abe80bec49c89444448c41623a93895afafb7563fe82ffdd3
- SHA512
  
  64acfb4fd407098c200951282c985ae9670b237d18c9b91b08a04313a503e3956cfddecf6d4341dbc67887918578454ad0c014061fbec4732ebc4cdcce20c9b9
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral15 behavioral16
- Target
  
  6bc6f60b873ea406022459edcd2df278cb2ec7bb4d994ebd4fc02af3a57ec6bc
- Size
  
  197KB
- MD5
  
  05512c1698a075b6a400b8c7d387c4ad
- SHA1
  
  44022c2f5e39afb1a2c808c54cf3885ffbfd66a3
- SHA256
  
  6bc6f60b873ea406022459edcd2df278cb2ec7bb4d994ebd4fc02af3a57ec6bc
- SHA512
  
  87215bd687526b8dc31299bbae75b0e64e6976773a848af684c22a45a8eed852afb2ebfd2cec8ae62af0339f2949c9e94d5402693d7dfe96baa4b2447dd564bc
Score

10^/10

conti ransomware
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Drops desktop.ini file(s)
behavioral17 behavioral18
- Target
  
  6f7043b24d9b4c30006781402f0cef2543c8f3e9087d79f6bcff43b1418ad21d
- Size
  
  200KB
- MD5
  
  d7bf01f9fb24176f2d42d770d79e8c2c
- SHA1
  
  9b8eeaf746cd5d903f70c3b245b9466c40b74c5d
- SHA256
  
  6f7043b24d9b4c30006781402f0cef2543c8f3e9087d79f6bcff43b1418ad21d
- SHA512
  
  0f299b9637c92098eda3a0d27a384e62d9fbaac4a2042cce84f5b1437eea1a17534331931ea5e6a68d79077cefb8678411900165b79fb4040578afaef354ee79
Score

3^/10
behavioral19 behavioral20
- Target
  
  706a8a4fc4b9f8b15c6bf1ee0fe732eaa5e069615ea126b931166672a8a5b51c
- Size
  
  195KB
- MD5
  
  2d819423ee1b9a5cfa10f0d6d3f7d88a
- SHA1
  
  dbec744594b5bd73ebb63258fd1d950392d435c9
- SHA256
  
  706a8a4fc4b9f8b15c6bf1ee0fe732eaa5e069615ea126b931166672a8a5b51c
- SHA512
  
  abdc7543152a1abd6f0fe1844674428482d4ee4228a7792cd892c75f011896469feabf611dd4ba16e5f14d431e8a30f976c9a8c6ef7c96f9fd6c063b288692ad
Score

10^/10

conti ransomware
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
behavioral21 behavioral22
- Target
  
  7236c8098c55ea1d144f4d6646e8cab8c7fdbde1d127d409b0d6a4ff1029628e
- Size
  
  196KB
- MD5
  
  4bb476c98b3bf1e4fa6212728b354160
- SHA1
  
  0c7ce8f80ac786cbd1c1c4054d605d366896d36b
- SHA256
  
  7236c8098c55ea1d144f4d6646e8cab8c7fdbde1d127d409b0d6a4ff1029628e
- SHA512
  
  26df60690db131ae396c91fde7d5d95ebb67975cd2adf0189c2b136cef43314c32fd133dcafee9c353e9a54c609751b27e179f3e7536bddfa2aa6be0d78d59e7
Score

10^/10

conti ransomware spyware stealer
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral23 behavioral24
- Target
  
  74ebfcd116fdd39217935d11ae62e48a0c44dfab822edea62ac7f611aca969dd
- Size
  
  190KB
- MD5
  
  33e977a44164db82bfef0c35c436f1f4
- SHA1
  
  36a855d68aaf368c543707714afca78217815cbb
- SHA256
  
  74ebfcd116fdd39217935d11ae62e48a0c44dfab822edea62ac7f611aca969dd
- SHA512
  
  9ba400ecb65b8166fab1bc9199115845ee62cd5e30e1f3d5661ddbd62d4e0da91232c548dbb1ae9ee1ed0d296e5eb5a36f19776c7cb6715e2376e1e096a4fdc8
Score

10^/10

conti ransomware
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Drops desktop.ini file(s)
behavioral25 behavioral26
- Target
  
  7fbeac1dca907f4c04fec45a1228c9277f03930355eeac30d101bbce7e2733de
- Size
  
  195KB
- MD5
  
  efc8f8172303ff78d207b2eb8c78511e
- SHA1
  
  bdf1d7e889905e4df8485fc7dfbb9bdfb91e676e
- SHA256
  
  7fbeac1dca907f4c04fec45a1228c9277f03930355eeac30d101bbce7e2733de
- SHA512
  
  056d2289776db4f7ede6076d5e932e9641f3885f6096c022a7d1d06662881d7bb464d3a0605c5b40e50175541d5b370f814a4c2900b9172156161b43a8bb7d67
Score

10^/10

conti ransomware
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
behavioral27 behavioral28
- Target
  
  87e6f7b20ea2bd35d947d9100fe6291dfe186cfedea5d451be14bab5d2518e89
- Size
  
  191KB
- MD5
  
  197e526a91e1a978dbdac0abc3bfea97
- SHA1
  
  32baad03bbcf6c42250a723ab78961fea1fbe8b8
- SHA256
  
  87e6f7b20ea2bd35d947d9100fe6291dfe186cfedea5d451be14bab5d2518e89
- SHA512
  
  aa4241a8d748e5c1fb38bc0ca452e8ff2d1fee2c75654b9bbc3a4261bcf97601e507bbeeda2959e7e1b432f8b3f9ea3142cedf7ef90bda4046b25d82f86db923
Score

3^/10
behavioral29 behavioral30
- Target
  
  918127c59ea7d9c0095a0add9bc93739a393d9fd64132446e7997952db07f93d
- Size
  
  66KB
- MD5
  
  589fcc4c9cfe26b7e6d54756112ab260
- SHA1
  
  3aed07b9cf58a45a7379d92559b3a1a2241248a1
- SHA256
  
  918127c59ea7d9c0095a0add9bc93739a393d9fd64132446e7997952db07f93d
- SHA512
  
  9c274e688996ffe6635d5303694e52979c07783bb184bf99940490296157b521d3433c7f29ea863d5e9769b52671ffdb3da4e1e64757b432ae3dda4bef46ecd2
Score

10^/10

conti ransomware spyware stealer
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral31 behavioral32

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Magniber Ransomware

Process spawned unexpected child process

Modifies extensions of user files

Suspicious use of SetThreadContext

Conti Ransomware

Conti Ransomware

Modifies extensions of user files

Drops startup file

Drops desktop.ini file(s)

Conti Ransomware

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Magniber Ransomware

Process spawned unexpected child process

Deletes shadow copies

Modifies extensions of user files

Suspicious use of SetThreadContext

Conti Ransomware

Modifies extensions of user files

VMProtect packed file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Conti Ransomware

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Conti Ransomware

Modifies extensions of user files

Drops startup file

Drops desktop.ini file(s)

Conti Ransomware

Conti Ransomware

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Conti Ransomware

Modifies extensions of user files

Drops startup file

Drops desktop.ini file(s)

Conti Ransomware

Conti Ransomware

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10