General

  • Target

    b.zip

  • Size

    184KB

  • Sample

    211020-lnvnxshger

  • MD5

    0a52ead0a3bb3ceb1eb2413298ccf5f0

  • SHA1

    be7068221f82072313118139e6392f4e906bc24a

  • SHA256

    698de5b6086e09811c48e4967f28e4ca38cdc79fd85e0bd399ffd150e81f572d

  • SHA512

    f9ef969597de6fb4ca182c310bec4b147210e09afb9a3905987d8a7b67535ea539e104ee105ceebe40a9b9d992000ad9f6357bd6cc73ffc4f5a0474488966075

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html>
<style type="text/css">
body { background-color: #f5f5f5; }
h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; }
/*---*/
.tabs1{ display: block; margin: auto; }
.tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; }
.tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; }
.tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; }
.tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; }
.tabs .content .text{ padding: 25px; line-height: 1.2; }
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">12 64 8C 0D C2 49 7B 8B 35 61 40 B9 9D C0 0E 32 29 98 16 01 8C DF 50 E4 35 0F A6 D0 CE 24 6F 55 95 7B 52 2D C2 2B 45 0C FD C8 24 62 05 F9 39 68 0A 76 7B C3 61 C9 72 CC D3 E3 11 FF E7 3B 5D 18 E9 57 1A B1 7A 41 49 03 D4 1C 73 AA 2B C3 D3 1C CF 02 39 3C 13 6C 13 98 CF 09 02 45 13 E7 AC 06 23 8C AE 1F FD 9F FB C1 09 13 7A 1C C1 FE BE ED 8D CE CE 2A A8 2A 30 A0 86 92 EE 70 BD CD 93 EE 19 E7 0F 8F 8E C6 E9 2C 31 26 37 96 E5 9D 8A BA 94 2C 0A F0 1F 0D FC 6F 71 56 25 EE BC 34 A5 DA 2A 12 29 D2 F4 F9 42 9E 6F B7 71 6F CF 50 8E 7E 78 3A F3 C0 E6 BC A9 78 C0 56 5A 0F 68 97 A5 0E 38 F6 AC F5 0A BD 87 71 F8 45 67 B0 94 EA DF 19 D9 64 F5 59 4F E5 F1 FE DF CE 17 AA 74 7C AA 29 C1 7E E2 F0 C3 63 5A 0E C9 F8 A5 48 26 B0 85 6E 0F 22 23 25 34 4A 2A E0 61 D8 A4 B7 95 81 0B 52 </span>
<br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br>
4. Start a chat and follow the further instructions.
<br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="behappy123456@cock.li ">behappy123456@cock.li </a>
<br><a href="chinchoppa2299gayspilsss@yopmail.com">chinchoppa2299gayspilsss@yopmail.com</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br>
<hr>
<b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails

behappy123456@cock.li

chinchoppa2299gayspilsss@yopmail.com

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html>
<style type="text/css">
body { background-color: #f5f5f5; }
h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; }
/*---*/
.tabs1{ display: block; margin: auto; }
.tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; }
.tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; }
.tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; }
.tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; }
.tabs .content .text{ padding: 25px; line-height: 1.2; }
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">2A C1 D5 CA E5 F2 CA 35 B4 D9 42 EB F9 13 A6 15 84 F7 E5 D2 5C 7F CE D5 35 1F D5 E8 BE 0A BD BE D9 7A E8 28 0F ED 76 40 6F 35 D7 AD BD A9 46 C5 80 12 53 66 8B 9D 72 83 A2 E6 CF B5 B6 51 D2 77 BA CF 0B 08 99 D3 F8 74 64 B8 E8 CF 37 BA FC 9C 77 83 BE A3 AA F0 17 71 7E 28 38 92 E5 3C 93 9B 9F 6E 9F 26 9B 10 AF 74 CB C5 02 BE 92 F8 A9 DF C8 BD 5E 71 16 83 CF 7E 37 29 B5 39 56 71 0E 6C EB 59 F6 4E BD 90 D0 61 F8 B6 9E 97 29 18 63 D0 47 C7 50 2D 4E E0 D8 39 54 9A A9 E4 FC BF 73 3F F8 A0 CC 92 90 45 DB 5A BB 64 87 28 26 EA 75 C6 5F A2 E6 E6 EF FA 4A 24 1C B0 D7 8D 54 F9 54 F0 2C BE 12 15 3F 26 85 ED E9 13 AB 34 C1 2B B9 F6 2C 1F 63 20 7E 44 15 81 97 50 16 B9 72 40 4F FE 00 BD 9A 1A 51 B2 68 D7 9A 13 B0 CB 52 7C 8B E2 81 33 CA 8B F8 66 17 E1 38 69 72 54 1A 7C 62 73 </span>
<br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion </a><br>
4. Start a chat and follow the further instructions.
<br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="ithelp05@decorous.cyou ">ithelp05@decorous.cyou </a>
<br><a href="ithelp05@wholeness.business">ithelp05@wholeness.business</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br>
<hr>
<b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails

ithelp05@decorous.cyou

ithelp05@wholeness.business

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html>
<style type="text/css">
body { background-color: #f5f5f5; }
h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; }
/*---*/
.tabs1{ display: block; margin: auto; }
.tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; }
.tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; }
.tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; }
.tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; }
.tabs .content .text{ padding: 25px; line-height: 1.2; }
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">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</span>
<br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br>
4. Start a chat and follow the further instructions.
<br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="coleman.dec@tutanota.com ">coleman.dec@tutanota.com </a>
<br><a href="lauracc@msgsafe.io">lauracc@msgsafe.io</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br>
<hr>
<b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails

coleman.dec@tutanota.com

lauracc@msgsafe.io

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\040745947\readme-warning.txt

Family

makop

Ransom Note
::: Greetings :::

Little FAQ:

.1.
Q: Whats Happen?
A: Your files have been encrypted and now have the "baseus" extension. The file structure was not damaged, we did everything possible so that this could not happen.

.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.

.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailbox: baseus0906@goat.si or pecunia0318@tutanota.com or pecunia0318@goat.si

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.

:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

baseus0906@goat.si

pecunia0318@tutanota.com

pecunia0318@goat.si

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html>
<style type="text/css">
body { background-color: #f5f5f5; }
h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; }
/*---*/
.tabs1{ display: block; margin: auto; }
.tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; }
.tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; }
.tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; }
.tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; }
.tabs .content .text{ padding: 25px; line-height: 1.2; }
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">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</span>
<br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br>
4. Start a chat and follow the further instructions.
<br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="help_24_decr1@outlook.com ">help_24_decr1@outlook.com </a>
<br><a href="help_24_decr2@outlook.com">help_24_decr2@outlook.com</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br>
<hr>
<b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails

help_24_decr1@outlook.com

help_24_decr2@outlook.com

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">����������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span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. 
This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="help_24_decr1@outlook.com ">help_24_decr1@outlook.com </a> <br><a href="help_24_decr2@outlook.com">help_24_decr2@outlook.com</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ���������
Emails

    • help_24_decr1@outlook.com

    • help_24_decr2@outlook.com
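The ransom note and the e-mail list above are what the sandbox pulled out of how_to_back_files.html. Note two quirks of the note's HTML: the .onion anchor is empty, and the e-mail anchors carry the bare address in href with no mailto:, so a generic link extractor misses them. The following is an added example, not part of the sandbox report or of the malware: a config extractor for notes of this shape that pulls the personal ID, contact e-mails, any onion address and the payment deadline, reading both visible text and href values and ignoring the inline stylesheet. SAMPLE_NOTE is a constructed, abbreviated copy of the note with a 16-byte ID; the regexes and field names are ours, not the sandbox's.

```python
import re
from html.parser import HTMLParser

# Constructed, abbreviated stand-in for the how_to_back_files.html note on this
# page: same layout (personal-ID <span>, blank <a>.onion</a>, e-mail anchors
# whose href is the bare address), but a 16-byte ID and a one-rule stylesheet.
SAMPLE_NOTE = """<html><head><style type="text/css">body { background-color: #f5f5f5; }</style></head><body>
<div class="tabs1">
<div class="head"><b>Your personal ID:</b></div>
<div class="identi"><span style="width:1000px; font-size: 10px;">12 64 8C 0D C2 49 7B 8B 35 61 40 B9 9D C0 0E 32</span><br>
<!-- !!! dont changing this !!! --></div></div>
<div class="tabs"><div class="content"><div class="text">
<b>/!\\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\\</b><br>
Your files are safe! Only modified. (RSA+AES)<br>
<b>Contact us for price and get decryption software.</b><br>
<a>.onion</a><br>
<a href="help_24_decr1@outlook.com ">help_24_decr1@outlook.com </a>
<br><a href="help_24_decr2@outlook.com">help_24_decr2@outlook.com</a>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br>
<b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b>
</div></div></div></body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
# eight or more space-separated upper-case hex bytes: the personal-ID blob
HEX_ID_RE = re.compile(r"(?:\b[0-9A-F]{2}\b[ \t]*){8,}")
DEADLINE_RE = re.compile(r"WITHIN\s+(\d+)\s+HOURS", re.I)


class _NoteText(HTMLParser):
    """Collect visible text (with <br> as newline) and every href value,
    skipping the contents of <style> so CSS never reaches the regexes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text = []
        self.hrefs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        elif tag == "br":
            self.text.append("\n")
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if not self._in_style:
            self.text.append(data)


def extract_config(note_html: str) -> dict:
    """Pull the operator-controlled fields out of a Makop-style ransom note."""
    parser = _NoteText()
    parser.feed(note_html)
    text = "".join(parser.text)
    hrefs = " ".join(parser.hrefs)
    emails = sorted(set(EMAIL_RE.findall(text) + EMAIL_RE.findall(hrefs)))
    onions = sorted(set(ONION_RE.findall(text + " " + hrefs)))
    ids = [m.group(0).strip() for m in HEX_ID_RE.finditer(text)]
    personal_id = max(ids, key=len) if ids else None
    deadline = DEADLINE_RE.search(text)
    return {
        "personal_id_hex": personal_id.replace(" ", "") if personal_id else None,
        "personal_id_bytes": len(personal_id.split()) if personal_id else 0,
        "emails": emails,
        "onion_urls": onions,            # empty for this note: the anchor is blank
        "deadline_hours": int(deadline.group(1)) if deadline else None,
        "claims_rsa_aes": "RSA+AES" in text,
    }


if __name__ == "__main__":
    for key, value in extract_config(SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```

Run it against the real note by reading how_to_back_files.html from the encrypted host; the personal ID it returns is the value you need when matching victims to a key, and the e-mail set is the IOC to block at the mail gateway.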

Targets

    • Target

      BS.exe

    • Size

      53KB

    • MD5

      dd8cf1022f30071d6454e56340384f24

    • SHA1

      afa5ab499d41e91d1eae3427232460ebf6293d75

    • SHA256

      b9b81fa1b1e8ff2c42b654855121c7b38d8a876ccfe8b43ac48825a33a748128

    • SHA512

      55aa1b193a6e9a40b252e93fb5d4841ea9eb7da0350c8a053524682e9aab7ebb2e0a6b7a72876631b09eb5c1f49bb06dc2b3595eead4334fb122a6bb8bfc7b0e

    • Blocklisted process makes network request

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      BuildS.exe

    • Size

      53KB

    • MD5

      d0feecd8202129bb9c19823a04cd93ce

    • SHA1

      631b2e3c26dfa53778d881e592cc9e499e7f98bb

    • SHA256

      0dc4a2e2f49b2a6265a3c011d186a6f79ca8356d49d1c687465a5d994b6db38a

    • SHA512

      03676f15ee822f550e2dc5e979d205ce0f154d2e1062a7d8257931ca945c6f536de913f28f4abc0a399a0b1bacd380cbff3f26d0ec597c0d7593f349b121e097

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      READS.exe

    • Size

      53KB

    • MD5

      9bd839a710177cf31625c09e321418ba

    • SHA1

      82ebafbffb2ff94b91c037d5b51561d726ec32c5

    • SHA256

      3e526ba55e9dc43928b592e879aa2ea896681e709a22c6b0b8911d6f264ed63c

    • SHA512

      d3974db692f256f7733ccbf5d130bdcdcc18d18147b0522e8b0a3c10161604c1ee23e651cd132e3e61d81ff99c8af5a24abf465426aedc6dca1baa7adb53fc34

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      baseus_nowin.exe

    • Size

      40KB

    • MD5

      ac64fa0e284f8717e24179768dedfa24

    • SHA1

      fe8da0dcb6ab930841a85d17fba208cab1bb39a5

    • SHA256

      98a668b3db762b0f9bd29a3d35d2f8b55b9922a4f968c1bcf0ef04e2c411f53f

    • SHA512

      b0d1049b85582c4f4503b76133b3cc6549e823a7af474281ad5772a3b0f8081713e7a7574929ca8876c48c0545a75285a82d4a3db11a5a491da3da3987f39ae3

    • Makop

      Ransomware family discovered by @VK_Intel in early 2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      rbs.exe

    • Size

      53KB

    • MD5

      c6edb2242607a0e09ac7cddc4d65443f

    • SHA1

      8a09c4f1b8c930b6f3fff304e4fc6dc12639820d

    • SHA256

      4ef4c2b02aeef11ca823584186903598cdf844eb1d089ca94c2aedd776e901cd

    • SHA512

      4a79134da78fdf5e11323ad234764c48adc6c7269d7814b8e17373971d3de101e048a7975fb47bf946b6df71f94885ef80ded8903bf31fae49a8e5d21433d692

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      scan.exe

    • Size

      96KB

    • MD5

      2eeb4f7eea157f327085e3802c981f2b

    • SHA1

      fa250a3440f7d71409f0f4331d4ce5f4fde833ce

    • SHA256

      db68ab7de983dd168dbd4f080a073308a1cb915e9326b9aa4fda4124910d515b

    • SHA512

      3bab5cd6e264ba753b7bc006e1df9ba831cc69695f11b681e4f64305e5a893ee8567e74c35e91278e10573c31ab766697024dc217a3057532f52ef58fb21d59c

    • Score

      1/10
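The Targets list above gives MD5, SHA1, SHA256 and SHA512 for each dropped binary. The practical use of that list is a hash sweep of hosts that may have received the same files. What follows is an added example, not a tool from the sandbox or the report: a Python sweeper keyed on the MD5/SHA1/SHA256 values transcribed from this page (SHA512 left out to keep the table short), indexed so that any one digest family is enough for a match, which matters when an EDR export only carries one of them. The 4 MiB size cap and the demo's benign file are our own assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Digests transcribed from the Targets list on this page, as (md5, sha1, sha256).
MAKOP_IOCS = {
    "BS.exe": ("dd8cf1022f30071d6454e56340384f24",
               "afa5ab499d41e91d1eae3427232460ebf6293d75",
               "b9b81fa1b1e8ff2c42b654855121c7b38d8a876ccfe8b43ac48825a33a748128"),
    "BuildS.exe": ("d0feecd8202129bb9c19823a04cd93ce",
                   "631b2e3c26dfa53778d881e592cc9e499e7f98bb",
                   "0dc4a2e2f49b2a6265a3c011d186a6f79ca8356d49d1c687465a5d994b6db38a"),
    "READS.exe": ("9bd839a710177cf31625c09e321418ba",
                  "82ebafbffb2ff94b91c037d5b51561d726ec32c5",
                  "3e526ba55e9dc43928b592e879aa2ea896681e709a22c6b0b8911d6f264ed63c"),
    "baseus_nowin.exe": ("ac64fa0e284f8717e24179768dedfa24",
                         "fe8da0dcb6ab930841a85d17fba208cab1bb39a5",
                         "98a668b3db762b0f9bd29a3d35d2f8b55b9922a4f968c1bcf0ef04e2c411f53f"),
    "rbs.exe": ("c6edb2242607a0e09ac7cddc4d65443f",
                "8a09c4f1b8c930b6f3fff304e4fc6dc12639820d",
                "4ef4c2b02aeef11ca823584186903598cdf844eb1d089ca94c2aedd776e901cd"),
    "scan.exe": ("2eeb4f7eea157f327085e3802c981f2b",
                 "fa250a3440f7d71409f0f4331d4ce5f4fde833ce",
                 "db68ab7de983dd168dbd4f080a073308a1cb915e9326b9aa4fda4124910d515b"),
}
ALGOS = ("md5", "sha1", "sha256")


def build_index(iocs):
    """Map (algorithm, lower-case hex digest) -> sample name, so a hit on any
    single digest family identifies the file."""
    index = {}
    for name, digests in iocs.items():
        for algo, hexdigest in zip(ALGOS, digests):
            index[(algo, hexdigest.lower())] = name
    return index


INDEX = build_index(MAKOP_IOCS)


def hash_file(path, chunk_size=1 << 20):
    """Stream a file once and return all three digests."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests, index=INDEX):
    """Return sorted [(algo, sample_name)] for every digest that is in the index."""
    hits = set()
    for algo, hexdigest in digests.items():
        name = index.get((algo, hexdigest.lower()))
        if name is not None:
            hits.add((algo, name))
    return sorted(hits)


def sweep(root, index=INDEX, max_bytes=4 << 20):
    """Hash every regular file under root; return [(path, hits)] for matches.
    The listed samples are 40-96 KB, so files above max_bytes (our cap) are skipped."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            path = Path(dirpath) / filename
            try:
                if not path.is_file() or path.stat().st_size > max_bytes:
                    continue
                hits = match_digests(hash_file(path), index)
            except OSError:
                continue            # unreadable or vanished mid-walk: skip, keep sweeping
            if hits:
                findings.append((str(path), hits))
    return findings


def demo():
    """Offline run over one constructed benign file (no hit expected) plus a
    lookup of a digest from the page, which must resolve to its sample name."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        data = b"constructed benign file, not a Makop sample\n"
        benign.write_bytes(data)
        digests = hash_file(benign)
        return {
            "findings": sweep(tmp),
            "sha256_consistent": digests["sha256"] == hashlib.sha256(data).hexdigest(),
            "known_sample_lookup": match_digests({"sha256": MAKOP_IOCS["baseus_nowin.exe"][2]}),
        }


if __name__ == "__main__":
    print(demo())
```

Point sweep() at user-writable locations first (Downloads, AppData\Roaming, Temp), since those are where droppers of this size usually land; a match on a renamed copy is still a match because the index is keyed on content, not on the filenames in the report.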

MITRE ATT&CK Matrix ATT&CK v6

Tactic               Technique                            ID      Count
Execution            Command-Line Interface               T1059   1
Persistence          Registry Run Keys / Startup Folder   T1060   4
Defense Evasion      Modify Registry                      T1112   4
Defense Evasion      File Deletion                        T1107   3
Credential Access    Credentials in Files                 T1081   5
Discovery            System Information Discovery         T1082   2
Discovery            Query Registry                       T1012   1
Discovery            Peripheral Device Discovery          T1120   1
Collection           Data from Local System               T1005   5
Command and Control  Web Service                          T1102   1
Impact               Inhibit System Recovery              T1490   3
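The two behaviours in this report that an endpoint detection should never miss are "Deletes shadow copies" / "Deletes backup catalog (wbadmin.exe)", mapped above to T1490 Inhibit System Recovery, and "Adds Run key to start application", mapped to T1060 (the ATT&CK v6 ID the matrix uses; later ATT&CK versions fold it into T1547.001). The report shows that these behaviours fired but not the exact command lines, so the example below is an added one, not the sandbox's signature logic: a small detector over process-creation events that matches the standard forms of those commands (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, reg add ...\CurrentVersion\Run) and tags each hit with the v6 technique ID. The EVENTS are constructed, in a simplified one-line key=value rendering of Sysmon event ID 1 fields that we made up for the example; the parent process names reuse this page's sample filenames but do not describe recorded behaviour.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # ATT&CK v6 ID, as used in the matrix on this page
    pattern: re.Pattern


# The report tells us which behaviours fired, not the command lines; these
# patterns cover the standard ways each behaviour is produced from a shell.
RULES = (
    Rule("shadow copy deletion", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    Rule("backup catalog deletion", "T1490",
         re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    Rule("Run key persistence via reg.exe", "T1060",
         re.compile(r"\breg(\.exe)?\s+add\s+.*?\\CurrentVersion\\Run\b", re.I)),
)

# Constructed events (our own simplified key=value rendering of Sysmon event 1
# fields). The first four are the ransomware pattern; the last two are benign.
EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c vssadmin delete shadows /all /quiet" ParentImage=C:\\Users\\alice\\Downloads\\baseus_nowin.exe',
    'EventID=1 Image=C:\\Windows\\System32\\wbadmin.exe CommandLine="wbadmin delete catalog -quiet" ParentImage=C:\\Users\\alice\\Downloads\\baseus_nowin.exe',
    'EventID=1 Image=C:\\Windows\\System32\\reg.exe CommandLine="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /t REG_SZ /d C:\\Users\\alice\\AppData\\Roaming\\BS.exe /f" ParentImage=C:\\Users\\alice\\AppData\\Roaming\\BS.exe',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\\Windows\\System32\\cmd.exe',
    'EventID=1 Image="C:\\Program Files\\Backup\\agent.exe" CommandLine="agent.exe --list shadows" ParentImage=C:\\Windows\\System32\\services.exe',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir C:\\Users\\alice" ParentImage=C:\\Windows\\explorer.exe',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one 'Key=value Key="quoted value"' line into a dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def detect(line):
    """Return one hit per rule that matches the event's command line."""
    event = parse_event(line)
    if event.get("EventID") != "1":      # only process creation carries a command line
        return []
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    hits = []
    for rule in RULES:
        if rule.pattern.search(cmdline):
            hits.append({
                "rule": rule.name,
                "technique": rule.technique,
                "image": event.get("Image", ""),
                "parent": parent,
                # Recovery-inhibiting commands spawned from a user-writable path
                # are the ransomware case; from an admin console they may be routine.
                "parent_in_user_dir": parent.lower().startswith("c:\\users\\"),
                "cmdline": cmdline,
            })
    return hits


def scan(lines):
    return [hit for line in lines for hit in detect(line)]


def technique_counts(hits):
    """Tally hits per technique ID, the same shape as the matrix on this page."""
    counts = {}
    for hit in hits:
        counts[hit["technique"]] = counts.get(hit["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(EVENTS)
    for hit in hits:
        print(hit["technique"], hit["rule"], "<-", hit["parent"])
    print(technique_counts(hits))
```

The parent_in_user_dir flag is the triage hint: three of the four hits here descend from binaries under C:\Users, which is the combination to alert on with high priority; the wmic call parented by cmd.exe alone is the one an analyst would check against change records before escalating.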

Tasks