General

  • Target

    DoppelPaymer.RANSOM.bin

  • Size

    3.2MB

  • Sample

    211020-n33zyshaa8

  • MD5

    8c54bbe3f191a8627bfeeb4cb02634a9

  • SHA1

    2fc2ecbed153344557386e80a2fbd097bf795559

  • SHA256

    f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555

  • SHA512

    752d4bb22765373f7ee185acc42b73d5f2b75ae46ed995bf2f59486038a512eca30c5ecf040541cc2833df005ee17db00a0ec5ae802b677ff468f256ea53ecd2

Malware Config

Extracted

Path

C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.readme2unlock.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA CAAAANAnUh+HCaXNAQIAABBmAAAApAAAh+SvG4V13HxJAN+D+R9ECeZXWRZVt1Yh/Y/dC9m18ePU 06iq815SzIcrA0YQeew0KRFltd8NEAdYTzyrcZPdjZZwMO7O+o6K9M3IB8g3ZIDYjGK8YNWhHvg6 w+f/5KMmKbSr0D7Lfolb5JFY3qxLoGCM1aUT5XOU+I0hK9CRra3vx5sRZIWlPGk9zs49DLL1EpGc aCJid5qzxoJox/Yh5WxxDwaMFYoVqEC4qnkhijyiUdzGL7XImjnMaPUsHGcylaLxed4R8ypM5voa 2vEgtJnqdck1R0lzzCvXDPMo6E8VtSG9om2l0I4UvS/sMmPb/IAFMZysBuJq35SCwtVHMQ==
Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2010_x64.log.html.readme2unlock.txt

C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.readme2unlock.txt

C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.readme2unlock.txt

C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt

C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt

C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt

C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt

C:\Boot\updaterevokesipolicy.p7b.readme2unlock.txt

C:\Boot\bg-BG\bootmgr.exe.mui.readme2unlock.txt

Ransom Note

Same text as the note extracted above; only the trailing base64 DATA blob differs per file.

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Targets

    • Target

      DoppelPaymer.RANSOM.bin

    • BitPaymer

      Bitpaymer is a Trojan horse that encrypts files on a computer.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Sets service image path in registry

    • Modifies file permissions

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • File Deletion (T1107): 2

  • Modify Registry (T1112): 1

  • File Permissions Modification (T1222): 1

Discovery

  • System Information Discovery (T1082): 3

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

Impact

  • Inhibit System Recovery (T1490): 2

Tasks