General

  • Target

    5378249a2b439e92691fb87751adc9fc4e2dea1792309d695b7f1d9c6887b09d.exe

  • Size

    14KB

  • Sample

    211024-eabwbsdaa2

  • MD5

    a43ee303f6e4e6870036dad6666cbbd0

  • SHA1

    95007b7c46858107378b9e444c83a772295fc6d9

  • SHA256

    5378249a2b439e92691fb87751adc9fc4e2dea1792309d695b7f1d9c6887b09d

  • SHA512

    78c216ba26fcf3d880c0a3485076fba48e02c4f309b452924214b5298b9582e9af41dc846e830dd5a2e00ef51870c40580920a7f6f020d627269c1ff543bf97c

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\bin\#Decrypt#.txt

Ransom Note
Hello my dear friend Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted If you want to restore them, install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ Write to our ICQ @Whitehorsedecryption https://icq.im/Whitehorsedecryption Skype Whitehorsedecryption Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. We are always ready to cooperate and find the best way to solve your problem. The faster you write, the more favorable the conditions will be for you. Our company values its reputation. We give all guarantees of your files decryption IF WE DONT SEE MESSAGES FROM YOU IN 72 HOURS - WE WILL SELL YOUR DATABASES AND IMPORTANT INFORMATION TO YOUR COMPETITORS, AFTER YOU WILL SEE IT AT OPEN SOURCE AND DARKNET tell your unique ID
URLs

https://icq.com/windows/

https://icq.im/Whitehorsedecryption

Extracted

Path

C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\#Decrypt#.txt

Ransom Note
Hello my dear friend Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted If you want to restore them, install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ Write to our ICQ @Whitehorsedecryption https://icq.im/Whitehorsedecryption Skype Whitehorsedecryption Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. We are always ready to cooperate and find the best way to solve your problem. The faster you write, the more favorable the conditions will be for you. Our company values its reputation. We give all guarantees of your files decryption IF WE DONT SEE MESSAGES FROM YOU IN 72 HOURS - WE WILL SELL YOUR DATABASES AND IMPORTANT INFORMATION TO YOUR COMPETITORS, AFTER YOU WILL SEE IT AT OPEN SOURCE AND DARKNET tell your unique ID
URLs

https://icq.com/windows/

https://icq.im/Whitehorsedecryption

Targets

    • Target

      5378249a2b439e92691fb87751adc9fc4e2dea1792309d695b7f1d9c6887b09d.exe

    • Size

      14KB

    • MD5

      a43ee303f6e4e6870036dad6666cbbd0

    • SHA1

      95007b7c46858107378b9e444c83a772295fc6d9

    • SHA256

      5378249a2b439e92691fb87751adc9fc4e2dea1792309d695b7f1d9c6887b09d

    • SHA512

      78c216ba26fcf3d880c0a3485076fba48e02c4f309b452924214b5298b9582e9af41dc846e830dd5a2e00ef51870c40580920a7f6f020d627269c1ff543bf97c

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks
