General
-
Target
10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e
-
Size
21KB
-
Sample
211025-mdafnsgac3
-
MD5
a60c5212d52fe1488d2f82989a2947d2
-
SHA1
0a744d6c76902d28eb6687d66c18b0a354f29b9d
-
SHA256
10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e
-
SHA512
afd14daa5bd9448e09f25d561e8be34e16f93a2825129d165e817a4a2a3ffc339efefd6f26e78c4853acfbce7f51c88b81601324b123d8c377d72da15dcf9327
Static task
static1
Behavioral task
behavioral1
Sample
10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e.dll
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e.dll
Resource
win10-en-20211014
Malware Config
Extracted
C:\Users\Admin\Desktop\readme.txt
magniber
http://a6b48ea8e0f4da80e8dihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl
http://a6b48ea8e0f4da80e8dihlxbl.uponmix.xyz/dihlxbl
http://a6b48ea8e0f4da80e8dihlxbl.flysex.space/dihlxbl
http://a6b48ea8e0f4da80e8dihlxbl.partscs.site/dihlxbl
http://a6b48ea8e0f4da80e8dihlxbl.codehes.uno/dihlxbl
Extracted
C:\Users\Admin\Desktop\readme.txt
magniber
http://16c42048e27ca270c0dihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl
http://16c42048e27ca270c0dihlxbl.uponmix.xyz/dihlxbl
http://16c42048e27ca270c0dihlxbl.flysex.space/dihlxbl
http://16c42048e27ca270c0dihlxbl.partscs.site/dihlxbl
http://16c42048e27ca270c0dihlxbl.codehes.uno/dihlxbl
Targets
-
-
Target
10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e
-
Size
21KB
-
MD5
a60c5212d52fe1488d2f82989a2947d2
-
SHA1
0a744d6c76902d28eb6687d66c18b0a354f29b9d
-
SHA256
10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e
-
SHA512
afd14daa5bd9448e09f25d561e8be34e16f93a2825129d165e817a4a2a3ffc339efefd6f26e78c4853acfbce7f51c88b81601324b123d8c377d72da15dcf9327
Score10/10-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-