General
- Target: jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
- Size: 58KB
- Sample: 211112-lbfz1adab7
- MD5: 1cc5b508da9567f032ed78375bb45959
- SHA1: c31a0e58ae70f571bf8140db8a1ab20a7f566ab5
- SHA256: 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9
- SHA512: cef3bdf76e94904e0d170d3d208accef9ff8e50b85403130b12914ee6b20f0e49f58aa840757c7855b656cffa4400b83cd81fc5196fea66045a5724886970d61
Static task: static1
Behavioral task: behavioral1
- Sample: jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
- Resource: win10-en-20211104
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-2955169046-2371869340-1800780948-1000\BackFiles_encoded01.txt
http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=rWtm070iCyddsgPzYb6%2F5sYFDOWmHktCPIVBvwDe0pfkO1viiBYlEWycNMJPj4zAyBNepZJPa001jyKIRYqO1ZAfN7HOTExUafRunSj18tWZR36Di0hpHzngbZUQ38uR%2FjtX8%2FRuMRR9yjXHQZb9k8YNVerVED9BLZFynkKbjt7DVlf9jQw9ATvbZ84y7si1lyRcoLNFSQRA53G%2BUY2Rh9QCKYDbGlF0MeNEmCX6ytPWIFicjgM9MkGAfqNWo6HyiFkkmNV0OU0LgVKyMc3NqfUiZaqJa1YDcOc3l0iFtf3jWS%2BZ9nZydzPaT7sP2vKuwll3qq9SShtH0XatAqqigP8tArjWVT9QKoFLvg3a2q3IDV6foWFkNDTzRd4CqpH16x9XuP5bXRAa80mkJNea1Ok5SIiOb14hcvUhyXaO0dvMEg23yHF5bRDDMaVW7tfTnhtIqYlkfAk28U6sabmowN8CJ4uNVWNVFoJywC3VmtTtDnDplkx%2FQ2L4b6Fdsr7XyCgH5OVDYGo%2B9GC3DP2Nq%2FtTBYmVV004YdN9nEe8hNScLEPh%2F29gU2zwdqdS8te2%2F1l2mtIXfgdV3DGuSLyS3cIZA4fuTH0UPNp0iTnIiKOfUAOmgVNfA1z2XLlFidXT3xtekZgQSWsQ%2F3C3G9P0w50nYJyxAz02Q9gzvUGLqeGIWSSnzlpTcjP%2FYcQmy4qo3C596KdEOBtGjj3ParvXhsYPHLDFFU9vF4FZhC39%2BMOdI0WGtEF6P2OBNblxuILo9C0Uto53OGlulzG1UtjY1Z9EA5aYYVcSNvttvlmx1NXkXiKJy1VYchviQr0W9N211gMAhJFCQUlO3WWwW5%2FUhvRdVrDve29iG%2FFvpUSM%2BcOdJ3Cg0FNtFnfEd5x5zdX3y14DqvdGRkoV%2FmbFWOzRtckEX%2BOBd142d8FytAiA0N2bCSuC2XBjZhz6SIYCj%2BuoyBBDk7pVTDxx%2FV2BZqCJ4spYCoLOa0lzCttuvlj7%2FojFNmupk0JMAFXzRpoEv7Xf3jwxpdNbQlQ%2Fik6FM8nclsEKdfXQZE01Vfh3o3%2BbotLDUkPh%2BxY%2BHxPEeoUIjY6NyA5FoZdnKkJC4zTOR42d68JOVJXVblpxNOBxggSbjaDuWF2F1EhbFmjNPLdFvLHc6gkL5Nx2Xn4z9TS1V%2FTokPtEA5bHFEkmY8d9w2Kb0Nv6XiKwik5HEir4WYAt1%2FaI3hgU4qRqOiVvhjaVYN%2Bj251OVZc%3D
Extracted
C:\$Recycle.Bin\S-1-5-21-1042495040-510797905-2613508344-1000\BackFiles_encoded01.txt
http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=mMuO7yV2SabitZONNkW5UPOl5NlDMwuw%2BIWgw1YloCHRm7PeEEJnkNObpLwYcIh2%2FbO2mQobKcyKiLL2EnGIY6W%2F341WGA7V1vP%2B438O9GOs55a%2FExwrnobn%2FetHK8FO1PG9z11AfYbK9%2BbkWiGDaajx6cVcBCiDyNn761oizze2%2FaiJTBJ09dLF1%2BZGKfwbwLGc1TFXf7P6hfLpACGyRvOH%2F7sARA%2FntcDe1UUW2ir1loOJHDt5lMLR%2B%2Bs2IYZA4KfHpHURf%2B6J%2FMHJAzCBJ62ioI84Rie5%2FoHY91VFh2%2Frku%2B3RjwOkdTN6%2BZCDOoU9JXuhF9AD7b06P%2FgK12Fftf%2F%2FdhjIB7epNGg9XsLjSjN9YiZLSckmp6C0sA1fac0wZK7jUggLIPQ99vLZgfDH%2BO775kuOTuw7YTloFVRlGH8mMueHE5w0ImM9stsCtI63feOmBwXeZ7Y%2B%2B7xDGHSfvW6%2FblqLnDCieziz0Qf%2B2bb%2BK25GSgiw56C1v8ka9lf7oDCgHMmbJSghtnYbhT6Jsq5oJ4zCCCkzub3wBR0hm7AgceCV1N74IuB3N1uD4oB8YiA2k4EH7DM18PsDSWGQ%2Bu4uo59BHHSg9br%2FBN3%2Fxz5j%2BylOScUm%2FjK0LYpeJAiqo2r3Wc9AeuogcXhQ3yPCuCnrp0VOjuF7Pf9sxRJgnHNu6vdZxMm743lys4Od%2FEFqJTslRUILpeegtbWM0C0bamCyahjRznk1vnSyQ9yzWXYiJvYTwYZve7K0fQNNtNBqqb3tk0DcJ%2FV1%2BPCBnfrE%2FCkkN4iFQW%2BjJWmwz5bhmv9kbnYaz8GyqP62fpGEIl1qIOYmEM%2BA7XM2v7wDlC5UNSx94JLPSrxrdnlvwQx4BzVtYjJSDQVmNnypPwpNtNBq57ArQBED%2FOk1MnFBnzeHKukjN4jSxm17PzF4SJD0E%2Bt8tTWXyJ7xKjjx%2BoDL5xi2KTvyUg0Gr2DwObGKUGvTtnuvKl8MQvLjOXq63kxyjv3sI2JTRM8hN%2F2rNUrW6giqonYhlFGG5bQz6G8RA6NB%2F6Dv6k%2FPCeCweDG0ShFs06rh9uhdgZ59Kjz5OcEd%2F8R3qazqjEwBbrf%2BOPzNVu4NvSx6o5mIyXnuM2gvn83yxLrqvzePEd0tcHUxOwfNtNF3r63lnUyD5e0xsS8WT37PtDxipo4BSDB%2FpWmxx9QlEbWvPa9VwQC0ojh6cZFF8gqooiPjQkQfJ%2FX%2FuzwAFnZUr34yg%3D%3D
Targets
- Target: jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
- Size: 58KB
- MD5: 1cc5b508da9567f032ed78375bb45959
- SHA1: c31a0e58ae70f571bf8140db8a1ab20a7f566ab5
- SHA256: 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9
- SHA512: cef3bdf76e94904e0d170d3d208accef9ff8e50b85403130b12914ee6b20f0e49f58aa840757c7855b656cffa4400b83cd81fc5196fea66045a5724886970d61
- Score: 10/10
- Bazar/Team9 Loader payload
- Executes dropped EXE
- Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.