azorult

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .NMOCWROPZB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/6e509012a873ad6d | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAJINzjVO6G50R5Z6qAVdXWh3/KfkOo7Zn5xmnP53VPwi6ON04VVEeCfJRjUX61fQ5Jcs2kZ87sQJe/keevu3m3RbhzWVPej0heGHOYgFSql/pfJX10BOGtqEsPPE731JciISddFs1F8fYkrSMRNLuqsHwRZPUL24XeDrUOLJiPEq2xU8+aIuz3FAlC+59hi3DWEpDtrqJXeOFkiwtJ14VRsa5+2bNRMQL70QDJlufLsINFd+Z+Rr9+UO1LRK/8c7arcHMwzbHiN+44KJnUHDkrVtDSTDsD/eiraRemYxHdTt0PoQzV3kkuieRBCMXd3Gp8rt9/i0dtZKnjPEiFR6ioaXbqVjhuLY8KLh1eA8WQ7XsQJIx9h3ZaeXSr+PtmOJ5S3M0hxzZvMtgyL0h45iT5OJRaGDo6F1QMjKynUdkMu0ff0B5PH7XtmRl3ZIHw2R6V2ah5f1aWpD+F+KbiW8UvINUmyJ3JgUdx8eBUgzHqutSgIVU1679tkSIyk4i3HT0zqKmvxA+C+wIAdNG8zUsA18bzOcevBrxfrP7skB4pSNcF9OLeYk4k5+UFdI+hetZE/GE2D3WSoqjXzfbyqLi3qz2ahqOU5Sve3SN6nGy5rxN6+jeuo8eID/2Am+5/aERw1L7hEgMK0lGuV6njw8lkBP8RRzaMlmZFHiiMTByv8uNpcQ69t3D1Ukp+T2SBuFMZi3Xe6wRPzVWfYQrNf2+tI/7odrnkDYpLcJKGUsVvtnVua7lIfL5+SoSDqf9HK91NJDPr6yLeaD47v/FoJdvyixDRYFbXFQE2zTiAroPoKOA4whMaQcGS8aMIjqLXJ7h/wqIIqS02eRC8dHnno461+e1Jb2f1/1kSmIODOUeZyAkY2Kh0qAdIHzwAns5swdIgfxs6cVKns4U5lfvfz5DtIMnyPQR0fvFxnnjz9ZWcUmqqE4C02UWuj2gn9Hh0s4icOqGQ/v/vtFZ/uqk7Jcr+hK+0FJ/WPW9gh2UEDys1HalnT+A0DV3xa8oI9XGbNYjz2AXDqKPxlRvtpKX1f7tbWe0xC3RZfq7I2G1pQMvyc3XS09G/Af9HkGfFw3XjU/znI9/ffzZ2hRkAIyPzUEccXuNVhMpgzuHKlBeM7eFF3iXe3mf1k6E2cH7IyQjDeK6IMZsqFmigU15JFqSWcNvuX7Baon/HzD9ZY/QhEIOuS8FrX3BVJwk1RfQYpsfg1Rcy47kT5IaIc2995XomjCkDfjXyO/s//XwlRFCeiPWFNJ+58EVN4lZ7LdmMz+gJz++RtqMoPcbteMcnS0V8R37qHTV9l/dEl1+Ouzlny3HlweTWVTexqog0w3YPVU9SN+BprgXdsiEQ8C/ttJGqcOv8wySmJKZCxcbcmVMfVBSsXoC7hQeamIVtLtPd32RXG5DX1Yj6YMxG5Mj2UrFvz2GuPhmBpbVJyxLidWrVl7IkcrxqZ6+dxC4pq4Cl2xRzWN4xLSKgEgAxLe7r5wjgEvmYSeI4cfU9nQcS2u5evPOA7wgNTlBcQQ8WcL5dTNBx+7Bx1xLegSyFefX+hoTd+N/uiRVHyjesnLx1zDkXeOqn0tp+aYtDdRCxWSXfW7995rhAD5yPyvuV6p8zvx6OKGDkRUjAWTJk0cnU7wY9cXOgVBvBm4uZYffB5hiETTuYQfGK1AHh3emWEL8nr9UCDS9oi9SVPgBEXFROgkHExd+NzqjwLlwQxgEg0SbIxMNWDmSoXIdgvduc3OwZn+DskN1uYDPbSJuNI2xFIzgF0cf9TzSV9/tj9sMK0TB+mdg/qbDLZ633o2NltdxPGQtpJYmYmuLndCXitUj80tD1bEMeC55AnAaK90SI0IyjFEU6GQpMpY1oQgAAQ5+aruuCFSztSTYlNcNGaIaB5P38WFMsL6fgHW/3Skenca6hufIPvFRudUNO9OKRS6nvkdiHEnyvw3Rm0fvSu5fzE6Oxx58I8t2CRHzrl/UfsO0G8T0Rg7ORJTjrW0wmFokfeuGomOuroFl5QeOZ1gIwBFztiUkzkHI3ELDryyCn8joubYnAQr3Y4nVKFvXZn3RE3ToG4lKKjlOI7a/dr838mXIAWZdIEUjyCPqD23IwhkrY6sfcIk4TvBqEUUfZPe+2FcFjeC+NcMDMWRKGgYDCOpVv2HxfhzU3CCk4VJpwfXBGZKbTfpaBKw5kqo0fOEGSWJPST+fMFnrqL4Ye7aM8A6OUo+uU4rIaMCQJdiqe1VtZTrZ5G6tjpqgT4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDz9NTJN5DRAuyVsODZRWLIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNxjWLwyoIX95yRHFXKdMI+BkVChenio/1q0nJSZoF9ASQvO7zBnmOH7+ICDGAMpA6ikRWUVdPec00lSDyDFtLuJf9BcBixqqcY9R7G3ZbHKmYCRmkfYP43yqPNoLMfjU6OUr3FW3eYJTzTJsPa3LzF0vPeKSzSzgqAooTDFrJ2MPDmx5ShdudroMVoJ6iqVzOmrqBpvYrwLrtwypC8B1eylBjnF7qJ4Bew6gT+wIUybb9cf69w/LTGj/LjfwF3i+DPbKPSgkY3ZWPH+rAlXvHei0oEFEvREsCMnANjh09REIB31FEHCybeMMJ0F1lg/qeRPezME ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/6e509012a873ad6d

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

lokibot

http://blesblochem.com/two/gates1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
Score

10^/10

azorult badrabbit fantom gandcrab lokibot rms agilenet backdoor collection discovery evasion infostealer miner persistence ransomware rat spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Detected Stratum cryptominer command
  Looks to be attempting to contact Stratum mining pool.
  miner
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Sets DLL path for service in the registry
  persistence
- Sets file execution options in registry
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1