buran

General

Target

522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774
Size

214KB
Sample

220212-gsl55aadem
MD5

82663d9b96e1cb72bab78a9f56a50678
SHA1

29a5bd379073cd3073764a4f45fac283b0febcd2
SHA256

522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774
SHA512

3b2ba0a58482d310a4b3f044bfa88b5ce91b7a293e4241c8dc2e477029cd78e2df7d00dfee8b4213f87a26dce9c84e31807f8e503becbc64a97fe1f3bf5ac36c

Score

10^/10

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Telegram @payransom500 Btc 500$ adress bc1qas8m3c2jv4uyurxacdt99ujj6gp6xt4tqeul8l Your personal ID: 155-9DC-526 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Telegram @payransom500 Btc 500$ adress bc1qas8m3c2jv4uyurxacdt99ujj6gp6xt4tqeul8l Your personal ID: 106-812-35C Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774
- Size
  
  214KB
- MD5
  
  82663d9b96e1cb72bab78a9f56a50678
- SHA1
  
  29a5bd379073cd3073764a4f45fac283b0febcd2
- SHA256
  
  522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774
- SHA512
  
  3b2ba0a58482d310a4b3f044bfa88b5ce91b7a293e4241c8dc2e477029cd78e2df7d00dfee8b4213f87a26dce9c84e31807f8e503becbc64a97fe1f3bf5ac36c
Score

10^/10

buran persistence ransomware
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2