maze

General

Target

2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6
Size

348KB
Sample

220216-23689sebf5
MD5

d444509ad9103c7b53886c25f7a0db7d
SHA1

5815f849de39537e54d080d6875dd886191afaf6
SHA256

2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6
SHA512

7a36df9119a2157bf5c74e73bc160e46e0add8d178cea26d5395ec3e5677ceeb887bc1de1957c54520e04af47b499b98256649d4b7d5bba427f3b8ceb508a259

Score

10^/10

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note

<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>yourrealdecrypt@airmail.cc</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">ChyLa4FCt5Nei1727EXRNItWliDXrM/v1UwgkjGoiM2SNqRUifXuasikGcJUFlrm54pGgAoQBpG5pIolJrtMEhvaderizdUSDGF9r6tVFo5QMIlnpXxyHU/cyBRnSGWskvEv4+xIIcaclmxgBmbjYHAYd10cJN51JlaGmK9LRJiBFSrgwOAbMHehiMYCVC/gBKnRvPnTpwGxdyKWiWvKxdnfgxaMcaUE20pT8wogMPUlEisqaRSE7aN59uAh9l00FuENHkkYe61RYSnpzvP+0Fwte6LJlqu6PTaBf3WVoKFTfna2BUAmjaoQ9QQX6muXIearTFwXai0eJh1QGbZ/pypyL5ZnMz6y9Ir65Ykar5HHCK2iee9xOuaApFrDfJc1famN1ThHS5sEOpRW2DGzAHSB3+m6dgh8YiAK73Ps/UGzwrLjccvoILj5pQxlD4JzUyGPC9tdr+pKcJXVH9P6wN9p7T0XfQ4V9j3a0P5jDOlfkyuK2whljXUsZRdzCk3gqJTw8KbswP3dlkiGuzCJmnLlKOVXXBB4c0Vbvgirzl4kFZpalv7m2J0PqMBzjskGvVUAr0bQMR/PGvSXofZLXkik0FAosyE2QnaV3NobxGxXeRvXrGnXTBBYd3mCRhdpNjZNhWGPj25kiE0r6cT5x3MlLjpqWKyYt0NvrBfwT9CXVvPmnDIasOh0Y8K7KKvVv2+BSFdUMbwFUFbmRay8VUFnqyg6iCFsYv7UTcDLC2cAZ6u05amgbYjeVYogNjsjxWL1qNphuzW1bwn7DrK9k5AFy+5zriJnWRXspgBYW8BIDtiP6ck3S90E5/kvCONCMzCRbgewwsuV2Cgh60aJKWdLzksQB4v7vncly5jps+yOLdGNDQhRCmmfydQVuz5w/ejc9C9+Mc1os5mC0F6h5X1yixAKZD0Glc/5eMGGDSrzgGhSfJ6euh3SJa7AyMCeoTxga6cG9i3NcrkPhu4n0Lv/GNWgFOLoLXFx+7chjFObuA8dh3C8Jxsw5bJf9nCHGgq+puR6bDNKh+VqP1z0AnCNyLhg2SRramL4t/3VXj/f8Xi+L5+KNHBGPHBEy6j/Q2TgKmm6OLEGTB3dIftPqAyOaMAXUcfGsHhKq+9exO7j56JUnWydmJrKUWc9vyjhY9IYo95y8Q7FpS8hdyboVMctGNUiwpr4otJupVt99S0tfYjXu/gZZG/r734BHGxkthVXA6cKxQxYOY1bfsHlSE9RlR6MS9mUgRMuiQkXvnNBIKT2DjZduheW/1cdNU9nk/oDrFMi2Rh+CnFd3ymvrX++z59AAIRBcPuwv+WUwZavrNCtKJX36EAvoDre6ZiYAelwAYm2okiQB0HqhYA8182N293BabvW3HtqWib+xo/SPRzlgIC/WqjpsrRIpWXRYjY7Z3igDZXzPbEBGoNLAYkIx46OnzweeanLpivPFYVVBobqUurjF40X606a6v15U7KYi8017NFdOZTpN1A9uaSq9xK9YsJlwHjjAlxMcM+4ZHkN4EbFErxwQhP8E2+tU7KvicIvn8HPWycgFhGTd935wFKNgc9/mV+Uoo8C7bTPpfoQFTkNxDABSB5i0ohMFExpfRx4rq7lGuzYsnszJAxn6iGFZgtpmkySFDf0FhyljvgJmoV3BRQPtFaEgRCN2C5Y5XYxw2GDgh1h2I/DEY8Jq4oLJmMFfOSiMMWevolNmN8oa4l6tl3DLsSxJMAJp5Llm2xxPGILq4qe3R2eUF0d8abJhJlrt7J0JwaepDI05SHgN17NeI79uucoR7YXZzJsvrHk82/D9g9SxlNwuH8DoVAlki6Oso5ZuqredrKyj40vhlqeRuCkiTybLF6mPURYDJ1nxoZu+2zzGPxhL2EBdNNu+kL65H9fu+oP5mdhxsVS0onGOuN62SEPgl2hnyy7peqlqwdhrNcGN1JNG+tSZV2kxR6gWjYX74YVpBzQsiZOceX4UrDagdLe5pPKV0cxPO6GNWIZfBo1trZnNcHOAMvDRt3LadLpnwOZpnHsHEHO5PKrxef7FLYKatb5934ZMTMbrb8gt4dTC5//Qlh28RzYSbr3YGtnHESrfI5AmtcJSbyz7vi/qBAKVvgwTtXWBDD2WTpkc/tHDPch7TrHa/nUQ3VASL3/SMTnYAqYyEz4Z/iyX9mFQOaMJ8cGxT65JsLkAPBULEPqDx41huW9X8yP1ndY1KVK8YlMTuhgogxEAGngaYgBPFXkOlNG3kc8VAoiOAA5ADIAZQAwADkAOQBjADYAZAAyAGQAOABhAGEAMAAAABCAYBoMQQBkAG0AaQBuAAAAIhJWAFEAVgBWAE8AQQBKAEsAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA4ADEALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwv87Ye3gDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>

Emails

<b>yourrealdecrypt@airmail.cc</b>

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note

<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>yourrealdecrypt@airmail.cc</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">kDi3AFZSRwTSW41bbtcMvwA4Njhad2fIpi4WOTuO+uvlgtqq/oT3PA+DCNDZOAZkQ0xhtdHFyy4bwDYBVgJWw73Vbt1TNttFSkIlkFDccfrmdg5o3jicWJhn//bY/wse73QXp3N9q706SSNWWITS+6lo+GDRq2DCNzpQ8fHH8kyPLNH8LCiMI6FOD+kEzqY67xKg2PMDmQ/1i1eW7+R9Yvwcv9o8S0ntABt2sltd6BaY5LxjbnBWBvW0Flkt9kqeO7oP1caclvaEJCaSxulA4V+xhb0KrD39qOjS6y+gwWvxF2LmVu8GsKaRPSTkbp56WXDsUWYazuYdlDOXX464jxZvUA57hBXlvOTuN8C9glr+CJtvuKUXK9HoALaf3QhdfaDFHVJ2LB22lO2uy+VceXaM4U6NzLP5J+PVOCl96D4znofY5kJcSzRhs+ic8x26Mcxaw0Lrrn2MtvwAyS7BsLZ7XVxlmsG6j5btMsqhA0X9oqtakYLGGXqzhy4C22X6DWjyNuSMRjIjaNtAEaNbj5h7KEynPcHK4AJnagRQU2WoPO0/LPtOBDamF32mTWeMicPfHiysE7TsUcyl5/oHY384LFj49TR01KY6V9+bLu3/DER0umncWEXD11dOFRISD36SjCuq0t+KWTSCxc62al5IAul6Y6fUu91Lju1oVf+SWeeUp6eHh6Ez4gbezhhiuqB4Jt/15RKw65G4N/oDYD9+lScYVWMdcttfEYN3Nls6Z2d5jkqtNxNyX30o9K64g85xaeeILzXjSQ6LXcqGZHNrZHkIlv0DfXxWc2/sjQ9pX3CBWCOh+XUylYpDM3gsShjaaqDHsM/zjdQWLcdCgRpvtLHJ9ymSXOD8DytyXJx8WrHatMrxYzneVf4tpTeboOI2+i1xU0scRkzUjqBAb7RiQRx6TpO+tY+SvATs8JhSIwCRuexCo7U+guFmhQvOz+bbWQVbyK8mYxko3cCgcseFg4VXgjvXneYok6MIsNp3P83erI79MijPj75tSJO9o6H24p7GluDQYEV9sgByZ9bXim/i1rly7NL6e4rc11dwXx1D/OrbjAZ0hP4uIr4+7m2Y0m5H1XQZk+Gp9IV8Actar7QmiWiWhini2fnfbQDr1jNrSkIZO9F7W3E6nWs1yEb/q/hZ7JT6ub2X0vNV2qfRmDNY9R5JfBQq2EglYYwcBck8jutZehIOJXvgPLFdLfcSV67Q2GbJKXwkzmQkGqFWuYp4aegHD7gYrl7JX2VubHyrANmeo4T6596tAT768B9nVOdZzdmgEOKS5KvXmt7bfkGfQBaD1IkcCFVxuehYBfypYwtat0OIYesvqzhICYgi7X8dwTfKzXmHNSctxovsimbIaTeBkrOUkQJHyC5vZ0pS4SgwBh5VO58spnsMj74lseZYvI65/DCd8wmFJc4AdJ8b9m5Sn0swO+jmb9x8HEIsUlpE2MUkXY8j1Wh1ufFQiBgcLJOH5tG3lLJ7iFhiNFdfwV+z6jqi7UTW9AmQAOGiz/A431k+r7G1hzljiqa0k6mlkb3NmmAI87kfLjbi44in5mwT0oABhbJP+zgfbN6vSGpNO47qf4EIwx5+mVOwTDGg6rTe+D2vWXeX2XTzIThqmbkptc77MpR18kHrtfGTBqgTrnLsaoyfvj7IdZRnbOTKdjDo9KsD5QERBhO07mP0OAzh61JWF4yFygoW72haTgNyWEpKKp0c1HAXsCeXKOibQ8Q9BD+YjN3e3VxrekRlVwwmAoSDlzaO/c1hlqC6jGw38nhvyEIMWh9gl3UCui9gzuuheg+OfofcBuegefxXF0Xedd15wT5U4BNHOwkXxRGaHLUsD9g1C80BQAc3Ni0/Kh4OebEaM0Bk8lfgd6RW8C4mw8YUkNF+0PbKW35FBzfFx04/vtUmMoQ6oNaWiRpAfnw4NuvUf0+gaM+TrhjwgcS01RvBUnCjpJHQtQ8N/IjoYBtcBZdRE5usF9dqWMPo8DobLXnlt29GECFHtgZwIUCdWFz79gqdw9LVopTGL+/o3a92NOuGtlgKLQW55OMvsqj1geFkoqcOHt68xNyv3mAn2NNPx0egIJyCCO7SPkOBQGYKd1JmF5ho8bEdy+3c3Q1wg4LsVaKuNuxMRfy8h45Xnh3rXY51M9GQzACuV+0Emu/UojLUoQhNtXn5J6r1b9PIf6H2P4Q7fvq0OZhqYsWPER3dw2CVVq71RvAR/eHxPbHdeRrRcUkwDpPw3gogOAA4ADAAMgAwADkAOQBjAGMAMAA1AGQAOQAzADYAAAAQgGAaDEEAZABtAGkAbgAAACISSgBEAFEAUABYAE8AUABSAAAAKgxuAG8AbgBlAHwAAAAyLFcAaQBuAGQAbwB3AHMAIAAxADAAIABFAG4AdABlAHIAcAByAGkAcwBlAAAAQjZ8AEMAXwBGAF8AMgAwADQANwA3AC8AMgA2ADEAOAA0ADEAfABEAF8AVQBfADAALwAwAHwAAABIAFBAWIkIYIkIaIkIcPObuA54A4ABAooBAzEuMA==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>

Emails

<b>yourrealdecrypt@airmail.cc</b>

Targets

- Target
  
  2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6
- Size
  
  348KB
- MD5
  
  d444509ad9103c7b53886c25f7a0db7d
- SHA1
  
  5815f849de39537e54d080d6875dd886191afaf6
- SHA256
  
  2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6
- SHA512
  
  7a36df9119a2157bf5c74e73bc160e46e0add8d178cea26d5395ec3e5677ceeb887bc1de1957c54520e04af47b499b98256649d4b7d5bba427f3b8ceb508a259
Score

10^/10

maze ransomware spyware stealer trojan
- Maze
  Ransomware family also known as ChaCha.
  trojan ransomware maze
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2