maze

General

Target

9fcab81f339b7e009a40e9f263f8d2e56fcf1ec5fc230ee47c69e0b672b7c272
Size

381KB
Sample

220216-2ppgasdhh2
MD5

6405a2a713548111aa9a1a807fff6df5
SHA1

a8eb4ee46b792072347a73b21fad832f200128c3
SHA256

9fcab81f339b7e009a40e9f263f8d2e56fcf1ec5fc230ee47c69e0b672b7c272
SHA512

f0b576ed89c04541b7a6a2b5ff8a5ab7c8911ddd3573c9653bf536d337e9ef219c9465372ba061e5133ebb38feeebfad1a9e9d25c9fc9471c8c10ee0341747a0

Score

10^/10

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note

<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">TadmhGOBNfJH8gZy4VPtPKaMhVNZ0pSTXJq3XiQ17D5rsYTbjE+TUgwpB6D2XaXMrHnKPkUfStsRtSaxRzrHTwXvokt0oq3vrbxQHw1rymmO1nC9Bkv72G780oJ+74rdBeNjMkNYKmTzq3JCN6CiopSg/zfCMDKVyU/LDELL2q63oW17ccIOWd46DSgTx87GYSgrM865j95AH29knjGN0sOm74l4kZaixq3YOo+c5H+jlNn3NQ/tySnn+FBhh09cx/lSNymOBEM7u24as68d/LgYW7onbw6+nAFduXGWc1/RWP4SwRFHvKYJbbTddEK+ujx+TIE504mOYAN5NUdDiyy2orauClGcz2Js5xkryh9B+Lnki6XrJKHvDvHQun47MVGLrgcMHuPW9PF2nP3ExPvKnGNBFpICxPB+s85RcpMU4MPpsjU5WRjmtD3aSJCCI5rQdeLAxkzQvxc7WRo4Fhy3aoy9+L3pFOELGBs5wyIMzjm2NhV6s8vh/Ypd+ZTUnwl8NTYfN4g4rmA/R3IvxbRKnJIa3hPG3030uQUsqc2GiP7nQvpZQK15Cv5VKIocc0c3ZR0Fv8ucANO7P9XVvVW3dvmLRM2kQ4ZD5hDsQMhtzirA4TmkaGlIRCOpmJYo8gXt0ahJXo0CYxrwsYcFgYr5oQDxjg/974SkbLrZps8508mTX9TD0+KsleVUrkA6btKsu3lxBBZDH1MD17BKezd3rvEAViQ6WPRuoEqXMHpCoDaQ4GiuZZXEP0WPsg6mTrBdxDeqnn0iKKmsvaNf0n45NtjFcgiNDry8S38eTNWfmEtvCGm+89qUQ4AURzI7JS9LlCKd8QJi7i59Q1upiZ+LjSz+9TvxA/ubr9oqSgL1f8NTr5Z0qZAIdBWTS7BuwSosnXziteyJUP0ZiCSIJMViVJShKOxrLeOhStho9GqhTT0flN3jzn/nd4i4znEUBm7uieuSSiyTBmzFtZpfaw20XpqWAVcbN9FCwS5r+QCtYmbDNq68YkO/OKiYl8tRqZYTXRuD9Sujg40nbU5K3+H+8NTkWzJvdzFQKyMkiLxFFU6kFBhZryKXMwvwBE9X0lwDaAKAN0SpO/kfqofxDaw3/GPh6sRqIBSUgD2rEMqU6dfDhNURBJK3F0fCpf0eYeZZz+OHS78NoQ+F7XAERVzxBodkvBPThfavOHUGVNxfihPeZDg/xBeYtl/LBYU8XjRRZa3UzSvVa7JFAbp7vtYtyVAEYd416H5T46AGgTwLzOx/qx7h6NBZPuIPEJ5E5Sh1DncsIUOid/dCSQPIwbk3fTm/Oj5iW46Fm3jx4NbU5xux1MHlpzQeDyAK6IEdjErCS+hB71PnGxCSAjNygDKRdGQNVebqB8JWafjRVICJPqmZwKE47WbXxKjDcqh9GeMzQHDN1n4/rp9xuMvxyb0cfFmqQq6BAlu9FzXIk7T/4JwF49mekGZcydpCPjGj46d64+A4kXZrhI0a1Mq90mzDQtKCMGxdyupht8ARxx8q0YpnaNLkovm+GqPiXE+bhh+FARPRH95U87e1sIS0ChhbcvwxEm7JryM0fLBKRue8hQjm5X5c1fXRE2KgrGvRFHAG57zYxnEbCAA6GBhzya5GJGB2JfTskMfSXfkJrlDaVeUq/oBMsUPZejUSzwqcRLVzns/egjf7nGJO+dj8z6cCUZBgXvKlDSK4DlpcYB5G2BxUXA3b4xXmlZnfqFUIImKeO2z3ji7YKMLTHyvyTIp2pfcFz6xRORiiMwA07Dv8lwKpbxrTbzYovh4mA4WLehsVsoyKpeFGsPJ/5AlDnH0UxqLo0nIfd4qA+exosktpQtCLPacAm1Wa6oyoOdfSw3cAg+HZT4SN7kvTp3MdLy8Ysu3FRd1fYzwoXXz3ZZgpRnCBfiPEngeydfVdGqY0CK00b1Amt1sshrGSCQN0972UA36hQxWFK/CuK20qjRh2bgufU68Q9U6uW1PwKjiMc6APf6XIBZLiYu5Sa7Zvf4foSlN3z30pyB1rIKpiq9g1GK/oYaOkKSLrpJ1nyr8TLY9brwc4rpIkkRs878JWgTaccZvdMpYMeDeWTUkdqNB98om3RkiY0+H+/noPbzyZ1g9jZNQXUOunmcdlJ29PVC9tHigpPZ4IOoSJw/GAuuU6Ud3Zray18wafIqHBzEfsK+/1IXZvZAwVCswXpuSqNQedcGE8i5aEPqc8Ir/VtYEm9DViAbw5DwGB0UgGQjIpAlt1cgoiOAA5ADIAZQAwADkAOQBjADgAYQA1ADEAOAA4ADgANAAAABCAYBoMQQBkAG0AaQBuAAAAIhJWAFEAVgBWAE8AQQBKAEsAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwyZ/Ye3gDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>

Emails

<b>[email protected]</b>

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note

<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">cZn6gDRAXyntZRotKC81mylbvPBc9QKetoiVjU0BxPfBxljA8YlNuis39WZZ9r3Y6DU7PdEyGYvdVSAX4OTdRqUmh6845qAfiagBLI3UGn8Ny09Rv/phY/m4GdMnslZFbEj7wb6hah/8JIP7MBc6jDGEU51r5Saf7+gHpaKswcB4iB7amOkOTBJ4uWjQG0XLdrVF6XChnU7whliUPgaOQqrYhHuRK6Sz1sg1T4muVpYXFxNL9in+ADpnHP6rS+0nijwBtW54nDqpInpRChzLDUN84CfWNIwraJslXqzn1POjnKWNkYkLQ27dkdFPE7h09zrnrnV5vb0AZSPJI4skXLfqS6HznuzBOE43IrSO8YTJdjK+oLgMG0UXB2BRUxBGj/QIUM5pCD2bE8at90G9Ir8I1CCWaeS6nMACD9IyrMp08+qI2GBsYKEv2EEUUkt40dTO0RynDUZvGMb03wULx5gMZW9DyuV/vM7jPGZSHfdXSDRfHXZK7nbf2jTb6hT8DNut44f8v+KKHuFuUg5tc8CRQ7AEOE9KZgLkHoegtgOA9cZIwGF0HlpgMZyZC/C5/PeKHzZt4MWPyyQKdJRCCO8jDQHegj1hCGKBa1I0Y89LYMmym0o9KZi4vdaHxNsuU/s3v1zYJLEy2nQqMwbtFF9kSNAqWx2rhePVphMeblMgkO3jQGqFN5xxaL5BF+zCZqzXuJdZisRMtM/z5DEdjMAeUlq+o61lAFgCavQyEepQim0wa2MizUft5H/nBUcviJgBqcpHgJWzgXM/FO13IY5Jnyj9Rk8vdfYsHSx8wpLA5X/RZ+qWJ9Q4b5ROjTulYUU84l5vkG5/XmE4+rhnvZh7Y/NBh+QtYeQ4liqT4oZNen2EmoCRWAgrw1SXJTc4G832cGrVSJ7CxXU6hI7DY+F5BGhUtXnoR15NJVK2fwOCRYZBRSqHU8tv85wYTsVLEVGbSX4sfDnKNrZFvSha289QpSZ8KLS+/KuuLThShpYAXvdUF4pledqEjxZw/pTxnu52NZ6H8jKlFuaK9RxCpl8wHGthMTLgRpjdUItncOhhp92P6kdaAL+mA9Mq0GZrnc5BAdFyXNRGAC7etiPC9S6Se08JFEX1ESPvjMA5rY/Sejzd7akHkHDe4/QoXCwEjwGvTi1JkMoHxm1lPcPo1AkOjwzHECMoQ61A3NHriO3Mk3PrHA95w55mcaFTQd4DjsDVXDh7yrE5y8cBlYZcvbU5ic1W94KMIdl8PiTCzOPAkTCuMBwF9blw72fpaTkfHTuWzJffdCY2eXq1NoEu3MArvRqScHa7HrD2FkvBuQCNeuKwCNPMziLlTimHsSG2QwQyENrPkxt9ZuhHyZJpLboATbObnB4dxPV/TyEWROgV6eEcfSoDY3mgOlKKNB84uzP7DyGZTBFM9AfCdK8TK/xA9LWn7FfHrSMjVR6fP97aDWqx4QQJdo4xQFRXd2ii9xrCPcKiQmfPD25xmBa2rPi5DXxfDGbeoWMasL8nQG9sCOZwrAO0y1PRSA3MCB/yoej8coly94ssAMGMVJfxQkLTcv7VgQie4M6SFwBoOFt8jTQS8rtmw190jStZ4m8/wBTks3VwaV5YgTzUhn7tV2D/ytdOLKWWO0a2WaeTVY7g0M2SDFkztUwPR/b3DoxwarkOPV6MtheQcRWhN8WnVgN+m1VaTqn20sZf+3HR2pAhoO2lBqr6lAhFp6dfTjkHqQe7wlTSvjIlsVAcWlxDMyGsOWbYkxEW+BAKSWJK+60DVKBPsL11R+onGKfuSMUQ2dHYim/qxSfndobOFUKXXbVJbMqSIputMTuk/zKnfMZKc4409M879TT2n4QSRFzibqah9kSPpIHCqZfq495RskwjNy8CW+JaJAEbqYL3yGLDUb+FIREtEyl2DLqcanREbdZi7DZojqwXinYlOL+FJjKi3XV0D3ymaF46K5cAnpN2/QnxQbYZT2W1SRhs6anZup1EXF7I6O94hzaR9OQByb7LotC5kXrKxOggteN0uRGAby4ms1G5YlxHZ9XX9ZXpLmI7dDrBafsM5eHkpvNvgVWalyrmS4/R4qSUZOrc0Im8Eg92Jc/uQdaopv/VSTdUtaEm4xrM3rHJg0JmNvHh8mxMyNQRcGjs7JowBBkjbgz7h1e8udLgtdSkgQFwd6O/2nMqPNZJ2oX2mQFyfdUiNI7A4nyKEbOT/pWltZxe63eF60auClhAZqkGQ3xzl0wlX3EC3QoiOAA4ADAAMgAwADkAOQBjADgAYQAxAGYAMQA3AGEAMAAAABCAYBoMQQBkAG0AaQBuAAAAIhJKAEQAUQBQAFgATwBQAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADQALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhw5p23DngDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>

Emails

<b>[email protected]</b>

Targets

- Target
  
  9fcab81f339b7e009a40e9f263f8d2e56fcf1ec5fc230ee47c69e0b672b7c272
- Size
  
  381KB
- MD5
  
  6405a2a713548111aa9a1a807fff6df5
- SHA1
  
  a8eb4ee46b792072347a73b21fad832f200128c3
- SHA256
  
  9fcab81f339b7e009a40e9f263f8d2e56fcf1ec5fc230ee47c69e0b672b7c272
- SHA512
  
  f0b576ed89c04541b7a6a2b5ff8a5ab7c8911ddd3573c9653bf536d337e9ef219c9465372ba061e5133ebb38feeebfad1a9e9d25c9fc9471c8c10ee0341747a0
Score

10^/10

maze ransomware spyware stealer trojan
- Maze
  Ransomware family also known as ChaCha.
  trojan ransomware maze
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2