Overview

overview

10

Static

static

1be90c7273...ea.exe

windows7_x64

10

1be90c7273...ea.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea

  • Size

    54KB

  • Sample

    220219-jtm5xsafbj

  • MD5

    c81424677bcfcf9eeafa3504d87e5c63

  • SHA1

    9393744eaf2cd526e3007a0363d2291faba236b2

  • SHA256

    1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea

  • SHA512

    4ac18a81065b70e44052705753e7d5bf5585e05db8618d2758434e7e126dda8b39c010d0521d237c440fe3da766f107992517a542ac9b8b11ac1f98f7958a6fc

Score
10/10
ryukransomwaresuricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\BackFiles_encoded01.txt

Ransom Note
[+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension .encoded01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You can open our site by the shortcut "SUPPORT (TOR_BROWSER)" created on the desktop. Also as the second option you can install the tor browser: a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website. Full link will be provided below. ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! ----------------------------------------------------------------------------------------- Your ID: ivYTRlYfLdBVUjByXafcBOGYeQdILBqyPG51ODqyvHXDpi53YysD5mR8B0Nzlu8i744rMHlyTbo9ZxEJeZPtN7e7aREEKF6YNjxBCCqW5E7O2gsWYHVP6DEAXhQsxqhz2aYiZh9TF%2BN1KgZGfY%2BeceGQIH8%2BLRm2JXFBH36C7TzkyyJoZjEe9jM7VE8l6IRxwZgLI19RaPFfYgAMZtS2Ee%2BmfzdzLW%2BcMmB0PC%2FgjH3akiIneX5D%2FjtgBUk9uPcxvq4mBBdGaoMBOwcLDOCSSfu3Bn18K27fbjxjFEay1mrTt2p%2FH0wI4hckU0YNzL5j7M8VPVx1H7dYYBJISqLsZvidQDdzLW%2BTYRFHNRif%2BTbOuj00eGJs1mU%2BAEs4iMYF%2FZUkCjopRYAcMWRBHvOuTPy%2BJnZKfkz1fwRPHV%2FE7DTFj0c1LmdhmGMEXCE1874hur4AIF1pXOs0IBJITpzLPMPPY3EhU0qJFGRnNBjfkDzfmiMNO1Ze0kIuYT1hgccyy75fPxxFWJ43MXg2F%2BCLVr%2ByAyFxPhvFOw9DKkiw5RT%2BhHwtGnpvnHBgdjoon7FOu4sgM0B2Tf5bLWYNTpzuBeyuZBIEaUeyGAV4HSr%2FrTP6t3wNcXZK5Go%2FQ0l6pM8S6Jh3FyFGCOITNGERbuyzbvLPPChAdF7pVDZcA2rCyx3ZrmIBJUpLhHBgdkc29uxx0rZxFjB4G8BHB2I7Tr7AKuSaITIcKl2JYmdWAx7S6XXrsyUpfFhQs0cvAw1CxOBhv8FddD9qVPVnFEhBb5%2BTIbq6FAFfPhvFQjZjOCnDwmrhkHRwDnBhtjo9XDcv5LVn%2B4kedUVPY%2B5OPHpPfYbqdriwdxA%2BVFWULGBkRRLQn1e5qSkBanRe1W1lDhNms6FhzK9VFSVMaeJwYHYkGsLrQeGvYXdLVUjyOzBZAGOg5SXr0yEAJWlFvxEZeSt4lZ580M43Nk16fvZlA0M%2BVsPCMee4XR4BWFyCN3cCNBmC7kbjjwURXFF74FZyBThcobAFzcNkdCRHH7MEFFkRLOCaffiFCxA8b0%2FdXi4CK3zI7gPJtCIVMVp6uwJ3AjQpwJZw%2Bo9hd0tMHaI%2BEVAqNYPSZ%2FuCa2NkXUWlEzQFJg7GlHPOy2F3Tyhb%2F2AmTzZDlchqyYN9LhUvTOkwB14BCILuQrqYLDNGPhvBaw5YIGOV6hjflWZxYW5b6DAaBgUakY5Kwp8yB2BdWPJ%2FcgU4TZ3BIr6GYREvaViBAiQHNTzWiEzn2XcB Your support onion(TOR) url: http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=ivYTRlYfLdBVUjByXafcBOGYeQdILBqyPG51ODqyvHXDpi53YysD5mR8B0Nzlu8i744rMHlyTbo9ZxEJeZPtN7e7aREEKF6YNjxBCCqW5E7O2gsWYHVP6DEAXhQsxqhz2aYiZh9TF%2BN1KgZGfY%2BeceGQIH8%2BLRm2JXFBH36C7TzkyyJoZjEe9jM7VE8l6IRxwZgLI19RaPFfYgAMZtS2Ee%2BmfzdzLW%2BcMmB0PC%2FgjH3akiIneX5D%2FjtgBUk9uPcxvq4mBBdGaoMBOwcLDOCSSfu3Bn18K27fbjxjFEay1mrTt2p%2FH0wI4hckU0YNzL5j7M8VPVx1H7dYYBJISqLsZvidQDdzLW%2BTYRFHNRif%2BTbOuj00eGJs1mU%2BAEs4iMYF%2FZUkCjopRYAcMWRBHvOuTPy%2BJnZKfkz1fwRPHV%2FE7DTFj0c1LmdhmGMEXCE1874hur4AIF1pXOs0IBJITpzLPMPPY3EhU0qJFGRnNBjfkDzfmiMNO1Ze0kIuYT1hgccyy75fPxxFWJ43MXg2F%2BCLVr%2ByAyFxPhvFOw9DKkiw5RT%2BhHwtGnpvnHBgdjoon7FOu4sgM0B2Tf5bLWYNTpzuBeyuZBIEaUeyGAV4HSr%2FrTP6t3wNcXZK5Go%2FQ0l6pM8S6Jh3FyFGCOITNGERbuyzbvLPPChAdF7pVDZcA2rCyx3ZrmIBJUpLhHBgdkc29uxx0rZxFjB4G8BHB2I7Tr7AKuSaITIcKl2JYmdWAx7S6XXrsyUpfFhQs0cvAw1CxOBhv8FddD9qVPVnFEhBb5%2BTIbq6FAFfPhvFQjZjOCnDwmrhkHRwDnBhtjo9XDcv5LVn%2B4kedUVPY%2B5OPHpPfYbqdriwdxA%2BVFWULGBkRRLQn1e5qSkBanRe1W1lDhNms6FhzK9VFSVMaeJwYHYkGsLrQeGvYXdLVUjyOzBZAGOg5SXr0yEAJWlFvxEZeSt4lZ580M43Nk16fvZlA0M%2BVsPCMee4XR4BWFyCN3cCNBmC7kbjjwURXFF74FZyBThcobAFzcNkdCRHH7MEFFkRLOCaffiFCxA8b0%2FdXi4CK3zI7gPJtCIVMVp6uwJ3AjQpwJZw%2Bo9hd0tMHaI%2BEVAqNYPSZ%2FuCa2NkXUWlEzQFJg7GlHPOy2F3Tyhb%2F2AmTzZDlchqyYN9LhUvTOkwB14BCILuQrqYLDNGPhvBaw5YIGOV6hjflWZxYW5b6DAaBgUakY5Kwp8yB2BdWPJ%2FcgU4TZ3BIr6GYREvaViBAiQHNTzWiEzn2XcB
URLs

http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=ivYTRlYfLdBVUjByXafcBOGYeQdILBqyPG51ODqyvHXDpi53YysD5mR8B0Nzlu8i744rMHlyTbo9ZxEJeZPtN7e7aREEKF6YNjxBCCqW5E7O2gsWYHVP6DEAXhQsxqhz2aYiZh9TF%2BN1KgZGfY%2BeceGQIH8%2BLRm2JXFBH36C7TzkyyJoZjEe9jM7VE8l6IRxwZgLI19RaPFfYgAMZtS2Ee%2BmfzdzLW%2BcMmB0PC%2FgjH3akiIneX5D%2FjtgBUk9uPcxvq4mBBdGaoMBOwcLDOCSSfu3Bn18K27fbjxjFEay1mrTt2p%2FH0wI4hckU0YNzL5j7M8VPVx1H7dYYBJISqLsZvidQDdzLW%2BTYRFHNRif%2BTbOuj00eGJs1mU%2BAEs4iMYF%2FZUkCjopRYAcMWRBHvOuTPy%2BJnZKfkz1fwRPHV%2FE7DTFj0c1LmdhmGMEXCE1874hur4AIF1pXOs0IBJITpzLPMPPY3EhU0qJFGRnNBjfkDzfmiMNO1Ze0kIuYT1hgccyy75fPxxFWJ43MXg2F%2BCLVr%2ByAyFxPhvFOw9DKkiw5RT%2BhHwtGnpvnHBgdjoon7FOu4sgM0B2Tf5bLWYNTpzuBeyuZBIEaUeyGAV4HSr%2FrTP6t3wNcXZK5Go%2FQ0l6pM8S6Jh3FyFGCOITNGERbuyzbvLPPChAdF7pVDZcA2rCyx3ZrmIBJUpLhHBgdkc29uxx0rZxFjB4G8BHB2I7Tr7AKuSaITIcKl2JYmdWAx7S6XXrsyUpfFhQs0cvAw1CxOBhv8FddD9qVPVnFEhBb5%2BTIbq6FAFfPhvFQjZjOCnDwmrhkHRwDnBhtjo9XDcv5LVn%2B4kedUVPY%2B5OPHpPfYbqdriwdxA%2BVFWULGBkRRLQn1e5qSkBanRe1W1lDhNms6FhzK9VFSVMaeJwYHYkGsLrQeGvYXdLVUjyOzBZAGOg5SXr0yEAJWlFvxEZeSt4lZ580M43Nk16fvZlA0M%2BVsPCMee4XR4BWFyCN3cCNBmC7kbjjwURXFF74FZyBThcobAFzcNkdCRHH7MEFFkRLOCaffiFCxA8b0%2FdXi4CK3zI7gPJtCIVMVp6uwJ3AjQpwJZw%2Bo9hd0tMHaI%2BEVAqNYPSZ%2FuCa2NkXUWlEzQFJg7GlHPOy2F3Tyhb%2F2AmTzZDlchqyYN9LhUvTOkwB14BCILuQrqYLDNGPhvBaw5YIGOV6hjflWZxYW5b6DAaBgUakY5Kwp8yB2BdWPJ%2FcgU4TZ3BIr6GYREvaViBAiQHNTzWiEzn2XcB

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\BackFiles_encoded01.txt

Family

ryuk

Ransom Note
[+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension .encoded01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You can open our site by the shortcut "SUPPORT (TOR_BROWSER)" created on the desktop. Also as the second option you can install the tor browser: a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website. Full link will be provided below. ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! ----------------------------------------------------------------------------------------- Your ID: BslOjiEIZkRVoqiHQesLw22nJLk6PiQjNZ%2FryyiNELJPmXO%2FFDxIcmSMn7Zv2jjlY7F2%2BA5lBi49l4n8Zd868DuENNlzPxUMNszZ%2FTbaM4lC5VbeF2IEfDHwxuEwhXPdSvN9rlk%2BUmR94N3uLY8x%2BjbzKaRYegdhf87A4S2MfaQo%2BmjoSGxbKRn12OA1kS7xRqJj%2Bj1JI3Ja4f7nRIt2pkCZLPZtUC49Fs7K3ijaTfFcu2zeM0gQe0Hem%2FV05SnhYaAC70pvDD4Y8%2BzxI49goFSBT7hOTVpFQd3JxSjYYecwuhzMFi1UAjPh4%2B0unzmpRopUtD94G1x95uPtQ9UJ0FGAG7dLfC0rIsbjvw6Ic7p%2Bk0vdTGYSfGv0lsRx%2BRGiTr4M1nREUHQNxZvKL49gikq6K8IsKVBVQJDJxUTPMflson%2B%2BFGwFAj7Yxe0nvGO0Mbt%2B9xxjMiZoxOPcU4UdwkqkG%2BxpciQlZuDKzwOfffRusS31N2QOd2DPnbd9z2HGaLE4%2B1ZeFwY85MXlMIFkm16UU9k1T1J6fOnG7ibZN9JDnjzkE1IqJwTWn7YVpDqWfppR%2FSZGVGl15f7cRugg%2BWrsfMxnTywXApeNtQfaRpFplWz9FV8XXErQ7Loi%2FwSxNI8AxRlkCCtjh5rBKo1xtUr7fMU8aTVLZcXAyiX%2FJuQ0kSLcBDokLB%2Fz8eIT3W2ANJRg2TFtUls1w9X8dtgFo3Cqe9xRaV8NE5PdtjiAbYJlh0POF0BHIUrG1aoi%2FyegZZE23WhaCz1j18nhZNlJtTWOK6hMSihda%2FTO40nMYOwz%2Bhj9SU80IxH2wrRw03uCZpkgwVs%2BJEJ99Oj%2FJvgW5jf%2FIdxgRQQQN%2BjF1wqqWIZWmyr4HE4seH6Cnclo5xHgbrAl42dKDSs%2ByJDvCINjl2KnLPcERQRkVNfE42LfBd9DmwTaV1AXdR7X%2F80wjjzxV6JK6ipjIyZOk5ztRYsW4U2eHeFzPwd8L83b1gOAT69Rp3%2FZCEcoWWnrmr0l%2ByDNYOx8yFVHVitj683xMbpeu12MSOlKWQ4rSp6f%2F3yOIdBs7HzMBDogIzGX3%2Fd33kqtYrRyuk9YKCNkyvrZNY8V922OO%2FlGYjI0Eun5sA6JTIBchHG%2BOVQYfUiQ6Ldl5WShd6UDzXdnJDA305%2FQD6lar3aHadRLPDFdX8Dtt0PPJ6NTpny6alEkYWfgz%2B0XgEyaV4Y8vjo%3D Your support onion(TOR) url: http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=BslOjiEIZkRVoqiHQesLw22nJLk6PiQjNZ%2FryyiNELJPmXO%2FFDxIcmSMn7Zv2jjlY7F2%2BA5lBi49l4n8Zd868DuENNlzPxUMNszZ%2FTbaM4lC5VbeF2IEfDHwxuEwhXPdSvN9rlk%2BUmR94N3uLY8x%2BjbzKaRYegdhf87A4S2MfaQo%2BmjoSGxbKRn12OA1kS7xRqJj%2Bj1JI3Ja4f7nRIt2pkCZLPZtUC49Fs7K3ijaTfFcu2zeM0gQe0Hem%2FV05SnhYaAC70pvDD4Y8%2BzxI49goFSBT7hOTVpFQd3JxSjYYecwuhzMFi1UAjPh4%2B0unzmpRopUtD94G1x95uPtQ9UJ0FGAG7dLfC0rIsbjvw6Ic7p%2Bk0vdTGYSfGv0lsRx%2BRGiTr4M1nREUHQNxZvKL49gikq6K8IsKVBVQJDJxUTPMflson%2B%2BFGwFAj7Yxe0nvGO0Mbt%2B9xxjMiZoxOPcU4UdwkqkG%2BxpciQlZuDKzwOfffRusS31N2QOd2DPnbd9z2HGaLE4%2B1ZeFwY85MXlMIFkm16UU9k1T1J6fOnG7ibZN9JDnjzkE1IqJwTWn7YVpDqWfppR%2FSZGVGl15f7cRugg%2BWrsfMxnTywXApeNtQfaRpFplWz9FV8XXErQ7Loi%2FwSxNI8AxRlkCCtjh5rBKo1xtUr7fMU8aTVLZcXAyiX%2FJuQ0kSLcBDokLB%2Fz8eIT3W2ANJRg2TFtUls1w9X8dtgFo3Cqe9xRaV8NE5PdtjiAbYJlh0POF0BHIUrG1aoi%2FyegZZE23WhaCz1j18nhZNlJtTWOK6hMSihda%2FTO40nMYOwz%2Bhj9SU80IxH2wrRw03uCZpkgwVs%2BJEJ99Oj%2FJvgW5jf%2FIdxgRQQQN%2BjF1wqqWIZWmyr4HE4seH6Cnclo5xHgbrAl42dKDSs%2ByJDvCINjl2KnLPcERQRkVNfE42LfBd9DmwTaV1AXdR7X%2F80wjjzxV6JK6ipjIyZOk5ztRYsW4U2eHeFzPwd8L83b1gOAT69Rp3%2FZCEcoWWnrmr0l%2ByDNYOx8yFVHVitj683xMbpeu12MSOlKWQ4rSp6f%2F3yOIdBs7HzMBDogIzGX3%2Fd33kqtYrRyuk9YKCNkyvrZNY8V922OO%2FlGYjI0Eun5sA6JTIBchHG%2BOVQYfUiQ6Ldl5WShd6UDzXdnJDA305%2FQD6lar3aHadRLPDFdX8Dtt0PPJ6NTpny6alEkYWfgz%2B0XgEyaV4Y8vjo%3D
URLs

http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=BslOjiEIZkRVoqiHQesLw22nJLk6PiQjNZ%2FryyiNELJPmXO%2FFDxIcmSMn7Zv2jjlY7F2%2BA5lBi49l4n8Zd868DuENNlzPxUMNszZ%2FTbaM4lC5VbeF2IEfDHwxuEwhXPdSvN9rlk%2BUmR94N3uLY8x%2BjbzKaRYegdhf87A4S2MfaQo%2BmjoSGxbKRn12OA1kS7xRqJj%2Bj1JI3Ja4f7nRIt2pkCZLPZtUC49Fs7K3ijaTfFcu2zeM0gQe0Hem%2FV05SnhYaAC70pvDD4Y8%2BzxI49goFSBT7hOTVpFQd3JxSjYYecwuhzMFi1UAjPh4%2B0unzmpRopUtD94G1x95uPtQ9UJ0FGAG7dLfC0rIsbjvw6Ic7p%2Bk0vdTGYSfGv0lsRx%2BRGiTr4M1nREUHQNxZvKL49gikq6K8IsKVBVQJDJxUTPMflson%2B%2BFGwFAj7Yxe0nvGO0Mbt%2B9xxjMiZoxOPcU4UdwkqkG%2BxpciQlZuDKzwOfffRusS31N2QOd2DPnbd9z2HGaLE4%2B1ZeFwY85MXlMIFkm16UU9k1T1J6fOnG7ibZN9JDnjzkE1IqJwTWn7YVpDqWfppR%2FSZGVGl15f7cRugg%2BWrsfMxnTywXApeNtQfaRpFplWz9FV8XXErQ7Loi%2FwSxNI8AxRlkCCtjh5rBKo1xtUr7fMU8aTVLZcXAyiX%2FJuQ0kSLcBDokLB%2Fz8eIT3W2ANJRg2TFtUls1w9X8dtgFo3Cqe9xRaV8NE5PdtjiAbYJlh0POF0BHIUrG1aoi%2FyegZZE23WhaCz1j18nhZNlJtTWOK6hMSihda%2FTO40nMYOwz%2Bhj9SU80IxH2wrRw03uCZpkgwVs%2BJEJ99Oj%2FJvgW5jf%2FIdxgRQQQN%2BjF1wqqWIZWmyr4HE4seH6Cnclo5xHgbrAl42dKDSs%2ByJDvCINjl2KnLPcERQRkVNfE42LfBd9DmwTaV1AXdR7X%2F80wjjzxV6JK6ipjIyZOk5ztRYsW4U2eHeFzPwd8L83b1gOAT69Rp3%2FZCEcoWWnrmr0l%2ByDNYOx8yFVHVitj683xMbpeu12MSOlKWQ4rSp6f%2F3yOIdBs7HzMBDogIzGX3%2Fd33kqtYrRyuk9YKCNkyvrZNY8V922OO%2FlGYjI0Eun5sA6JTIBchHG%2BOVQYfUiQ6Ldl5WShd6UDzXdnJDA305%2FQD6lar3aHadRLPDFdX8Dtt0PPJ6NTpny6alEkYWfgz%2B0XgEyaV4Y8vjo%3D

Targets

    • Target

      1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea

    • Size

      54KB

    • MD5

      c81424677bcfcf9eeafa3504d87e5c63

    • SHA1

      9393744eaf2cd526e3007a0363d2291faba236b2

    • SHA256

      1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea

    • SHA512

      4ac18a81065b70e44052705753e7d5bf5585e05db8618d2758434e7e126dda8b39c010d0521d237c440fe3da766f107992517a542ac9b8b11ac1f98f7958a6fc

    Score
    10/10
    ransomwaresuricataryuk

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

      suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata

    • suricata: ET MALWARE WIN32/KOVTER.B Checkin

      suricata: ET MALWARE WIN32/KOVTER.B Checkin

      suricata

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks