demonware

General

Target

08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
Size

9.9MB
Sample

220305-1vh12ahdb5
MD5

9bb3e77f3a2b7329ca41979a783996ae
SHA1

fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
SHA256

08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
SHA512

d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note

hey Down! Seems like you got hit by CoderWare ransomware! warning: take a screenshot of this place. If you lose the information here, you'll never get to us. and it would be impossible to get your dosys Don't Panic, you get have your files back! CoderWare uses a basic encryption script to lock your files.This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry.You have 10 hours to find your key When you pay >>> 1000$ <<< to the Bitcoin address below, you will need to send a single as proof to our e-mail address, and if the receipt is correct, your code to decrypt our files to your e-mail address. It will be sent back to you via e-mail. But you have to be quick for that. Because you have 10 hours. If you do not pay within 10 hours, your files will be permanently deleted. And it would be out of reach again. If you don't know how to get bitcoin. https://buy.moonpay.io can quickly get your credit or debit card online from the website. Please type the bitcoin address shown on the screen in the wallet field on the website. If you try to shut it down by force, you'll lose your dosys. because if you lose your bitcoin address, you won't be able to pay. and you'll never get your files back. email: [email protected] bitcion Adress : 336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K telegram : @Codersan whatsap: +63 997 401 3126

Emails

[email protected]

Wallets

336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K

Targets

- Target
  
  08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
- Size
  
  9.9MB
- MD5
  
  9bb3e77f3a2b7329ca41979a783996ae
- SHA1
  
  fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
- SHA256
  
  08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
- SHA512
  
  d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1
Score

10^/10

demonware ransomware spyware stealer
- DemonWare
  Ransomware first seen in mid-2020.
  ransomware demonware
- Drops file in Drivers directory
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Drops file in Drivers directory

Modifies extensions of user files

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2