demonware

General

Target

eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936
Size

10.4MB
Sample

220305-w58l8aaehj
MD5

42469bbd43954d8ed09b27899b25ffb0
SHA1

55fee15384316826fa1e5f8317ceda1adf1695d5
SHA256

eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936
SHA512

e4f1b7cb3c27bb99ab1e53c4466a1be9ce3a506af060416e08c917c33a5a75803a7329b2e085b8db5039567237c427ba006d3c8d80e795e5805e749504aa008c

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note

hey Down! Seems like you got hit by CoderWare ransomware! warning: take a screenshot of this place. If you lose the information here, you'll never get to us. and it would be impossible to get your dosys Don't Panic, you get have your files back! CoderWare uses a basic encryption script to lock your files.This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry.You have 10 hours to find your key When you pay >>> 1000$ <<< to the Bitcoin address below, you will need to send a single as proof to our e-mail address, and if the receipt is correct, your code to decrypt our files to your e-mail address. It will be sent back to you via e-mail. But you have to be quick for that. Because you have 10 hours. If you do not pay within 10 hours, your files will be permanently deleted. And it would be out of reach again. If you don't know how to get bitcoin. https://buy.moonpay.io can quickly get your credit or debit card online from the website. Please type the bitcoin address shown on the screen in the wallet field on the website. If you try to shut it down by force, you'll lose your dosys. because if you lose your bitcoin address, you won't be able to pay. and you'll never get your files back. email: [email protected] bitcion Adress : 336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K telegram : @Codersan whatsap: +63 997 401 3126

Emails

[email protected]

Wallets

336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K

Targets

- Target
  
  eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936
- Size
  
  10.4MB
- MD5
  
  42469bbd43954d8ed09b27899b25ffb0
- SHA1
  
  55fee15384316826fa1e5f8317ceda1adf1695d5
- SHA256
  
  eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936
- SHA512
  
  e4f1b7cb3c27bb99ab1e53c4466a1be9ce3a506af060416e08c917c33a5a75803a7329b2e085b8db5039567237c427ba006d3c8d80e795e5805e749504aa008c
Score

10^/10

demonware ransomware spyware stealer
- DemonWare
  Ransomware first seen in mid-2020.
  ransomware demonware
- Drops file in Drivers directory
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Drops file in Drivers directory

Modifies extensions of user files

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2