ouroboros | 398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7 | Triage

Submit
Reports

Overview

overview

Static

static

398f2d4704...a7.exe

windows7_x64

398f2d4704...a7.exe

windows10-2004_x64

Sharing

General

Target

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7
Size

1.3MB
Sample

220305-x5mkesagcp
MD5

056a68f7c923ced5e13df36cd7ffba93
SHA1

a386d3650975bafd35aee69cd59b895780b0b70b
SHA256

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7
SHA512

b218331bbdfc793a490a0b82d38300d1aeb829b355ec91c8a7a80f78772052d6a0dcd7a8bd65d9e85f28b4b010deb0537c9c6cc526381f9f8649fbdae8bb514b

Score

10^/10

ouroboros evasion ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Resource

win7-20220223-en

ouroboros evasion ransomware spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Resource

win10v2004-en-20220112

ouroboros evasion ransomware spyware stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7
- Size
  
  1.3MB
- MD5
  
  056a68f7c923ced5e13df36cd7ffba93
- SHA1
  
  a386d3650975bafd35aee69cd59b895780b0b70b
- SHA256
  
  398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7
- SHA512
  
  b218331bbdfc793a490a0b82d38300d1aeb829b355ec91c8a7a80f78772052d6a0dcd7a8bd65d9e85f28b4b010deb0537c9c6cc526381f9f8649fbdae8bb514b
Score

10^/10

ouroboros evasion ransomware spyware stealer
- Ouroboros/Zeropadypt
  Ransomware family based on open-source CryptoWire.
  ransomware ouroboros
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Credentials in Files

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

ouroborosevasionransomwarespywarestealer

behavioral2

ouroborosevasionransomwarespywarestealer

© 2018-2024

Terms | Privacy