buran

General

Target

60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1
Size

214KB
Sample

220306-fn9j7abgcr
MD5

7f5669e4d89b5a1636f05b52b7c0f9b7
SHA1

12d7b1fb828cea1b1abb568bcc9d0e29e78ecdb6
SHA256

60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1
SHA512

2010a75f1c8634480a42a2c995874459f4ab983fa90ae7fe7d12f0a6d53a34eb68622241f2a43c9218cb8290edb9ca6484991a7811d7e54ead7da5cb8ee3d220

Score

10^/10

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: F53-C6F-8B9 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 5FF-455-18A Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1
- Size
  
  214KB
- MD5
  
  7f5669e4d89b5a1636f05b52b7c0f9b7
- SHA1
  
  12d7b1fb828cea1b1abb568bcc9d0e29e78ecdb6
- SHA256
  
  60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1
- SHA512
  
  2010a75f1c8634480a42a2c995874459f4ab983fa90ae7fe7d12f0a6d53a34eb68622241f2a43c9218cb8290edb9ca6484991a7811d7e54ead7da5cb8ee3d220
Score

10^/10

buran persistence ransomware
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2