General

  • Target

    rip.rar

  • Size

    5.6MB

  • Sample

    220323-ztp8aafcbn

  • MD5

    72db0a49acb0d9475fc6cfc21fe9e229

  • SHA1

    de54b95eb842ad804b425d8dc74914c5a20ac88f

  • SHA256

    d638abd2e0c80c8ace2de8dc015b3a208916e6c4bd6a081a6fc2c09f8a77bc15

  • SHA512

    0a9e429f422160de4eb26a2c8d096d8ec88faa011a1c710871362638a688450fca3c0b10d0bfd12b5c2f535c13384fd5e57b24d8d1ff55eadbae737ed0420289

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Bot

C2

DanilWhiteNjrat-57320.portmap.host:57320

Mutex

802f813d3810aa536753efbd3390b541

Attributes
  • reg_key

    802f813d3810aa536753efbd3390b541

  • splitter

    |'|'|

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Family

xloader

Version

2.5

Campaign

dpzz

Decoy

Extracted

Family

pony

C2

http://londonpaerl.co.uk/yesup/gate.php

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    files.000webhost.com
  • Port:
    21
  • Username:
    fcb-aws-host-4

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note
Attention!
----------------------------
| What happened?
----------------------------
We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms.
You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps.
We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released.
If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
To see what happens to those who don't contact us, google:
* Southwire Maze Ransomware
* MDLab Maze Ransomware
* City of Pensacola Maze Ransomware
After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files.
----------------------------
| How to contact us and get my files back?
----------------------------
The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers.
To contact us and purchase the key you have to visit our website in a hidden TOR network.
There are general 2 ways to reach us:
1) [Recommended] Using hidden TOR network.
a) Download a special TOR browser: https://www.torproject.org/
b) Install the TOR Browser.
c) Open the TOR Browser.
d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6bf10cbe616f8269
e) Follow the instructions on this page.
2) If you have any problems connecting or using TOR network
a) Open our website: https://mazedecrypt.top/6bf10cbe616f8269
b) Follow the instructions on this page.
Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use.
On this page, you will see instructions on how to make a free decryption test and how to pay.
Also it has a live chat with our operators and support team.
----------------------------
| What about guarantees?
----------------------------
We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network.
If you have any problems our friendly support team is always here to assist you in a live chat!
P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued.
-------------------------------------------------------------------------------
THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU
---BEGIN MAZE KEY---
---END MAZE KEY---
URLs

http://aoacugmutagkwctu.onion/6bf10cbe616f8269

https://mazedecrypt.top/6bf10cbe616f8269

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note
Attention!
----------------------------
| What happened?
----------------------------
We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms.
You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps.
We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released.
If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
To see what happens to those who don't contact us, google:
* Southwire Maze Ransomware
* MDLab Maze Ransomware
* City of Pensacola Maze Ransomware
After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files.
----------------------------
| How to contact us and get my files back?
----------------------------
The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers.
To contact us and purchase the key you have to visit our website in a hidden TOR network.
There are general 2 ways to reach us:
1) [Recommended] Using hidden TOR network.
a) Download a special TOR browser: https://www.torproject.org/
b) Install the TOR Browser.
c) Open the TOR Browser.
d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6d2f0cd52fc97737
e) Follow the instructions on this page.
2) If you have any problems connecting or using TOR network
a) Open our website: https://mazedecrypt.top/6d2f0cd52fc97737
b) Follow the instructions on this page.
Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use.
On this page, you will see instructions on how to make a free decryption test and how to pay.
Also it has a live chat with our operators and support team.
----------------------------
| What about guarantees?
----------------------------
We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network.
If you have any problems our friendly support team is always here to assist you in a live chat!
P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued.
-------------------------------------------------------------------------------
THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU
---BEGIN MAZE KEY---
---END MAZE KEY---
URLs

http://aoacugmutagkwctu.onion/6d2f0cd52fc97737

https://mazedecrypt.top/6d2f0cd52fc97737

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.168.5.128/powercat.ps1

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note
Attention!
----------------------------
| What happened?
----------------------------
We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms.
You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps.
We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released.
If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
To see what happens to those who don't contact us, google:
* Southwire Maze Ransomware
* MDLab Maze Ransomware
* City of Pensacola Maze Ransomware
After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files.
----------------------------
| How to contact us and get my files back?
----------------------------
The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers.
To contact us and purchase the key you have to visit our website in a hidden TOR network.
There are general 2 ways to reach us:
1) [Recommended] Using hidden TOR network.
a) Download a special TOR browser: https://www.torproject.org/
b) Install the TOR Browser.
c) Open the TOR Browser.
d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6c2b0cc8f1b719ac
e) Follow the instructions on this page.
2) If you have any problems connecting or using TOR network
a) Open our website: https://mazedecrypt.top/6c2b0cc8f1b719ac
b) Follow the instructions on this page.
Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use.
On this page, you will see instructions on how to make a free decryption test and how to pay.
Also it has a live chat with our operators and support team.
----------------------------
| What about guarantees?
----------------------------
We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network.
If you have any problems our friendly support team is always here to assist you in a live chat!
P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued.
-------------------------------------------------------------------------------
THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU
---BEGIN MAZE KEY---
---END MAZE KEY---
URLs

http://aoacugmutagkwctu.onion/6c2b0cc8f1b719ac

https://mazedecrypt.top/6c2b0cc8f1b719ac

Targets

    • Target

      1.exe

    • Size

      89KB

    • MD5

      69a5fc20b7864e6cf84d0383779877a5

    • SHA1

      6c31649e2dc18a9432b19e52ce7bf2014959be88

    • SHA256

      4fe08cc381f8f4ea6e3d8e34fddf094193ccbbcc1cae7217f0233893b9c566a2

    • SHA512

      f19f3221a26bdab7ddcf18196ef6e6012968c675065c4e56f54faaace18321c07771fdbdacabd365159ccc5bf01e40693146709217e13dcd282609242e61a4bc

    Score
    6/10
    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      10.exe

    • Size

      3.4MB

    • MD5

      84c82835a5d21bbcf75a61706d8ab549

    • SHA1

      5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

    • SHA256

      ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

    • SHA512

      90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Target

      2.doc

    • Size

      803KB

    • MD5

      7f6c623196d7e76c205b4fb898ad9be6

    • SHA1

      408bb5b4e8ac34ce3b70ba54e00e9858ced885c0

    • SHA256

      3a5648f7de99c4f87331c36983fc8adcd667743569a19c8dafdd5e8a33de154d

    • SHA512

      8a57b3c14fe3f6c7ea014f867924176d3b9c07ad6195b0e5fa877e16b55b1c23e4abfdf24b7e7a0dffafe8991d4878d98dad1419be03f27f64f0c95720542dee

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      3.xlsx

    • Size

      186KB

    • MD5

      c9cd3acc2e298487bd4a370d254047b3

    • SHA1

      74bf2f7cad70d3b90400e7697ec7806ab4b88157

    • SHA256

      ca4efa47b5d61942aa639e18b498c796a4c0f4bf31ef8019515b4af51406b342

    • SHA512

      dc58d4f54395b6fab38607cd061e655db5922222a7f14353c7506cbded429e4d4fe3c5c7b95677acda97562a3e781109d11125991343838b75353bcfdd39f4b5

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      4.exe

    • Size

      120KB

    • MD5

      860aa57fc3578f7037bb27fc79b2a62c

    • SHA1

      a14008fe5e1eb88bf46266de3d5ee5db2e0a722b

    • SHA256

      5430565c4534b482c7216a0ae75d04e201ee0db0386682c0c010243083c28d29

    • SHA512

      6639b3e2594e554c7fa811f22e1c514474d34220155b4c989ad8716db1a0aea65894aa23d78c12a4618c57312da00353a77dd8e6c6bdd927bf865f2e98aff8f1

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      5.exe

    • Size

      37KB

    • MD5

      e817d74d13c658890ff3a4c01ab44c62

    • SHA1

      bf0b97392e7d56eee0b63dc65efff4db883cb0c7

    • SHA256

      2945881f15e98a18d27108a29963988190853838f34faf3020e6c3c97342672d

    • SHA512

      8d90ef308c1e0b7e01e7732e2cd819f07bfc1ef06e523efa81694ced75550c9f1be460fc9de412faeb96273a6492580402ab9c9538ed441fc26d96b6785e7815

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      6.exe

    • Size

      564KB

    • MD5

      748a4bea8c0624a4c7a69f67263e0839

    • SHA1

      6955b7d516df38992ac6bff9d0b0f5df150df859

    • SHA256

      220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e

    • SHA512

      5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • suricata: ET MALWARE DCRAT Activity (GET)

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Target

      7.exe

    • Size

      892KB

    • MD5

      ed666bf7f4a0766fcec0e9c8074b089b

    • SHA1

      1b90f1a4cb6059d573fff115b3598604825d76e6

    • SHA256

      d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264

    • SHA512

      d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      8.exe

    • Size

      898KB

    • MD5

      61b32a82577a7ea823ff7303ab6b4283

    • SHA1

      9107c719795fa5768498abb4fed11d907e44d55e

    • SHA256

      4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167

    • SHA512

      86ac9d3d0804f5dd3ebe08ab59058363bceeaa3f42d2d482f97ce688837b3b81693fde2b973250b93ee3223318b0f8e4f2faf6b0f91017807feacabce979d700

    • Maze

      Ransomware family also known as ChaCha.

    • suricata: ET MALWARE Maze/ID Ransomware Activity

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Sets desktop wallpaper using registry

    • Target

      9.docm

    • Size

      134KB

    • MD5

      0c7350573157a1f63ac41cc191d8c08c

    • SHA1

      b2b2076177c5355cacbeac5a837d72d6ec8a62ac

    • SHA256

      794da863af633a0ca17c9c607a44a6c1c768c458f564bf5899a6d251822c4ec5

    • SHA512

      6b947b66aedfa6ff9646cec4137e1d7b24c88153b77e28146bead6899081f0e4bf0db1e0e0cb74aa578a29de7499e27b2cd43aa4292689ac37730b6bdf0c5414

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      rip.bat

    • Size

      240B

    • MD5

      2a3a737798bd52b365170827479b0e74

    • SHA1

      8e467ecbb934580aa1145c1620ece909e5824d4e

    • SHA256

      6bb4c441789fa52cb51b98b8a82c744115b01958bbf872428d78ef7dfb283f67

    • SHA512

      8f7fd488ba52ee1a1cf20222d765911bd1b2b8c91b56f9e1d3fa122e9d1dcead03f77118c8848a044ee0de0a18b49de7d231c0ce2703810a2ad7bc67c4d74725

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Maze

      Ransomware family also known as ChaCha.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • suricata: ET MALWARE DCRAT Activity (GET)

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Maze/ID Ransomware Activity

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks

static1

macro, macro_on_action, bot, njrat
Score
10/10

behavioral1

Score
6/10

behavioral2

persistence
Score
6/10

behavioral3

wannacry, discovery, persistence, ransomware, spyware, stealer, worm
Score
10/10

behavioral4

wannacry, discovery, persistence, ransomware, spyware, stealer, worm
Score
10/10

behavioral5

Score
10/10

behavioral6

Score
1/10

behavioral7

xloader, dpzz, loader, rat, suricata
Score
10/10

behavioral8

Score
1/10

behavioral9

pony, collection, discovery, rat, spyware, stealer, upx
Score
10/10

behavioral10

Score
1/10

behavioral11

njrat, bot, evasion, persistence, trojan
Score
10/10

behavioral12

Score
1/10

behavioral13

evasion, persistence, suricata, trojan
Score
10/10

behavioral14

dcrat, evasion, infostealer, persistence, rat, suricata, trojan
Score
10/10

behavioral15

hawkeye, collection, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral16

Score
1/10

behavioral17

maze, ransomware, spyware, stealer, suricata, trojan
Score
10/10

behavioral18

maze, ransomware, spyware, stealer, suricata, trojan
Score
10/10

behavioral19

Score
10/10

behavioral20

Score
10/10

behavioral21

wannacry, discovery, ransomware, suricata, worm
Score
10/10

behavioral22

dcrat, maze, wannacry, discovery, evasion, infostealer, persistence, ransomware, rat, suricata, trojan, worm
Score
10/10