General
- Target: VirusShare_0d8ff116ce8976fc820c996a6ee90c3a
- Size: 324KB
- Sample: 220407-yegrxsbfa9
- MD5: 0d8ff116ce8976fc820c996a6ee90c3a
- SHA1: f04aa63508e99c54095cba747f31fb28fbfd392e
- SHA256: 25c1c67de6ead9c4efd8372caccfbba80cc77667dd9b172e5535b1c7a7b81a5e
- SHA512: 2c2c7b2eac7ac70d0bba26821a52e72e443428c154368c0ca173ff9901bcfdab386d81a759478ca6e85211003eb5fe3bebef076533eed647ad4803054a38311a
Static task
- static1

Behavioral tasks (all run the sample VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe)
- behavioral1: Resource win7-20220331-en
- behavioral2: Resource win10-20220331-en
- behavioral3: Resource win10v2004-en-20220113
- behavioral4: Resource win11-20220223-en
- behavioral5: Resource macos
- behavioral6: Resource debian9-armhf-en-20211208
- behavioral7: Resource debian9-mipsbe-en-20211208
- behavioral8: Resource debian9-mipsel-en-20211208
- behavioral9: Resource ubuntu1804-amd64-en-20211208
Malware Config

Extracted from C:\$Recycle.Bin\S-1-5-21-3422572840-2899912402-917774768-1000\how_recover+kmq.txt
- http://gfhshhf.home7dfg4.com/E6F170CA0D69ACB
- http://td63hftt.buwve5ton2.com/E6F170CA0D69ACB
- https://tw7kaqthui5ojcez.onion.to/E6F170CA0D69ACB
- http://tw7kaqthui5ojcez.onion/E6F170CA0D69ACB

Extracted from C:\$Recycle.Bin\S-1-5-21-3422572840-2899912402-917774768-1000\how_recover+kmq.html
- https://tw7kaqthui5ojcez.onion.to/E6F170CA0D69ACB

Extracted from C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
- http://tw7kaqthui5ojcez.onion/E6F170CA0D69ACB
- http://gfhshhf.home7dfg4.com/E6F170CA0D69ACB
- http://td63hftt.buwve5ton2.com/E6F170CA0D69ACB
- https://tw7kaqthui5ojcez.onion.to/E6F170CA0D69ACB

Extracted from C:\$Recycle.Bin\S-1-5-21-3729659790-1998850411-3319863756-1000\how_recover+aqr.txt
- http://gfhshhf.home7dfg4.com/A1C3162A4A639533
- http://td63hftt.buwve5ton2.com/A1C3162A4A639533
- https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533
- http://tw7kaqthui5ojcez.onion/A1C3162A4A639533

Extracted from C:\$Recycle.Bin\S-1-5-21-3729659790-1998850411-3319863756-1000\how_recover+aqr.html
- https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533

Extracted from C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
- http://tw7kaqthui5ojcez.onion/A1C3162A4A639533
- http://gfhshhf.home7dfg4.com/A1C3162A4A639533
- http://td63hftt.buwve5ton2.com/A1C3162A4A639533
- https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533

Extracted from C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\how_recover+gfl.txt
- http://gfhshhf.home7dfg4.com/5BA5EC8132DBDCDA
- http://td63hftt.buwve5ton2.com/5BA5EC8132DBDCDA
- https://tw7kaqthui5ojcez.onion.to/5BA5EC8132DBDCDA
- http://tw7kaqthui5ojcez.onion/5BA5EC8132DBDCDA

Extracted from C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\how_recover+gfl.html
- https://tw7kaqthui5ojcez.onion.to/5BA5EC8132DBDCDA

Extracted from C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+gfl.html
- http://tw7kaqthui5ojcez.onion/5BA5EC8132DBDCDA
- http://gfhshhf.home7dfg4.com/5BA5EC8132DBDCDA
- http://td63hftt.buwve5ton2.com/5BA5EC8132DBDCDA
- https://tw7kaqthui5ojcez.onion.to/5BA5EC8132DBDCDA
Targets
- Target: VirusShare_0d8ff116ce8976fc820c996a6ee90c3a
- Size: 324KB
- MD5: 0d8ff116ce8976fc820c996a6ee90c3a
- SHA1: f04aa63508e99c54095cba747f31fb28fbfd392e
- SHA256: 25c1c67de6ead9c4efd8372caccfbba80cc77667dd9b172e5535b1c7a7b81a5e
- SHA512: 2c2c7b2eac7ac70d0bba26821a52e72e443428c154368c0ca173ff9901bcfdab386d81a759478ca6e85211003eb5fe3bebef076533eed647ad4803054a38311a
Score: 10/10

Signatures
- Modifies boot configuration data using bcdedit
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext