teslacrypt | 1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b

General

Target

1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b
Size

370KB
Sample

220607-rgd1gsffd5
MD5

57b33c329990ba3f266fb59ef6468568
SHA1

fc73e1a2aa3124e2924f62d09db42e10614d928a
SHA256

1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b
SHA512

ad8f3c76e9199a0d3b408426acc9163ce278ab11d951d3de7dd69b4ea54fd21a9ec37f65c16e70bfd440420a7e74f8ee55d9a30d6fa847d5af1dfccd82186f3b

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_RECoVERY_+aecnt.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/E507C241A439684 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E507C241A439684 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E507C241A439684 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/E507C241A439684 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/E507C241A439684 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E507C241A439684 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E507C241A439684 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E507C241A439684

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/E507C241A439684

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E507C241A439684

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E507C241A439684

http://xlowfznrg4wf7dli.ONION/E507C241A439684

Targets

- Target
  
  1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b
- Size
  
  370KB
- MD5
  
  57b33c329990ba3f266fb59ef6468568
- SHA1
  
  fc73e1a2aa3124e2924f62d09db42e10614d928a
- SHA256
  
  1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b
- SHA512
  
  ad8f3c76e9199a0d3b408426acc9163ce278ab11d951d3de7dd69b4ea54fd21a9ec37f65c16e70bfd440420a7e74f8ee55d9a30d6fa847d5af1dfccd82186f3b
Score

10^/10

teslacrypt persistence ransomware spyware stealer suricata
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
  ransomware teslacrypt
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  suricata
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2