General
-
Target
3d35ae33c9ff6733c65eb3fb6b5be1a2c50572cf05249c55b9d7ca04d00c5b00
-
Size
344KB
-
Sample
220703-efm6jsgbb3
-
MD5
4c9d26671b002aed754533fde0a175d1
-
SHA1
9f6290c38ee05435fc61533a51c12df97634a7e7
-
SHA256
3d35ae33c9ff6733c65eb3fb6b5be1a2c50572cf05249c55b9d7ca04d00c5b00
-
SHA512
15ad4a1b2697683921bbeb7ffcacc74b9033535844d0df70d4c44dd2c9036d658f6376ef1bbed6b7f9ed94109a0fe30b390c7973793011c6c917b5d233bd153c
Static task
static1
Behavioral task
behavioral1
Sample
3d35ae33c9ff6733c65eb3fb6b5be1a2c50572cf05249c55b9d7ca04d00c5b00.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3d35ae33c9ff6733c65eb3fb6b5be1a2c50572cf05249c55b9d7ca04d00c5b00.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\Recovery+muiov.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F3545393A5148F13
http://tes543berda73i48fsdfsd.keratadze.at/F3545393A5148F13
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F3545393A5148F13
http://xlowfznrg4wf7dli.ONION/F3545393A5148F13
Extracted
C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\Recovery+ltroe.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/D195ACAD8A9167
http://tes543berda73i48fsdfsd.keratadze.at/D195ACAD8A9167
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D195ACAD8A9167
http://xlowfznrg4wf7dli.ONION/D195ACAD8A9167
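The two "Extracted" blocks above are the sandbox's parse of the ransom notes the sample drops: three clearnet gateway domains plus one .onion address, each followed by the same per-victim identifier, with a different identifier on each of the two VMs. The following is an added example of how an analyst could pull that configuration out of a recovered Recovery+*.txt note themselves; it is not code from the original report or from the sandbox. The note text is constructed here around the URLs listed above, the Recovery+[a-z]{5}.txt filename pattern is inferred from the two note names on this page, and the "at least 12 hex characters" threshold for a victim identifier is an assumption based on the two identifiers shown (16 and 14 characters).

```python
import ntpath
import re

# Constructed ransom-note text (not recovered from the sample): the four
# payment URLs the report extracted from Recovery+muiov.txt, embedded in
# filler lines of the kind a TeslaCrypt note carries, including an unrelated
# clearnet URL that must NOT be reported as a payment gateway.
SAMPLE_NOTE = """NOT YOUR LANGUAGE? USE https://translate.google.com
For instructions, visit your personal page at one of these addresses:
1 - http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F3545393A5148F13
2 - http://tes543berda73i48fsdfsd.keratadze.at/F3545393A5148F13
3 - http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F3545393A5148F13
If those addresses are unavailable:
1 - Download the Tor browser: http://www.torproject.org/projects/torbrowser.html.en
2 - Type in the address bar: xlowfznrg4wf7dli.ONION/F3545393A5148F13
"""

# Note filename as seen on this page: "Recovery+" plus five letters plus ".txt".
# The five-letter length is inferred from Recovery+muiov.txt / Recovery+ltroe.txt.
NOTE_NAME_RE = re.compile(r"^Recovery\+[a-z]{5}\.txt$", re.IGNORECASE)

# host/<victim-id>, with or without a scheme (the .onion line has none).
# The victim id is assumed to be a hex string of at least 12 characters.
URL_RE = re.compile(
    r"(?:https?://)?([A-Za-z0-9][A-Za-z0-9.-]*\.(?:onion|[a-z]{2,}))/([0-9A-Fa-f]{12,})\b",
    re.IGNORECASE,
)


def is_recovery_note(path: str) -> bool:
    """True if a Windows path's final component matches the ransom-note name pattern."""
    return NOTE_NAME_RE.match(ntpath.basename(path)) is not None


def extract_config(note_text: str) -> dict:
    """Return the victim id, clearnet gateway hosts and .onion hosts from a note.

    Raises ValueError if the URLs in the note disagree on the victim id, which
    would mean the text mixes notes from different infections.
    """
    hits = URL_RE.findall(note_text)
    if not hits:
        raise ValueError("no payment URLs found")
    ids = {vid.upper() for _, vid in hits}
    if len(ids) != 1:
        raise ValueError(f"expected one victim id, found {sorted(ids)}")
    hosts = [host.lower() for host, _ in hits]
    return {
        "victim_id": ids.pop(),
        "gateways": [h for h in hosts if not h.endswith(".onion")],
        "onion": [h for h in hosts if h.endswith(".onion")],
    }


def payment_urls(config: dict) -> list:
    """Normalise the extracted config back into the URL form the report lists."""
    vid = config["victim_id"]
    return [f"http://{h}/{vid}" for h in config["gateways"] + config["onion"]]


if __name__ == "__main__":
    cfg = extract_config(SAMPLE_NOTE)
    print("victim id:", cfg["victim_id"])
    for url in payment_urls(cfg):
        print("  ", url)
```

Run against the second VM's note the same code yields the D195ACAD8A9167 identifier, so the identifier, not the domains, is the per-victim part; the three gateway domains and the .onion host are the stable indicators worth blocking or hunting for in proxy logs.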
Targets
-
-
Target
3d35ae33c9ff6733c65eb3fb6b5be1a2c50572cf05249c55b9d7ca04d00c5b00
-
Size
344KB
-
MD5
4c9d26671b002aed754533fde0a175d1
-
SHA1
9f6290c38ee05435fc61533a51c12df97634a7e7
-
SHA256
3d35ae33c9ff6733c65eb3fb6b5be1a2c50572cf05249c55b9d7ca04d00c5b00
-
SHA512
15ad4a1b2697683921bbeb7ffcacc74b9033535844d0df70d4c44dd2c9036d658f6376ef1bbed6b7f9ed94109a0fe30b390c7973793011c6c917b5d233bd153c
Score 10/10
TeslaCrypt, AlphaCrypt
Ransomware family modelled on CryptoLocker. Shut down by its developers in 2016, who released the master decryption key.
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Deletes itself
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-