3c6617a14ce2c81ee1148f9fc23b6e365c7028bdc72f477cbaec2ae97536a544

General

Target

3c6617a14ce2c81ee1148f9fc23b6e365c7028bdc72f477cbaec2ae97536a544
Size

211KB
Sample

220703-jfelmaafcl
MD5

391d5c1032d21993431cd763cf1f0275
SHA1

42346f6255aba3a01ffeeaaf5701730a7346a351
SHA256

3c6617a14ce2c81ee1148f9fc23b6e365c7028bdc72f477cbaec2ae97536a544
SHA512

b2c9ac996ef2e6191dc63b31677934cb4b77120196c9b29514df2c28b326bc725e22369896b3f915d4bfca88b066effc73c898e0fe9c8385655efcbb98363030

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_ReCoVeRy_+yjmnp.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled , or start obtaining BITCOIN NOW !!!!! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files , except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below * http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/87A88698E6734CB * http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/87A88698E6734CB * http://rbg4hfbilrf7to452p89hrfq.boonmower.com/87A88698E6734CB If for some reasons the addresses are not available, follow these steps * Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en * After a successful installation, run the browser * Type in the address bar: xlowfznrg4wf7dli.onion/87A88698E6734CB * Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/87A88698E6734CB http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/87A88698E6734CB http://rbg4hfbilrf7to452p89hrfq.boonmower.com/87A88698E6734CB

URLs

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/87A88698E6734CB

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/87A88698E6734CB

http://rbg4hfbilrf7to452p89hrfq.boonmower.com/87A88698E6734CB

http://xlowfznrg4wf7dli.onion/87A88698E6734CB

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_ReCoVeRy_+yjmnp.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial;  font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <center>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></center> What happened  to your files? All of your files were  protected by a strong encryption with RSA4096  More  information about the encryption RSA4096 can be found <a href= http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> https://en.wikipedia.org/wiki/RSA_(cryptosystem) </a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you  can restore them How did this happen?   Especially for you, on our SERVER was generated the secret key All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!! What do I do? Alas, if you  do not take  the necessary measures for the specified time then the conditions for obtaining the private key will be changed  If you really need  your data, then we suggest you  do not waste valuable  time searching for other  solutions becausen  they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your  personal home page, there are a few different addresses pointing to  your page below:<hr>  1 - <a href=http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/87A88698E6734CB target="_blank">http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/87A88698E6734CB</a>  2 - <a href=http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/87A88698E6734CB target="_blank">http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/87A88698E6734CB</a>  3 - <a href=http://rbg4hfbilrf7to452p89hrfq.boonmower.com/87A88698E6734CB target="_blank">http://rbg4hfbilrf7to452p89hrfq.boonmower.com/87A88698E6734CB</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the  addresses are not available,  follow these steps: <hr> 1 -  Download and  install tor-browser: <a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2 -  After a successful installation, run the browser and wait for initialization. 3 -  Type in the tor-browser address bar: xlowfznrg4wf7dli.onion/87A88698E6734CB 4 -  Follow the instructions  on the site.</div> !!! IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href=http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/87A88698E6734CB target="_blank">http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/87A88698E6734CB</a> <a href=http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/87A88698E6734CB target="_blank">http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/87A88698E6734CB</a> <a href=http://rbg4hfbilrf7to452p89hrfq.boonmower.com/87A88698E6734CB target="_blank">http://rbg4hfbilrf7to452p89hrfq.boonmower.com/87A88698E6734CB</a>  Your  Personal TOR-Browser page : xlowfznrg4wf7dli.onion/87A88698E6734CB  Your personal  ID  (if you open  the site directly):  87A88698E6734CB </div></div></center></body></html>

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\_ReCoVeRy_+oivwe.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled , or start obtaining BITCOIN NOW !!!!! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files , except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below * http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/3B2DEC74196AB99 * http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/3B2DEC74196AB99 * http://rbg4hfbilrf7to452p89hrfq.boonmower.com/3B2DEC74196AB99 If for some reasons the addresses are not available, follow these steps * Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en * After a successful installation, run the browser * Type in the address bar: xlowfznrg4wf7dli.onion/3B2DEC74196AB99 * Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/3B2DEC74196AB99 http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/3B2DEC74196AB99 http://rbg4hfbilrf7to452p89hrfq.boonmower.com/3B2DEC74196AB99

URLs

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/3B2DEC74196AB99

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/3B2DEC74196AB99

http://rbg4hfbilrf7to452p89hrfq.boonmower.com/3B2DEC74196AB99

http://xlowfznrg4wf7dli.onion/3B2DEC74196AB99

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\_ReCoVeRy_+oivwe.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial;  font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <center>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></center> What happened  to your files? All of your files were  protected by a strong encryption with RSA4096  More  information about the encryption RSA4096 can be found <a href= http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> https://en.wikipedia.org/wiki/RSA_(cryptosystem) </a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you  can restore them How did this happen?   Especially for you, on our SERVER was generated the secret key All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!! What do I do? Alas, if you  do not take  the necessary measures for the specified time then the conditions for obtaining the private key will be changed  If you really need  your data, then we suggest you  do not waste valuable  time searching for other  solutions becausen  they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your  personal home page, there are a few different addresses pointing to  your page below:<hr>  1 - <a href=http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/3B2DEC74196AB99 target="_blank">http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/3B2DEC74196AB99</a>  2 - <a href=http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/3B2DEC74196AB99 target="_blank">http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/3B2DEC74196AB99</a>  3 - <a href=http://rbg4hfbilrf7to452p89hrfq.boonmower.com/3B2DEC74196AB99 target="_blank">http://rbg4hfbilrf7to452p89hrfq.boonmower.com/3B2DEC74196AB99</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the  addresses are not available,  follow these steps: <hr> 1 -  Download and  install tor-browser: <a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2 -  After a successful installation, run the browser and wait for initialization. 3 -  Type in the tor-browser address bar: xlowfznrg4wf7dli.onion/3B2DEC74196AB99 4 -  Follow the instructions  on the site.</div> !!! IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href=http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/3B2DEC74196AB99 target="_blank">http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/3B2DEC74196AB99</a> <a href=http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/3B2DEC74196AB99 target="_blank">http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/3B2DEC74196AB99</a> <a href=http://rbg4hfbilrf7to452p89hrfq.boonmower.com/3B2DEC74196AB99 target="_blank">http://rbg4hfbilrf7to452p89hrfq.boonmower.com/3B2DEC74196AB99</a>  Your  Personal TOR-Browser page : xlowfznrg4wf7dli.onion/3B2DEC74196AB99  Your personal  ID  (if you open  the site directly):  3B2DEC74196AB99 </div></div></center></body></html>

Targets

- Target
  
  3c6617a14ce2c81ee1148f9fc23b6e365c7028bdc72f477cbaec2ae97536a544
- Size
  
  211KB
- MD5
  
  391d5c1032d21993431cd763cf1f0275
- SHA1
  
  42346f6255aba3a01ffeeaaf5701730a7346a351
- SHA256
  
  3c6617a14ce2c81ee1148f9fc23b6e365c7028bdc72f477cbaec2ae97536a544
- SHA512
  
  b2c9ac996ef2e6191dc63b31677934cb4b77120196c9b29514df2c28b326bc725e22369896b3f915d4bfca88b066effc73c898e0fe9c8385655efcbb98363030
Score

10^/10

persistence ransomware spyware stealer suricata upx
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  suricata
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  suricata
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2