teslacrypt | 4330bfda9eec337dd8acf0d859bf583a4d97af6a3ec091a7e7110d902dd73c06

General

Target

4330bfda9eec337dd8acf0d859bf583a4d97af6a3ec091a7e7110d902dd73c06
Size

421KB
Sample

220707-3pjfqaghcp
MD5

7aee5b9eda40e9acc892db4c3b7c4fb7
SHA1

ab4d13b7433856c602eba8f95b3ebbfa32baaa1f
SHA256

4330bfda9eec337dd8acf0d859bf583a4d97af6a3ec091a7e7110d902dd73c06
SHA512

bfc3a803fd116ec1dddc159084b12534b16617e5e086d9a9f6bf0e0b4b1b574f1daadf64abb341eabbfd5e0a9cc2f1a0d1feef9d6e6cf1ea928f6fe25795483d

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-790309383-526510583-3802439154-1000\_RECoVERY_+teejr.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7C3B4BEC7E2AB03B 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7C3B4BEC7E2AB03B 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7C3B4BEC7E2AB03B If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/7C3B4BEC7E2AB03B 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7C3B4BEC7E2AB03B http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7C3B4BEC7E2AB03B http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7C3B4BEC7E2AB03B *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/7C3B4BEC7E2AB03B

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7C3B4BEC7E2AB03B

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7C3B4BEC7E2AB03B

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7C3B4BEC7E2AB03B

http://xlowfznrg4wf7dli.ONION/7C3B4BEC7E2AB03B

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-790309383-526510583-3802439154-1000\_RECoVERY_+teejr.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial;  font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <center>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></center> What happened  to your files? All of your files were  protected by a strong encryption with RSA4096  More  information about the encryption RSA4096 can be found <a href=http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> http://en.wikipedia.org/wiki/RSA_(cryptosystem) </a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you  can restore them How did this happen?   Especially for you, on our SERVER was generated the secret key All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!! What do I do? Alas, if you  do not take  the necessary measures for the specified time then the conditions for obtaining the private key will be changed  If you really need  your data, then we suggest you  do not waste valuable  time searching for other  solutions becausen  they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your  personal home page, there are a few different addresses pointing to  your page below:<hr>  1 - <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7C3B4BEC7E2AB03B target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7C3B4BEC7E2AB03B</a>  2 - <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7C3B4BEC7E2AB03B target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7C3B4BEC7E2AB03B</a>  3 - <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7C3B4BEC7E2AB03B target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7C3B4BEC7E2AB03B</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the  addresses are not available,  follow these steps: <hr> 1 -  Download and  install tor-browser: <a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2 -  After a successful installation, run the browser and wait for initialization. 3 -  Type in the tor-browser address bar: xlowfznrg4wf7dli.onion/7C3B4BEC7E2AB03B 4 -  Follow the instructions  on the site.</div> !!! IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7C3B4BEC7E2AB03B target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7C3B4BEC7E2AB03B</a> <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7C3B4BEC7E2AB03B target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7C3B4BEC7E2AB03B</a> <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7C3B4BEC7E2AB03B target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7C3B4BEC7E2AB03B</a>  Your  Personal TOR-Browser page : xlowfznrg4wf7dli.onion/7C3B4BEC7E2AB03B  Your personal  ID  (if you open  the site directly):  7C3B4BEC7E2AB03B </div></div></center></body></html>

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1081944012-3634099177-1681222835-1000\_RECoVERY_+snqfg.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A0557EFA9A73C61 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A0557EFA9A73C61 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A0557EFA9A73C61 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/A0557EFA9A73C61 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A0557EFA9A73C61 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A0557EFA9A73C61 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A0557EFA9A73C61 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/A0557EFA9A73C61

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A0557EFA9A73C61

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A0557EFA9A73C61

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A0557EFA9A73C61

http://xlowfznrg4wf7dli.ONION/A0557EFA9A73C61

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1081944012-3634099177-1681222835-1000\_RECoVERY_+snqfg.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial;  font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <center>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></center> What happened  to your files? All of your files were  protected by a strong encryption with RSA4096  More  information about the encryption RSA4096 can be found <a href=http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> http://en.wikipedia.org/wiki/RSA_(cryptosystem) </a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you  can restore them How did this happen?   Especially for you, on our SERVER was generated the secret key All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!! What do I do? Alas, if you  do not take  the necessary measures for the specified time then the conditions for obtaining the private key will be changed  If you really need  your data, then we suggest you  do not waste valuable  time searching for other  solutions becausen  they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your  personal home page, there are a few different addresses pointing to  your page below:<hr>  1 - <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A0557EFA9A73C61 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A0557EFA9A73C61</a>  2 - <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A0557EFA9A73C61 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A0557EFA9A73C61</a>  3 - <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A0557EFA9A73C61 target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A0557EFA9A73C61</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the  addresses are not available,  follow these steps: <hr> 1 -  Download and  install tor-browser: <a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2 -  After a successful installation, run the browser and wait for initialization. 3 -  Type in the tor-browser address bar: xlowfznrg4wf7dli.onion/A0557EFA9A73C61 4 -  Follow the instructions  on the site.</div> !!! IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A0557EFA9A73C61 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A0557EFA9A73C61</a> <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A0557EFA9A73C61 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A0557EFA9A73C61</a> <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A0557EFA9A73C61 target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A0557EFA9A73C61</a>  Your  Personal TOR-Browser page : xlowfznrg4wf7dli.onion/A0557EFA9A73C61  Your personal  ID  (if you open  the site directly):  A0557EFA9A73C61 </div></div></center></body></html>

Targets

- Target
  
  4330bfda9eec337dd8acf0d859bf583a4d97af6a3ec091a7e7110d902dd73c06
- Size
  
  421KB
- MD5
  
  7aee5b9eda40e9acc892db4c3b7c4fb7
- SHA1
  
  ab4d13b7433856c602eba8f95b3ebbfa32baaa1f
- SHA256
  
  4330bfda9eec337dd8acf0d859bf583a4d97af6a3ec091a7e7110d902dd73c06
- SHA512
  
  bfc3a803fd116ec1dddc159084b12534b16617e5e086d9a9f6bf0e0b4b1b574f1daadf64abb341eabbfd5e0a9cc2f1a0d1feef9d6e6cf1ea928f6fe25795483d
Score

10^/10

teslacrypt persistence ransomware suricata
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
  ransomware teslacrypt
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  suricata
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2