Overview
Static: 10/10
trojan/1.exe (windows7_x64): 8/10
trojan/1.exe (windows10-2004_x64): 10/10
trojan/10.exe (windows7_x64): 10/10
trojan/10.exe (windows10-2004_x64): 10/10
trojan/2.exe (windows7_x64): 8/10
trojan/2.exe (windows10-2004_x64): 3/10
trojan/3.exe (windows7_x64): 5/10
trojan/3.exe (windows10-2004_x64): 10/10
trojan/4.exe (windows7_x64): 10/10
trojan/4.exe (windows10-2004_x64): 8/10
trojan/5.exe (windows7_x64): 8/10
trojan/5.exe (windows10-2004_x64): 8/10
trojan/6.exe (windows7_x64): 8/10
trojan/6.exe (windows10-2004_x64): 10/10
trojan/7.exe (windows7_x64): 10/10
trojan/7.exe (windows10-2004_x64): 10/10
trojan/8.exe (windows7_x64): 10/10
trojan/8.exe (windows10-2004_x64)
trojan/9.exe (windows7_x64): 10/10
trojan/9.exe (windows10-2004_x64): 8/10
General
Target: abac9b724c6d13aa90b5484b7c424c1505f9f7d58504954bb3ed9b718a448991
Size: 3.8MB
Sample: 220707-ldjtnsche7
MD5: dd62a5e768399cccdb02b5b6364ec44c
SHA1: 3c287b8a161bf3a90bfc7eb6baa29dbf54d4bb84
SHA256: abac9b724c6d13aa90b5484b7c424c1505f9f7d58504954bb3ed9b718a448991
SHA512: 30b9b1eb4f52a30300c09fb0d14ce5c9f1ab3a0023144c660f93ffab2dc4e37de50abb2bc3c23a0b521d8645f07c3628f9a4c2a71d612a7cce5db3d4d38a2067
Static task
static1
Behavioral tasks
behavioral1: trojan/1.exe (resource win7-20220414-en)
behavioral2: trojan/1.exe (resource win10v2004-20220414-en)
behavioral3: trojan/10.exe (resource win7-20220414-en)
behavioral4: trojan/10.exe (resource win10v2004-20220414-en)
behavioral5: trojan/2.exe (resource win7-20220414-en)
behavioral6: trojan/2.exe (resource win10v2004-20220414-en)
behavioral7: trojan/3.exe (resource win7-20220414-en)
behavioral8: trojan/3.exe (resource win10v2004-20220414-en)
behavioral9: trojan/4.exe (resource win7-20220414-en)
behavioral10: trojan/4.exe (resource win10v2004-20220414-en)
behavioral11: trojan/5.exe (resource win7-20220414-en)
behavioral12: trojan/5.exe (resource win10v2004-20220414-en)
behavioral13: trojan/6.exe (resource win7-20220414-en)
behavioral14: trojan/6.exe (resource win10v2004-20220414-en)
behavioral15: trojan/7.exe (resource win7-20220414-en)
behavioral16: trojan/7.exe (resource win10v2004-20220414-en)
behavioral17: trojan/8.exe (resource win7-20220414-en)
behavioral18: trojan/8.exe (resource win10v2004-20220414-en)
behavioral19: trojan/9.exe (resource win7-20220414-en)
behavioral20: trojan/9.exe (resource win10v2004-20220414-en)
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
BruceBoyle@onionmail.org
SylvesterJones@onionmail.org
v-society.official@onionmail.org
http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion
Extracted
C:\$Recycle.Bin\README_6060147.txt
blackout
decrypted8@bigmir.net
mitoplent@safe-mail.net
http://t5vj34iny72dpdu4.onion
https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi
Extracted
C:\$Recycle.Bin\README_8713028.txt
blackout
decrypted8@bigmir.net
mitoplent@safe-mail.net
http://t5vj34iny72dpdu4.onion
https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi
Extracted
C:\HELP_DECRYPT_YOUR_FILES.TXT
enc0@dr.com
enc1@usa.com
Extracted
C:\HELP_DECRYPT_YOUR_FILES.HTML
enc0@dr.com
enc1@usa.com
Extracted
C:\Users\Admin\Desktop\README.txt
17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM
Targets

Target: trojan/1.exe
Size: 145KB
MD5: 6e67678fc82cc9c1215a7625b5c27513
SHA1: 1b27d0a1b3078fdf0b51439d86f8b093733bfac5
SHA256: b5fe0cbc7569e8adb249658ba9942cafd423c057849623d5e6e5ccf279b22782
SHA512: 550383b64d1f458ef32a66b008dfca3d1d83257e857c1c14b3988a231176b496dfd283863b2d1f43d00942960e5eac6244ded555cdb0a03191f5b6081d4ee8f0
Score: 10/10
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies firewall policy service
- Executes dropped EXE
- Modifies Windows Firewall
- Deletes itself
- Drops file in System32 directory

Target: trojan/10.exe
Size: 216KB
MD5: 78621f1e196497d440afb57f4609fcf9
SHA1: eed7c3bb3fc5181b88abeed2204997f350324022
SHA256: 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080
SHA512: 8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44
Score: 10/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: trojan/2.exe
Size: 778KB
MD5: d4d4f4fee724206e7a43e1de300b207d
SHA1: 7ffcdb6f8ed5e850b0e55d887f2af6c14b1c79d7
SHA256: 404be535500066a8e0e395aa75fd406709e7c3e49e61598450ede47cfe084f61
SHA512: 882a64d63885c2b786c6aa9501e1efc32ad13fdf32beb19cff02bf8134a1735be2b3285f32e60c8a529a6f0465cd5a46d072714e7639602142e4d578257862db
Score: 5/10
- Drops file in System32 directory

Target: trojan/3.exe
Size: 376KB
MD5: ee39fe5532bdf8daa98b723c901896f9
SHA1: 74b487e2817f4f18deaa13ba02e33f6dea688469
SHA256: 97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050
SHA512: badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255
Score: 10/10
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory

Target: trojan/4.exe
Size: 89KB
MD5: ff0378ea8f209c085c4ff00b67ef23fa
SHA1: 187fc7cc78740db57c1dc0bd9a2fa017c9160f1f
SHA256: 885b63ca1d23550c56d34a5a5195bba4cc21c59f7161d38781eb2cd85aee0bbb
SHA512: f819e0f1b01232de9ba773a308aba2791ad75033122b1866bff94357c05f55bacaae17c15f607218ffeba8ab77c23faef92061d076fe6cfbf4def251bfd2d184
Score: 8/10
- Adds Run key to start application
- Drops file in System32 directory

Target: trojan/5.exe
Size: 1.1MB
MD5: 1d13e667dbcf6a1ec0d0cacfbf1397ca
SHA1: 709eaeb8969ac6e3da0bb41348e0369245147d66
SHA256: bb7eed4a124277973d985fc52e066f66e075181c337fa61de918a6d1b498ac8e
SHA512: a02bbb787e27a1ab25ad8f6bc6c9f6934859027ac23c4427d6385ea75ac0f73ee76853418200055e97b2ad3b2c4be90f19e1fcfd77b4d9cd93491cce4f2b102d
Score: 8/10
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: trojan/6.exe
Size: 156KB
MD5: eba85b706259f4dc0aec06a6a024609a
SHA1: 94873e77bd5b7e5d6bd9e5af40eca26c2c56e0b7
SHA256: ae121f28c05037d09f85f8b7ef9930f2d62c8f0e6e6a8d7ff092932ddbb1ad23
SHA512: 1679216a9e3c4665bc79332847759829e3c280bfe9f3ab70d1c7289346a302ff543fa4f88bc3e449c5d8b9eb4b03e96dd50c1f13877f4d4287ab4c63a0b2542e
Score: 10/10
- Disables Task Manager via registry modification
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application
- Drops desktop.ini file(s)

Target: trojan/7.exe
Size: 127KB
MD5: a202914a34dc528aa137bd394518d9b0
SHA1: 4724934b61687cb1abe96bab137c7b1d4476f271
SHA256: f110528a354648070a7ef4cbc43046ca427adced8aad6c936bdc9e8932e01225
SHA512: c18ece9e156c2020cc34e3aa77e00efaeda2cca2d5a99b0c0e6cf170b723a009dbaa775b14a7673ba076aefbb7aba1a0fec12e3db7d580c5b43841cb1659a8d6
Score: 10/10
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: trojan/8.exe
Size: 235KB
MD5: 6ad37fb0ae1f564119c32ad238f5013e
SHA1: cd168d13400f213c11d2fb6f1517b998c21308be
SHA256: 058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e
SHA512: 977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2
Score: 10/10
- suricata: ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application

Target: trojan/9.exe
Size: 12.0MB
MD5: 84bb70a4861bffd2852ed7fe6e71ec9b
SHA1: e25e727215abcd5317236d8919f85a6e251f8367
SHA256: a44cc1193a4f20d0c1e94841b21b0bcfeec45a30dc68ba6eb68d0ea5aef6c942
SHA512: 42749e3034a2027cc658c03ec1ff7191d643bced89d887cfef5f84127d785fc3b948a1dade7db209fc5a5bb258de831d116e3ca46f8740540603937a1203e3f3
Score: 8/10
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.