General

  • Target

    abac9b724c6d13aa90b5484b7c424c1505f9f7d58504954bb3ed9b718a448991

  • Size

    3.8MB

  • Sample

    220707-ldjtnsche7

  • MD5

    dd62a5e768399cccdb02b5b6364ec44c

  • SHA1

    3c287b8a161bf3a90bfc7eb6baa29dbf54d4bb84

  • SHA256

    abac9b724c6d13aa90b5484b7c424c1505f9f7d58504954bb3ed9b718a448991

  • SHA512

    30b9b1eb4f52a30300c09fb0d14ce5c9f1ab3a0023144c660f93ffab2dc4e37de50abb2bc3c23a0b521d8645f07c3628f9a4c2a71d612a7cce5db3d4d38a2067

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note
ALL YOUR FILES HAVE BEEN ENCRYPTED BY "VICE SOCIETY" All your important documents, photos, databases were stolen and encrypted. If you don't contact us in 7 days we will upload your files to darknet. The only method of recovering files is to purchase an unique private key. We are the only who can give you tool to recover your files. To proove that we have the key and it works you can send us 2 files and we decrypt it for free (not more than 2 MB each). This file should be not valuable! Write to email: BruceBoyle@onionmail.org Alternative email: SylvesterJones@onionmail.org Public emai:l v-society.official@onionmail.org Our tor website: vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to ours) or you can become a victim of a scam.
Emails

BruceBoyle@onionmail.org

SylvesterJones@onionmail.org

v-society.official@onionmail.org

URLs

http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion

Extracted

Path

C:\$Recycle.Bin\README_6060147.txt

Family

blackout

Ransom Note
Hello!! All your files have been encrypted.. Your Id: Y0zqdgTFO6mJwFNzLuvuk86F3lszkfPzBRFyEWsWRbDbFk0+mOTRpub+bSQUQ53quJuVUNssIWpiZRhCoNaobcapFz8ZXEJYQtkvrWINsc2wHjpyuf3fB/vE3OVsH3UmvnPkoVHL4LNky965r8/zNA+GGAHELDTMSL7oSOh8lTEYot2YxT52+nsD1YGYKXRJMWc4lsqo5pMMnfEQr06382myHHSddHUN2EBHR9UjdqPN9vaV0CgaYxD7r4NiT6vkcQgFHe1+NAD2md8UsrT4dQ7A/FqXpG0HjIEmXvy0SA3iKOW6W9HN8xed6ecZMxGsKYJqqc07hIGyheOxJhcn4w++ZW4tVVNfNjA2MDE0N19BZG1pbl83LzcvMjAyMiAxMToyNzo0MCBBTV9XaW4gN19ibHV0NV82 To decrypt your files, write to email: decrypted8@bigmir.net or mitoplent@safe-mail.net In the letter, send your Id and 2 small encrypted files for trial decryption. If you dont get answer from decrypted8@bigmir.net or mitoplent@safe-mail.net in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi
Emails

decrypted8@bigmir.net

mitoplent@safe-mail.net

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Extracted

Path

C:\$Recycle.Bin\README_8713028.txt

Family

blackout

Ransom Note
Hello!! All your files have been encrypted.. Your Id: XcVmNTdofOXf7nzyvYgkam0RhHwLmlTQyxz7AD4nWK9zZh/DRI9Fezr4nbVEm3zPD0KOhBqZ1R+Ruu0cvNBFEginppfbbPoDu/R3W9mu0bzW+mr2IaBLcfixnHJ1ut/b0E4VUmH+LMG5eaE62AhYtwX3VhTn2u1D3BCX12Gql7epDcery62U5M9NcMsrLVuUJADCQPwT2dPkHT6B/Z5fSZwYEiBW6JTse5nuXncMlg3AXXkHBvDV2J0J9rqAmZHbln7+uip0m9sMWuhwPlWE8OrUiRt4ARWCCSCDncTVF5HzZvkRbbXJasHvvD0fMay72RdmABBD2vs1PgyyHK7Djg++ZW4tVVNfODcxMzAyOF9BZG1pbl83LzcvMjAyMiAxMToyNjo0NyBBTV9XaW4gMTBfYmx1dDVfNg To decrypt your files, write to email: decrypted8@bigmir.net or mitoplent@safe-mail.net In the letter, send your Id and 2 small encrypted files for trial decryption. If you dont get answer from decrypted8@bigmir.net or mitoplent@safe-mail.net in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi
Emails

decrypted8@bigmir.net

mitoplent@safe-mail.net

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Extracted

Path

C:\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private HardWare with a low price! E-MAIL1: enc0@dr.com E-MAIL2: enc1@usa.com
Emails

enc0@dr.com

enc1@usa.com

Extracted

Path

C:\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>HELP_DECRYPT_YOUR_FILES</title> <style> .text { text-align: center; } </style> </head> <body> <div class="text"> <strong>NOT YOUR LANGUAGE?</strong> USE <a href="https://translate.google.com">https://translate.google.com</a><br><br> <strong>What happened to your files ?</strong><br> All of your files were protected by a strong encryption with RSA-2048.<br> More information about the encryption keys using RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br> <strong>How did this happen ?</strong><br> !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br> !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br> !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br> <strong>What do I do ?</strong><br> So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br> If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br> <strong>For more specific instructions:</strong><br> Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br> For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br> Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private HardWare with a low price! 
<br> <strong>E-MAIL1:</strong> enc0@dr.com<br> <strong>E-MAIL2:</strong> enc1@usa.com<br>
Emails

enc0@dr.com

enc1@usa.com

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note
--------------------------------------------------- ____ _ __ __ _ | _ \ (_) ___ ___ \ \ / / (_) _ __ _ _ ___ | |_) | | | / __| / _ \ \ \ / / | | | '__| | | | | / __| | __/ | | | (__ | (_) | \ V / | | | | | |_| | \__ \ |_| |_| \___| \___/ \_/ |_| |_| \__,_| |___/ --------------------------------------------------- Pico v1.1 Your files are encrypted. This means you cannot access your files if they are encrypted you can't watch, edit, use them. Try something funny and we will delete all your files. All your files are encrypted with. 256-bit encryption is refers to the length of the encryption key used to encrypt a data stream or file. A hacker or cracker will require 2256 different combinations to break a 256-bit encrypted message, which is virtually impossible to be broken by even the fastest computers. After 2 minutes of receiving the payment, the decryption tool will be send to you. To decrypt your files, follow next steps: 1. Send 100 (0.02 BTC) to the Bitcoin Wallet or other paying method if requested. Bitcoin wallet: 17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM 2. Send your MachineID to Discord picocode#8523 MactineID: 4cab856c-2ae4-4cbd-8a04-329969ee64da --------------------------------------------------- Do not waste your time, files can only be decrypted by our decode tool. If you paid the tool will get send by discord to you.
Wallets

17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note
--------------------------------------------------- ____ _ __ __ _ | _ \ (_) ___ ___ \ \ / / (_) _ __ _ _ ___ | |_) | | | / __| / _ \ \ \ / / | | | '__| | | | | / __| | __/ | | | (__ | (_) | \ V / | | | | | |_| | \__ \ |_| |_| \___| \___/ \_/ |_| |_| \__,_| |___/ --------------------------------------------------- Pico v1.1 Your files are encrypted. This means you cannot access your files if they are encrypted you can't watch, edit, use them. Try something funny and we will delete all your files. All your files are encrypted with. 256-bit encryption is refers to the length of the encryption key used to encrypt a data stream or file. A hacker or cracker will require 2256 different combinations to break a 256-bit encrypted message, which is virtually impossible to be broken by even the fastest computers. After 2 minutes of receiving the payment, the decryption tool will be send to you. To decrypt your files, follow next steps: 1. Send 100 (0.02 BTC) to the Bitcoin Wallet or other paying method if requested. Bitcoin wallet: 17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM 2. Send your MachineID to Discord picocode#8523 MactineID: 6bb404a8-25bc-4cef-a831-797f8d1e89c0 --------------------------------------------------- Do not waste your time, files can only be decrypted by our decode tool. If you paid the tool will get send by discord to you.
Wallets

17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM

Targets

    • Target

      trojan/1.exe

    • Size

      145KB

    • MD5

      6e67678fc82cc9c1215a7625b5c27513

    • SHA1

      1b27d0a1b3078fdf0b51439d86f8b093733bfac5

    • SHA256

      b5fe0cbc7569e8adb249658ba9942cafd423c057849623d5e6e5ccf279b22782

    • SHA512

      550383b64d1f458ef32a66b008dfca3d1d83257e857c1c14b3988a231176b496dfd283863b2d1f43d00942960e5eac6244ded555cdb0a03191f5b6081d4ee8f0

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Windows security bypass

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Deletes itself

    • Windows security modification

    • Drops file in System32 directory

    • Target

      trojan/10.exe

    • Size

      216KB

    • MD5

      78621f1e196497d440afb57f4609fcf9

    • SHA1

      eed7c3bb3fc5181b88abeed2204997f350324022

    • SHA256

      4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

    • SHA512

      8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      trojan/2.exe

    • Size

      778KB

    • MD5

      d4d4f4fee724206e7a43e1de300b207d

    • SHA1

      7ffcdb6f8ed5e850b0e55d887f2af6c14b1c79d7

    • SHA256

      404be535500066a8e0e395aa75fd406709e7c3e49e61598450ede47cfe084f61

    • SHA512

      882a64d63885c2b786c6aa9501e1efc32ad13fdf32beb19cff02bf8134a1735be2b3285f32e60c8a529a6f0465cd5a46d072714e7639602142e4d578257862db

    Score
    5/10
    • Drops file in System32 directory

    • Target

      trojan/3.exe

    • Size

      376KB

    • MD5

      ee39fe5532bdf8daa98b723c901896f9

    • SHA1

      74b487e2817f4f18deaa13ba02e33f6dea688469

    • SHA256

      97f870be4bf2ddb4004045e2a902da032059d6e89084fdb7dc3ef53eb8570050

    • SHA512

      badbf5fbfc8a13a260488e7112c187b0667235f8814f2c50b38ab98b723c232a5444d06c9f1835f2e19783990642681ee4513b358f847b1e7fc3f0c28bf0c255

    Score
    10/10
    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      trojan/4.exe

    • Size

      89KB

    • MD5

      ff0378ea8f209c085c4ff00b67ef23fa

    • SHA1

      187fc7cc78740db57c1dc0bd9a2fa017c9160f1f

    • SHA256

      885b63ca1d23550c56d34a5a5195bba4cc21c59f7161d38781eb2cd85aee0bbb

    • SHA512

      f819e0f1b01232de9ba773a308aba2791ad75033122b1866bff94357c05f55bacaae17c15f607218ffeba8ab77c23faef92061d076fe6cfbf4def251bfd2d184

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      trojan/5.exe

    • Size

      1.1MB

    • MD5

      1d13e667dbcf6a1ec0d0cacfbf1397ca

    • SHA1

      709eaeb8969ac6e3da0bb41348e0369245147d66

    • SHA256

      bb7eed4a124277973d985fc52e066f66e075181c337fa61de918a6d1b498ac8e

    • SHA512

      a02bbb787e27a1ab25ad8f6bc6c9f6934859027ac23c4427d6385ea75ac0f73ee76853418200055e97b2ad3b2c4be90f19e1fcfd77b4d9cd93491cce4f2b102d

    Score
    8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      trojan/6.exe

    • Size

      156KB

    • MD5

      eba85b706259f4dc0aec06a6a024609a

    • SHA1

      94873e77bd5b7e5d6bd9e5af40eca26c2c56e0b7

    • SHA256

      ae121f28c05037d09f85f8b7ef9930f2d62c8f0e6e6a8d7ff092932ddbb1ad23

    • SHA512

      1679216a9e3c4665bc79332847759829e3c280bfe9f3ab70d1c7289346a302ff543fa4f88bc3e449c5d8b9eb4b03e96dd50c1f13877f4d4287ab4c63a0b2542e

    • Blackout

      Ransomware family identified in early 2020.

    • Disables Task Manager via registry modification

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      trojan/7.exe

    • Size

      127KB

    • MD5

      a202914a34dc528aa137bd394518d9b0

    • SHA1

      4724934b61687cb1abe96bab137c7b1d4476f271

    • SHA256

      f110528a354648070a7ef4cbc43046ca427adced8aad6c936bdc9e8932e01225

    • SHA512

      c18ece9e156c2020cc34e3aa77e00efaeda2cca2d5a99b0c0e6cf170b723a009dbaa775b14a7673ba076aefbb7aba1a0fec12e3db7d580c5b43841cb1659a8d6

    Score
    10/10
    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      trojan/8.exe

    • Size

      235KB

    • MD5

      6ad37fb0ae1f564119c32ad238f5013e

    • SHA1

      cd168d13400f213c11d2fb6f1517b998c21308be

    • SHA256

      058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e

    • SHA512

      977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2

    • suricata: ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      trojan/9.exe

    • Size

      12.0MB

    • MD5

      84bb70a4861bffd2852ed7fe6e71ec9b

    • SHA1

      e25e727215abcd5317236d8919f85a6e251f8367

    • SHA256

      a44cc1193a4f20d0c1e94841b21b0bcfeec45a30dc68ba6eb68d0ea5aef6c942

    • SHA512

      42749e3034a2027cc658c03ec1ff7191d643bced89d887cfef5f84127d785fc3b948a1dade7db209fc5a5bb258de831d116e3ca46f8740540603937a1203e3f3

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

    Modify Existing Service (2) T1031
    Registry Run Keys / Startup Folder (7) T1060
    Winlogon Helper DLL (1) T1004

Defense Evasion

    Modify Registry (11) T1112
    Disabling Security Tools (2) T1089
    File Deletion (2) T1107

Credential Access

    Credentials in Files (1) T1081

Discovery

    System Information Discovery (11) T1082
    Query Registry (8) T1012
    Peripheral Device Discovery (4) T1120

Collection

    Data from Local System (1) T1005

Impact

    Inhibit System Recovery (2) T1490

Tasks

static1

upx
Score
8/10

behavioral1

metasploit backdoor evasion trojan
Score
10/10

behavioral2

metasploit backdoor evasion trojan
Score
10/10

behavioral3

persistence ransomware
Score
10/10

behavioral4

persistence
Score
8/10

behavioral5

Score
3/10

behavioral6

Score
5/10

behavioral7

persistence
Score
10/10

behavioral8

persistence
Score
10/10

behavioral9

persistence upx
Score
8/10

behavioral10

persistence upx
Score
8/10

behavioral11

upx
Score
8/10

behavioral12

upx
Score
8/10

behavioral13

blackout evasion persistence ransomware
Score
10/10

behavioral14

blackout evasion persistence ransomware
Score
10/10

behavioral15

persistence ransomware
Score
10/10

behavioral16

persistence ransomware
Score
10/10

behavioral17

persistence ransomware suricata
Score
10/10

behavioral18

persistence ransomware
Score
10/10

behavioral19

persistence spyware stealer
Score
8/10

behavioral20

persistence
Score
8/10