General

  • Target

    BitPaymer.exe

  • Size

    3.2MB

  • Sample

    220707-wkm5sadhdj

  • MD5

    8c54bbe3f191a8627bfeeb4cb02634a9

  • SHA1

    2fc2ecbed153344557386e80a2fbd097bf795559

  • SHA256

    f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555

  • SHA512

    752d4bb22765373f7ee185acc42b73d5f2b75ae46ed995bf2f59486038a512eca30c5ecf040541cc2833df005ee17db00a0ec5ae802b677ff468f256ea53ecd2

Malware Config

Extracted

Path

C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at your personal page:
1. Download and install Tor Browser: https://www.torproject.org/download/
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
4. Follow the instructions on the site
5. You should get in contact in 48 HOURS since your systems been infected.
6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely.
7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page.
The faster you get in contact - the lower price you can expect.
DATA AgAAANZMAQIAABBmAAAApAAA1ErjS6x+npxtc6StiFzgAKWcs0iRzbXX4DHwi45XThUcwf3/Sx0h YhAGY3MGgIw7JGqa6IJkfs/hDW15DR3iz0zFIXFOmidfE/HeboHFhdZS60v1JtSjaqol3SUuAdOx q5s666vGN7HIZhZRrgrRkRGmesPZy58ebfs66rlmmNGRKm4IvGkEkE2ircPB7r7AJliwDP74+pJM /pNkgw/V6XiOPI6vUM+iyTUT2NW3GvJEqJtvLJ2kCALzqarRtQtqq0DjwlRYXqYMw5afjm0XnxsD 3TT9oGCDtwyN3ZyG/Zenf7ekt+PLyhGxEyPgEPFp+EJ3al6bT8qRErr2AnFHNA==
Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2010_x64.log.html.readme2unlock.txt

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme2unlock.txt

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2010_x86.log.html.readme2unlock.txt

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.readme2unlock.txt

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.readme2unlock.txt

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.readme2unlock.txt

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.readme2unlock.txt

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Targets

    • BitPaymer

      Bitpaymer is a Trojan horse that encrypts files on a computer.

    • Modifies security service

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the technique, its ATT&CK ID, and the number of matched signatures.

Persistence

    • Modify Existing Service (T1031) x1

    • Registry Run Keys / Startup Folder (T1060) x1

Defense Evasion

    • Modify Registry (T1112) x3

    • File Deletion (T1107) x2

    • File Permissions Modification (T1222) x1

Discovery

    • Query Registry (T1012) x1

    • System Information Discovery (T1082) x3

Impact

    • Inhibit System Recovery (T1490) x2
