teslacrypt | 44bb8e023b4c0e0b5830a58d120ac427cbdcb4897dc74e91c155ea169b07d99d

General

Target

44bb8e023b4c0e0b5830a58d120ac427cbdcb4897dc74e91c155ea169b07d99d
Size

396KB
Sample

220707-wzmgsseffq
MD5

794f78c8b950dc1a840d165892cb0596
SHA1

4667584f756b8e67a504ada9141f868e59f8dbb1
SHA256

44bb8e023b4c0e0b5830a58d120ac427cbdcb4897dc74e91c155ea169b07d99d
SHA512

1151775fe618496334f1bf184e4f65bfb83125918ffa80274e7e560c49a10a838cf253e7b7404df37e8219a827d47117900b7a26c5f97041227d931138d708d0

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-790309383-526510583-3802439154-1000\_RECoVERY_+ieepd.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5543BBC86777C8A4 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5543BBC86777C8A4 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5543BBC86777C8A4 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/5543BBC86777C8A4 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5543BBC86777C8A4 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5543BBC86777C8A4 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5543BBC86777C8A4 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/5543BBC86777C8A4

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5543BBC86777C8A4

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5543BBC86777C8A4

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5543BBC86777C8A4

http://xlowfznrg4wf7dli.ONION/5543BBC86777C8A4

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-790309383-526510583-3802439154-1000\_RECoVERY_+ieepd.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial;  font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <center>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></center> What happened  to your files? All of your files were  protected by a strong encryption with RSA4096  More  information about the encryption RSA4096 can be found <a href=http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> http://en.wikipedia.org/wiki/RSA_(cryptosystem) </a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you  can restore them How did this happen?   Especially for you, on our SERVER was generated the secret key All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!! What do I do? Alas, if you  do not take  the necessary measures for the specified time then the conditions for obtaining the private key will be changed  If you really need  your data, then we suggest you  do not waste valuable  time searching for other  solutions becausen  they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your  personal home page, there are a few different addresses pointing to  your page below:<hr>  1 - <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5543BBC86777C8A4 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5543BBC86777C8A4</a>  2 - <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5543BBC86777C8A4 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5543BBC86777C8A4</a>  3 - <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5543BBC86777C8A4 target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5543BBC86777C8A4</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the  addresses are not available,  follow these steps: <hr> 1 -  Download and  install tor-browser: <a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2 -  After a successful installation, run the browser and wait for initialization. 3 -  Type in the tor-browser address bar: xlowfznrg4wf7dli.onion/5543BBC86777C8A4 4 -  Follow the instructions  on the site.</div> !!! IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5543BBC86777C8A4 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5543BBC86777C8A4</a> <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5543BBC86777C8A4 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5543BBC86777C8A4</a> <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5543BBC86777C8A4 target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5543BBC86777C8A4</a>  Your  Personal TOR-Browser page : xlowfznrg4wf7dli.onion/5543BBC86777C8A4  Your personal  ID  (if you open  the site directly):  5543BBC86777C8A4 </div></div></center></body></html>

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\_RECoVERY_+brwih.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C9D79DF556F837F 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C9D79DF556F837F 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C9D79DF556F837F If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/4C9D79DF556F837F 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C9D79DF556F837F http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C9D79DF556F837F http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C9D79DF556F837F *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/4C9D79DF556F837F

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C9D79DF556F837F

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C9D79DF556F837F

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C9D79DF556F837F

http://xlowfznrg4wf7dli.ONION/4C9D79DF556F837F

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\_RECoVERY_+brwih.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial;  font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <center>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></center> What happened  to your files? All of your files were  protected by a strong encryption with RSA4096  More  information about the encryption RSA4096 can be found <a href=http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> http://en.wikipedia.org/wiki/RSA_(cryptosystem) </a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you  can restore them How did this happen?   Especially for you, on our SERVER was generated the secret key All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!! What do I do? Alas, if you  do not take  the necessary measures for the specified time then the conditions for obtaining the private key will be changed  If you really need  your data, then we suggest you  do not waste valuable  time searching for other  solutions becausen  they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your  personal home page, there are a few different addresses pointing to  your page below:<hr>  1 - <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C9D79DF556F837F target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C9D79DF556F837F</a>  2 - <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C9D79DF556F837F target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C9D79DF556F837F</a>  3 - <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C9D79DF556F837F target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C9D79DF556F837F</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the  addresses are not available,  follow these steps: <hr> 1 -  Download and  install tor-browser: <a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2 -  After a successful installation, run the browser and wait for initialization. 3 -  Type in the tor-browser address bar: xlowfznrg4wf7dli.onion/4C9D79DF556F837F 4 -  Follow the instructions  on the site.</div> !!! IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C9D79DF556F837F target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C9D79DF556F837F</a> <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C9D79DF556F837F target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C9D79DF556F837F</a> <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C9D79DF556F837F target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C9D79DF556F837F</a>  Your  Personal TOR-Browser page : xlowfznrg4wf7dli.onion/4C9D79DF556F837F  Your personal  ID  (if you open  the site directly):  4C9D79DF556F837F </div></div></center></body></html>

Targets

- Target
  
  44bb8e023b4c0e0b5830a58d120ac427cbdcb4897dc74e91c155ea169b07d99d
- Size
  
  396KB
- MD5
  
  794f78c8b950dc1a840d165892cb0596
- SHA1
  
  4667584f756b8e67a504ada9141f868e59f8dbb1
- SHA256
  
  44bb8e023b4c0e0b5830a58d120ac427cbdcb4897dc74e91c155ea169b07d99d
- SHA512
  
  1151775fe618496334f1bf184e4f65bfb83125918ffa80274e7e560c49a10a838cf253e7b7404df37e8219a827d47117900b7a26c5f97041227d931138d708d0
Score

10^/10

teslacrypt persistence ransomware suricata
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
  ransomware teslacrypt
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  suricata
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
behavioral1 behavioral2