teslacrypt | 4a6e3bd7acd26d0f34aa8faf112bda87635d5d7add7777d1bc160bd3781a517c

General

Target

4a6e3bd7acd26d0f34aa8faf112bda87635d5d7add7777d1bc160bd3781a517c
Size

416KB
Sample

220712-qjcprseed8
MD5

6d97decf011100391cefd3d9355b1e8e
SHA1

92c7a7e1d383c0cba6be05dc7230a2814d47ba57
SHA256

4a6e3bd7acd26d0f34aa8faf112bda87635d5d7add7777d1bc160bd3781a517c
SHA512

243e6922a0a6c6d656205a07dd4adeb50362d3d92f929185c5a2c638fc418fce7a70cd856eb1622aac98fe58a8f13e470eeaa2d28537bbe788be1b53b5a2b53a

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\_RECoVERY_+pifqa.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FD35A02F296B4B4 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FD35A02F296B4B4 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FD35A02F296B4B4 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/FD35A02F296B4B4 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FD35A02F296B4B4 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FD35A02F296B4B4 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FD35A02F296B4B4 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/FD35A02F296B4B4

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FD35A02F296B4B4

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FD35A02F296B4B4

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FD35A02F296B4B4

http://xlowfznrg4wf7dli.ONION/FD35A02F296B4B4

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\_RECoVERY_+pifqa.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial;  font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <center>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></center> What happened  to your files? All of your files were  protected by a strong encryption with RSA4096  More  information about the encryption RSA4096 can be found <a href=http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> http://en.wikipedia.org/wiki/RSA_(cryptosystem) </a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you  can restore them How did this happen?   Especially for you, on our SERVER was generated the secret key All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!! What do I do? Alas, if you  do not take  the necessary measures for the specified time then the conditions for obtaining the private key will be changed  If you really need  your data, then we suggest you  do not waste valuable  time searching for other  solutions becausen  they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your  personal home page, there are a few different addresses pointing to  your page below:<hr>  1 - <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FD35A02F296B4B4 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FD35A02F296B4B4</a>  2 - <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FD35A02F296B4B4 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FD35A02F296B4B4</a>  3 - <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FD35A02F296B4B4 target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FD35A02F296B4B4</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the  addresses are not available,  follow these steps: <hr> 1 -  Download and  install tor-browser: <a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2 -  After a successful installation, run the browser and wait for initialization. 3 -  Type in the tor-browser address bar: xlowfznrg4wf7dli.onion/FD35A02F296B4B4 4 -  Follow the instructions  on the site.</div> !!! IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FD35A02F296B4B4 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FD35A02F296B4B4</a> <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FD35A02F296B4B4 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FD35A02F296B4B4</a> <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FD35A02F296B4B4 target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FD35A02F296B4B4</a>  Your  Personal TOR-Browser page : xlowfznrg4wf7dli.onion/FD35A02F296B4B4  Your personal  ID  (if you open  the site directly):  FD35A02F296B4B4 </div></div></center></body></html>

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\_RECoVERY_+ustuq.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5C91B0F390133FF2 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5C91B0F390133FF2 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5C91B0F390133FF2 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/5C91B0F390133FF2 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5C91B0F390133FF2 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5C91B0F390133FF2 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5C91B0F390133FF2 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/5C91B0F390133FF2

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5C91B0F390133FF2

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5C91B0F390133FF2

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5C91B0F390133FF2

http://xlowfznrg4wf7dli.ONION/5C91B0F390133FF2

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\_RECoVERY_+ustuq.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial;  font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <center>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></center> What happened  to your files? All of your files were  protected by a strong encryption with RSA4096  More  information about the encryption RSA4096 can be found <a href=http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> http://en.wikipedia.org/wiki/RSA_(cryptosystem) </a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you  can restore them How did this happen?   Especially for you, on our SERVER was generated the secret key All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!! What do I do? Alas, if you  do not take  the necessary measures for the specified time then the conditions for obtaining the private key will be changed  If you really need  your data, then we suggest you  do not waste valuable  time searching for other  solutions becausen  they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your  personal home page, there are a few different addresses pointing to  your page below:<hr>  1 - <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5C91B0F390133FF2 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5C91B0F390133FF2</a>  2 - <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5C91B0F390133FF2 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5C91B0F390133FF2</a>  3 - <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5C91B0F390133FF2 target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5C91B0F390133FF2</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the  addresses are not available,  follow these steps: <hr> 1 -  Download and  install tor-browser: <a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2 -  After a successful installation, run the browser and wait for initialization. 3 -  Type in the tor-browser address bar: xlowfznrg4wf7dli.onion/5C91B0F390133FF2 4 -  Follow the instructions  on the site.</div> !!! IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5C91B0F390133FF2 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5C91B0F390133FF2</a> <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5C91B0F390133FF2 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5C91B0F390133FF2</a> <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5C91B0F390133FF2 target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5C91B0F390133FF2</a>  Your  Personal TOR-Browser page : xlowfznrg4wf7dli.onion/5C91B0F390133FF2  Your personal  ID  (if you open  the site directly):  5C91B0F390133FF2 </div></div></center></body></html>

Targets

- Target
  
  4a6e3bd7acd26d0f34aa8faf112bda87635d5d7add7777d1bc160bd3781a517c
- Size
  
  416KB
- MD5
  
  6d97decf011100391cefd3d9355b1e8e
- SHA1
  
  92c7a7e1d383c0cba6be05dc7230a2814d47ba57
- SHA256
  
  4a6e3bd7acd26d0f34aa8faf112bda87635d5d7add7777d1bc160bd3781a517c
- SHA512
  
  243e6922a0a6c6d656205a07dd4adeb50362d3d92f929185c5a2c638fc418fce7a70cd856eb1622aac98fe58a8f13e470eeaa2d28537bbe788be1b53b5a2b53a
Score

10^/10

teslacrypt persistence ransomware suricata
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
  ransomware teslacrypt
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  suricata
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
behavioral1 behavioral2