dharma

General

Target

9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13
Size

1.7MB
Sample

220724-sef8hagba8
MD5

6fccb7f6581e2519f14e858b597d8b5b
SHA1

5cec2dbbf7af2c1a547bcce36deb06e8a2bc491b
SHA256

9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13
SHA512

2c936900e8ec067dac4a5b28ed77de2bab4a90f373e776026eee8b213cb15817fd5ff83134bd2d8c9bc5edff57b7a80d1265ed566a49b0fc4946bd8e8f6fad9b

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_B29CE706 Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: admin@spacedatas.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

admin@spacedatas.com

URLs

http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_B29CE706

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_ABAD1BB4 Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: admin@spacedatas.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

admin@spacedatas.com

URLs

http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_ABAD1BB4

Targets

- Target
  
  9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13
- Size
  
  1.7MB
- MD5
  
  6fccb7f6581e2519f14e858b597d8b5b
- SHA1
  
  5cec2dbbf7af2c1a547bcce36deb06e8a2bc491b
- SHA256
  
  9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13
- SHA512
  
  2c936900e8ec067dac4a5b28ed77de2bab4a90f373e776026eee8b213cb15817fd5ff83134bd2d8c9bc5edff57b7a80d1265ed566a49b0fc4946bd8e8f6fad9b
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2