dharma

General

Target

e3d86be6c15b8a99818918664b806476503aea6b26692189555e90023724d2a7
Size

525KB
Sample

220724-segt2agba9
MD5

b12f061145406694b61da782826bf916
SHA1

a312bb3e956005972e2487fb4194ce52847ba971
SHA256

e3d86be6c15b8a99818918664b806476503aea6b26692189555e90023724d2a7
SHA512

67b0f34ae082ca69944db997720f0ca438fcd9153acdb2e46a6144ab166592b3d9b18f31dc72038992a5bc44175761e1d91b47c1994f78b307f3b5e490f62154

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_0101C73C Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: admin@spacedatas.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

admin@spacedatas.com

URLs

http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_0101C73C

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_69AEBD78 Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: admin@spacedatas.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

admin@spacedatas.com

URLs

http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_69AEBD78

Targets

- Target
  
  e3d86be6c15b8a99818918664b806476503aea6b26692189555e90023724d2a7
- Size
  
  525KB
- MD5
  
  b12f061145406694b61da782826bf916
- SHA1
  
  a312bb3e956005972e2487fb4194ce52847ba971
- SHA256
  
  e3d86be6c15b8a99818918664b806476503aea6b26692189555e90023724d2a7
- SHA512
  
  67b0f34ae082ca69944db997720f0ca438fcd9153acdb2e46a6144ab166592b3d9b18f31dc72038992a5bc44175761e1d91b47c1994f78b307f3b5e490f62154
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2