General

  • Target

    a165417d30d442cf63e14f467a44e08337f0e2229ba82b54b5aed17a6f4a7788.rl.zip

  • Size

    2.4MB

  • Sample

    220826-zmg84ahdgm

  • MD5

    f0f96fc0b0ff452b0295f541d0b81576

  • SHA1

    61f6a2bc3fcff5d71f422fd67520529599fa19f2

  • SHA256

    37eca05efdadf2436566193ccc0abd0f07203c0bef8e15551546c9cc754f378c

  • SHA512

    acaf3cf4dfa44e8821443cd31a0313c95c498489f2958cee6d1b33acafbce8b76ee7c48d7cf45484a6f8323a877256c2488ddb8d4a1db37a01b32aa2a9365219

  • SSDEEP

    49152:1xkXoYFxzooIfQjE613cQqMH5u0LaQ1w6gh8eKvADp0vMil5:1xkXoYFxkowAcXM4mZNgh8eKIDp+

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note

Hello! All your files are encrypted and only I can decrypt them. Contact me: 1rest0re@protonmail.com or 1rest0re@cock.li Write me if you want to return your files - I can do it very quickly! The header of letter must contain extension of encrypted files. I'm always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups) HURRY UP! ! ! ! If you do not email me in the next 48 hours then your data may be lost permanently ! ! !

Emails

1rest0re@protonmail.com

1rest0re@cock.li

Targets

    • Target

      74cfb2b96582ac00612a640e850fcb70e293a011.rl

    • Size

      4.8MB

    • MD5

      4ee3ecddd5f208f586b181af1ae0ce8f

    • SHA1

      74cfb2b96582ac00612a640e850fcb70e293a011

    • SHA256

      a165417d30d442cf63e14f467a44e08337f0e2229ba82b54b5aed17a6f4a7788

    • SHA512

      0a8b941969912b1ad0dd2eff5bee5f5dcfd822929a0cdb0c4eec5d898a66b951fd121008865c728c7a5ba7f7fba1f28ed1ba66994c75713319fbd25fdbb675c5

    • SSDEEP

      98304:fsfnH+0+buUdBMd5YcN8JYsJi2o3jXsisx:f4nH+0+uUdBAYniVTsjx

    • Detects the common Go function and variable names used by Snatch ransomware

    • Snatch Ransomware

      Ransomware family generally distributed through RDP brute-force attacks.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Often Ransomware samples write a note containing information on how to pay the ransom.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                 Count  ID
Defense Evasion     File Deletion             2      T1107
Credential Access   Credentials in Files      1      T1081
Collection          Data from Local System    1      T1005
Impact              Inhibit System Recovery   2      T1490

Tasks