Overview
Static (score badge: 10)

Per-sample analysis tabs, with the score badge shown for each analysis platform:

Sample                       windows7-x64   windows10-2004-x64
L22_File.zip                 7              1
Install.exe                  1              10
fonts/Arggotsc.ttf           10             3
fonts/Army Thin.ttf          7              3
fonts/BELLB.ttf              7              3
fonts/BOD_BI.ttf             7              3
fonts/BOD_I.ttf              7              3
fonts/CALISTBI.ttf           7              3
fonts/Caba...ar.ttf          7              3
fonts/black.ttf              7              3
fonts/browa.ttf              7              3
fonts/browauz.ttf            7              3
fonts/deat...eg.ttf          7              3
langs/Belarusian.ini         7              1
langs/Croatian.ini           1              1
langs/Danish.ini             1              1
General
Target: L22_File.zip
Size: 6.4MB
Sample: 220905-m6sgysadf3
MD5: 72a9f4e777d2f5046a47a5d580986444
SHA1: 3d64114624dc2f1c96485cb7c193ea95fab4f731
SHA256: ec4bf6cfc55df437a044d2f779cfd3619ddc96d4c7c5cb6621f38e9e30ec1041
SHA512: 23eddd86be0fed3f86de09378c55f85b0e47f967432edb079abb242fb046693c8d58734a32784e65729ca538e5492dddc18c498c7986b88da4302bb9420395ec
SSDEEP: 196608:Tjfhn41BNL8oYEzjTy1vt2Dv4WoeUnpxQS+i+:vZn41B95j2vt2sci+
Behavioral tasks

Task           Sample                        Resource
behavioral1    L22_File.zip                  win7-20220812-en
behavioral2    L22_File.zip                  win10v2004-20220812-en
behavioral3    Install.exe                   win7-20220901-en
behavioral4    Install.exe                   win10v2004-20220812-en
behavioral5    fonts/Arggotsc.ttf            win7-20220812-en
behavioral6    fonts/Arggotsc.ttf            win10v2004-20220901-en
behavioral7    fonts/Army Thin.ttf           win7-20220812-en
behavioral8    fonts/Army Thin.ttf           win10v2004-20220812-en
behavioral9    fonts/BELLB.ttf               win7-20220812-en
behavioral10   fonts/BELLB.ttf               win10v2004-20220901-en
behavioral11   fonts/BOD_BI.ttf              win7-20220812-en
behavioral12   fonts/BOD_BI.ttf              win10v2004-20220812-en
behavioral13   fonts/BOD_I.ttf               win7-20220812-en
behavioral14   fonts/BOD_I.ttf               win10v2004-20220901-en
behavioral15   fonts/CALISTBI.ttf            win7-20220812-en
behavioral16   fonts/CALISTBI.ttf            win10v2004-20220812-en
behavioral17   fonts/Cabana-Regular.ttf      win7-20220901-en
behavioral18   fonts/Cabana-Regular.ttf      win10v2004-20220812-en
behavioral19   fonts/black.ttf               win7-20220812-en
behavioral20   fonts/black.ttf               win10v2004-20220812-en
behavioral21   fonts/browa.ttf               win7-20220901-en
behavioral22   fonts/browa.ttf               win10v2004-20220812-en
behavioral23   fonts/browauz.ttf             win7-20220812-en
behavioral24   fonts/browauz.ttf             win10v2004-20220812-en
behavioral25   fonts/deathrattlebb_reg.ttf   win7-20220901-en
behavioral26   fonts/deathrattlebb_reg.ttf   win10v2004-20220812-en
behavioral27   langs/Belarusian.ini          win7-20220812-en
behavioral28   langs/Belarusian.ini          win10v2004-20220901-en
behavioral29   langs/Croatian.ini            win7-20220812-en
behavioral30   langs/Croatian.ini            win10v2004-20220812-en
behavioral31   langs/Danish.ini              win7-20220812-en
behavioral32   langs/Danish.ini              win10v2004-20220812-en
Malware Config

Extracted: privateloader
  http://163.123.143.4/proxies.txt
  http://107.182.129.251/server.txt
  pastebin.com/raw/A7dSG1te
  http://wfsdragon.ru/api/setStats.php
  163.123.143.12
  http://91.241.19.125/pub.php?pub=one
  http://sarfoods.com/index.php
  payload_url: https://vipsofts.xyz/files/mega.bmp

Extracted: djvu
  http://acacaca.org/test3/get.php
  extension: .oovb
  offline_id: 6GXhR4uyHH9NXT2qot14T0HeNSviNKH0Q6PGVNt1
  payload_url:
    http://rgyui.top/dl/build2.exe
    http://acacaca.org/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6g0MALAb7E Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0552Jhyjd

Extracted: redline
  nam6
  103.89.90.61:34589
  auth_value: 5a3b5b1f2e8673a71b501e4a670a3f3a

Extracted: raccoon
  ad82482251879b6e89002f532531462a
  http://89.185.85.53/

Extracted: redline
  @fuschlock
  5.182.36.101:31305
  auth_value: 75217e9ad4340e68bc1f7002a503fe3c

Extracted: redline
  Andriii_ff
  109.107.181.244:41535
  auth_value: 0318e100e6da39f286482d897715196b

Extracted: redline
  3108_RUZKI
  213.219.247.199:9452
  auth_value: f71fed1cd094e4e1eb7ad1c53e542bca

Extracted: redline
  mettop1
  xoralessh.xyz:80
  auth_value: a8206072062ec5262484a012d246646b
Targets

Target: L22_File.zip
Size: 6.4MB
MD5: 72a9f4e777d2f5046a47a5d580986444
SHA1: 3d64114624dc2f1c96485cb7c193ea95fab4f731
SHA256: ec4bf6cfc55df437a044d2f779cfd3619ddc96d4c7c5cb6621f38e9e30ec1041
SHA512: 23eddd86be0fed3f86de09378c55f85b0e47f967432edb079abb242fb046693c8d58734a32784e65729ca538e5492dddc18c498c7986b88da4302bb9420395ec
SSDEEP: 196608:Tjfhn41BNL8oYEzjTy1vt2Dv4WoeUnpxQS+i+:vZn41B95j2vt2sci+
Score: 1/10
Target: Install.exe
Size: 435.0MB
MD5: 2a27acc2f6b26b15d6d839d43a6b6bc0
SHA1: 661dca9bd343226ae54da0e21f12ef1e181b1776
SHA256: 006fd40f696d274a44535fcf35d6130445842b148115db48c5b859a8519cdc77
SHA512: ebf8bfdf7529429a400ad39d473da0e43752c6cd16dffaadd067e38b3e0c9991664217d15931a73f7f78a0160cdbd4f5710699d2f293c1638ae8d1ed5f7940ee
SSDEEP: 98304:Ak/AHdxT8BEU8MkJwe65adTX4a2tYsUxKr76hwrrKqdSlwrWL:Ak/i8jkJjLd8a2UxIzGwyL
Signatures:
  - Detected Djvu ransomware
  - Detects Smokeloader packer
  - PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  - Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
  - RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  - RedLine payload
  - YTStealer payload
  - Detects Phoenix Miner payload
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.
  - Loads dropped DLL
  - Modifies file permissions
  - Unexpected DNS network traffic destination: Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  - Uses the VBS compiler for execution
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
Target: fonts/Arggotsc.ttf
Size: 88KB
MD5: 1a1ec864b6c0730c8be73b99a092bf46
SHA1: b621b1ef3365eeeb562073b7affd2177d63342a4
SHA256: 85d7a5ef7867ab572048c9a4f422526f249da11f3236e8763a737d66df08e096
SHA512: 8ac4b1b54c92ce4b7dd1c3419243f13cf5c1e7537b768db3306787223904083d562809fcb18ac26707f67518e05558bd9d89fab46a3500fbef3aaa5f9cb38617
SSDEEP: 1536:yRpVPVxnzULhyM1toY7I+Q2+QZMDxRJyG7Syl/6JsOgTpqRkX5/qb5UB:yjVPV1zUVyYRQ2hZmRJyG7Syl/6J1gTZ
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: fonts/Army Thin.ttf
Size: 88KB
MD5: 9c0996fba26512ad5120010e385e208d
SHA1: 37a752173b71a3a3e27a7c6ac825b69db622fba4
SHA256: b00dd75d282e11a2067bb8341c9c2b4a1c2ae5db3029e584d92a4549fb784d48
SHA512: c9fca09824a7192afb128c1b9cfcb1bf0c7e39ad1a269ddb4b271a65f7cb0b4d0d8a155f5485e32dc8c036fee9bfe29f11e97399632132c47514adf893574ed7
SSDEEP: 1536:R2o690qRKBuTRKBoxIddKOyjgUq867OrUsw+gpG5I/:j690qYBuTYBoxIddKOyjgUI7OrU4gpGC
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: fonts/BELLB.TTF
Size: 80KB
MD5: f37324d3575c7132e330af3c8f08da17
SHA1: 1e14164f2bf6d6972744642d0a6c8afce4d6daa4
SHA256: dcc8d42eebbab6822f736a7b99e1c9d6ee6861b247a19049bb33e5955d991dde
SHA512: 80e2daad5319c8a732bec4eb5b7b62fd88979638df98e104688dd9747f0f4089f5a68e61509ce0c7a7590e1c73ad4564a41e97b7a8dd16d12947daa48935f743
SSDEEP: 1536:EIIZKRcnuonqV3nVbISbjFameCNLs6EzeJFE1bXzyjVNfpS0vH:qn9nW3VbXTesWyYFXzyjlS0f
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: fonts/BOD_BI.TTF
Size: 83KB
MD5: 5bb67e55de4ee82aff5585b7bc7df099
SHA1: 30c29ebba4511f7ffb96bc056bfb6531229011f4
SHA256: 9729e2ae73b15871db606a18a48b8674ce2bae35d76a511d3510c4a9db2385ef
SHA512: 51e91ff81bf05e2cd05d0caaf81f8ce6742d7ef9b8f7857daad2bbad085f419d6773c1bd664f040bf0028f51139046bb23589c1c66c3c4065dfd34d246c64c84
SSDEEP: 1536:j0mROXFT8UwUDH49fe7/jtYMXVT4FBMDbsJ4/RG2luywo60qdlnHy721Mslt6l2G:wnXp8UwUDY9fC0gTqy4DnSK1MsN9uELO
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: fonts/BOD_I.TTF
Size: 87KB
MD5: cec8a6834241575dcafba6d7504d64b8
SHA1: 3d412b305c3d93474c9fe02f60a049a9e87aeaab
SHA256: 960458b4c0851b8b9f1d047fe50f7fa01ddfbecaec692521d262660882e9596a
SHA512: 9a3e79f5a04e6f0794099788c07330b97c4ab31e95df745cea9d5e8cbc7dba2a01a04dc4cbc7b93fcd76a7d1240f073f256ec7d5a9ce08d62312b01d4fd10e78
SSDEEP: 1536:4AxM2frzSwDp3Qe0hmIyz9TJyCh1qaoDR9nbZ1v6jZCSpxiOvHdlGDw2taRkvwGv:4ARzSwN3QTld9iUGRDGweskvwNWV/wEt
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: fonts/CALISTBI.TTF
Size: 82KB
MD5: b8178488b4decb255bd3094b320600ac
SHA1: 315bf5a35ef284a71fd90f304767c8d90d6883cd
SHA256: 9b9e45f016b013d92c3caf1985db22f85e39c8b1f208636f9ac21f9c135239ce
SHA512: 3e98e8484ba5ac6c1475af24ae9ae55045511a46baf250ca36d4bb2b64e74b67e9b58a289572ee2609662685ab7218cf8fee200400a417a310bd7b82f47af1e6
SSDEEP: 1536:fAsN4DofckwriM3kM+cGEGjmU+xXXXozKbR5ITHpfLR8eXHVBGgIuBoQPeV9pfrr:fT0oYiMURcGEF7x3EKfiZRrfGgIsPsD/
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: fonts/Cabana-Regular.ttf
Size: 88KB
MD5: 153c7063d63f0b1aeda64c70d5a3b447
SHA1: ebcf5312bed9fc7a3da8526c770998b6fa1e06a1
SHA256: 4b6737e1f2e28fb2cf39eea2eba98baf66f7de0776bca0a893b55e5b783b1649
SHA512: 17ce2c6057a2dc232c1a8febe0462434753fff500f889ca8847e9973e503b30949bb2ff725a2a0189d2742e9fcc8b65581b8c4b389447a3edfe97ae21f243cfa
SSDEEP: 1536:qSiX1ccXNRpK52m2DwLbltfXfbu3wLbltf8fNHK2P9cENm:J6BBInmP9Fm
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: fonts/black.ttf
Size: 84KB
MD5: 5046ede33c7ccea0481c46e344d7eef4
SHA1: 570694d9531f8d3366b721f361749a6f6b8be94f
SHA256: 3ff9aa61c36a1ba3b7b46e7e73eda89695ab5f3f6263afe2594dcb91d50b9a64
SHA512: 4b6509a81ee99cbdcaf3fdce013dc7bd95c957b33e5a599aac58032a0a451cc4802cec13fafad491a3324c8e4f14e4dbbb42aed85fec0cb27c50b30695878a66
SSDEEP: 1536:dzAncHAR/NYyTPrII+WwohDPhLw1YZgYyru3TLB0c0l0jpJ9Z3:dISyhNwohDPI8guLB0T0jX
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: fonts/browa.ttf
Size: 87KB
MD5: bd62018c47c6141847cd00dcf20a215e
SHA1: 7a0c700fa81a8b5d405076f55e1c89f54a578309
SHA256: 20ba365275e4972f1a68588c821cd1ec88656349633d4598a1dec93498d5638e
SHA512: eff01b4800af12a3b182a0cb958a4e86e4f82d09d86d237fe1efef729b8795470a6a4d0191e3e4c63a2a5d9e2938d30e7c38b08069be21c82256bc9d23d68764
SSDEEP: 1536:uQsHpEYQ1ikaMYsrhp7XLKvp45uD6kaeuFklGIIYh4riRO+nYHae2U:wEYoiVMlhZbw4gukaqGFYhEMnU
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: fonts/browauz.ttf
Size: 87KB
MD5: cd3ee79a96eb48acedc65a5f00c3f1c2
SHA1: 33e0b6205417de835594f04006882660e77057d6
SHA256: 58dd269b448b3abb62fc0764b4f1b48b0ce339052dd3db8d881e5db3e77dac8b
SHA512: c6e6b2368275c57c324580849a19cb0fbfb94dbae697566c513d624e2bdc01946bd04b01214e99cdef439e8ab28273579914ee64665978f2fa4a4bb0e8294d2e
SSDEEP: 1536:p69JtJbJTMiJVKKaJcJhAgzaB36Xega5A6FVxucJYSRDlQefqR+sNvs2+sARy9Rp:MjTFJ5jl+36XeP5A6CSAein0HsAYDEAb
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: fonts/deathrattlebb_reg.ttf
Size: 82KB
MD5: 8ae15895cd813a33942b7b17c0fcc2fb
SHA1: d4489524c533fa198eaa6ba23c39049100481087
SHA256: 5ca9bb7216ccf7e07a6c79dce17815255bcbebe811e966f2763e7d93fc6426ae
SHA512: 347c62c3efd3c97da9800ff2e5b0a23350d0f11a555da956b8c1b0c0986c423443b92d256daed8f0a38f69caaa388e8896fafe7ca54e433cae85c1c1ef44926c
SSDEEP: 1536:uUzTV3HFhOStXfDEcdHUkAkbR5DJoCG5t27o:ucTVFXfQmU6VJu5t2U
Score: 7/10
Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: langs/Belarusian.ini
Size: 105KB
MD5: e345897882019c990457b83651f9ad97
SHA1: 2ae5a3917a4a6b1312454b5cc9b4ddf670c667d5
SHA256: 75723086a2c083a3d625bdfad8ffb39cac6819bcd84241002ecdd19ec4f3122d
SHA512: c20441612c64b7f2a9a46aa6cd68b950d2056de268bee2132e0d286498a42aebd8cb3cb4c42cd6e618df9b6cb38ca7e2f6e0b6af8fbed5d6ec95edf96e4035e6
SSDEEP: 768:wRmpwuzTeCmPMuQKh+k+xP2EEeg5L6PZYp9lJpFGyW1zCRwK9J2p9RiIa0oDgYpT:NzTeCmP7+xuXIa0HmoQz4Yh
Score: 1/10

Target: langs/Croatian.ini
Size: 105KB
MD5: 8477123868f12632d652c6da5df683c2
SHA1: 23dbeba17e366e1bb5e7d7be156a9be309c9555d
SHA256: 5bf2b70edb78073f3ce4fe6d809a3a25c982cb2840b8ebaf4367ebc42f16bd3e
SHA512: b785f8d680f22211c01cfa59cdf86f1bfdeca0446c1c26fc2c144e3018773d22e4050c95cd513d60df9b226df31dc504b5059db168977b3949dbcc428a7ff30d
SSDEEP: 768:w0VnpiuM0pY1HIlw1VoIGRweBLUab7Fno8wBtA1yR4IY52t9RM8wE4c+Tyb3TRr2:VdpiuM0pY1olaEZLUYg4c+7wvO60ll
Score: 1/10

Target: langs/Danish.ini
Size: 107KB
MD5: 5f50b22de0efb245cd3b8f2fb50a6d3d
SHA1: be369ffd0c47ff92b3aa5c259ab9f4d40807b687
SHA256: 59df77a75aca7c0a8574f6d4b5be5632908c4fea8634f4748e36ff6fee40e317
SHA512: f3fec19409ea564bd68f4bd1253297ed8bcbe86554422a22891c61ee237f581f95f6976512e53bcabc5cafe3411343e660d3fb8f398f95f9c1efcec8eaa4367a
SSDEEP: 1536:gmGRkLzUJnbfeKzcqt5G+qX59CcZEY9dHbm/c4C1CgqfRG:gmGRbnbfNRt5G+qX59CcNdX47G
Score: 1/10