General
Target: Trojan.Win32.Fsysna.gafh-d9d01bff3bf98b37793eb9d74e713cc340b7d9ad40d0c6437f422c41fca73364.exe
Size: 834KB
Sample: 220924-lm78mabab3
MD5: 20b61a16f732ba0646ff501f37ce4e4e
SHA1: 8668c2041ebd9e56c1c4e14a4164569922729c35
SHA256: d9d01bff3bf98b37793eb9d74e713cc340b7d9ad40d0c6437f422c41fca73364
SHA512: 9dd12047b7b020d4be9f2eea4196502750d38652cc287dbae1355277e7047a74f421fe910e2ebd2eb4634e07a00a4ded70e0ceb2540d34e18ba7b63eaba91f3f
SSDEEP: 24576:XmqE0fhdkphXlbKmL6P3t7uv8gOkwtTXIWO:XzAhfsd7uB7wtT
Static task: static1
Behavioral task: behavioral1
Sample: Trojan.Win32.Fsysna.gafh-d9d01bff3bf98b37793eb9d74e713cc340b7d9ad40d0c6437f422c41fca73364.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: Trojan.Win32.Fsysna.gafh-d9d01bff3bf98b37793eb9d74e713cc340b7d9ad40d0c6437f422c41fca73364.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted ransom note, dropped at two paths:
C:\Users\Admin\Fix_ReadMe.txt
C:\Users\Admin\Desktop\Fix_ReadMe.txt
Contact e-mail: CryptoLocky_123456@protonmail.com
Payment address (Bitcoin P2SH format): 34gkQtAhK9jDDRy7SWTLsnzRmubv7yRhDv
The same e-mail and payment address were extracted from every note (the report lists four extractions, which are two identical pairs).
Targets
Target: Trojan.Win32.Fsysna.gafh-d9d01bff3bf98b37793eb9d74e713cc340b7d9ad40d0c6437f422c41fca73364.exe (834KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
Score: 10/10
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files; a bulk rename of user documents to one unfamiliar extension is the behavioural tell to alert on.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence (on Windows this is typically the GeoID under HKCU\Control Panel\International\Geo\Nation). Samples with such a check may refuse to run in some locales, so detonation results can depend on the guest's configured region.
Adds Run key to start application
Persistence through a registry Run key, so the payload is relaunched at user logon; the report does not record the key name or value.
Legitimate hosting services abused for malware hosting/C2
The report does not identify the hosting service involved.
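An IOC sweep built from the indicators in this report, as an added example (it is not part of the sandbox report and not code from the sample): it hashes every file under a directory against the MD5/SHA1/SHA256 above and flags Fix_ReadMe.txt notes that carry the extracted e-mail or payment address. The directory tree and note text written by demo() are constructed here, and the regex for a legacy/P2SH Bitcoin address is an assumption about the address format, not something the report states.

```python
"""IOC sweep for the Fsysna.gafh sample in the report above.

Added example, not part of the sandbox report. Hash values, the note
file name, the e-mail and the payment address are copied from the report;
the files written by demo() are constructed and are not the malware.
"""
import hashlib
import io
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the report.
SAMPLE_HASHES = {
    "md5": "20b61a16f732ba0646ff501f37ce4e4e",
    "sha1": "8668c2041ebd9e56c1c4e14a4164569922729c35",
    "sha256": "d9d01bff3bf98b37793eb9d74e713cc340b7d9ad40d0c6437f422c41fca73364",
}
RANSOM_NOTE_NAME = "Fix_ReadMe.txt"
CONTACT_EMAIL = "CryptoLocky_123456@protonmail.com"
BTC_ADDRESS = "34gkQtAhK9jDDRy7SWTLsnzRmubv7yRhDv"

# Generic patterns so a note with a rotated mailbox or wallet is still
# surfaced; exact matches against the report's values are reported separately.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumption: legacy (1...) or P2SH (3...) Bitcoin address, base58, 25-34 chars.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{24,33}\b")


def hash_stream(fh):
    """MD5/SHA1/SHA256 of a binary stream, read in 64 KiB chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in iter(lambda: fh.read(1 << 16), b""):
        for h in digests.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in digests.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def matches_sample(path):
    """Names of the algorithms whose digest equals the report's value (empty if none)."""
    digests = hash_file(path)
    return [alg for alg, val in digests.items() if val == SAMPLE_HASHES[alg]]


def parse_ransom_note(text):
    """Pull e-mail and wallet strings from a note and compare with the known IOCs."""
    emails = set(EMAIL_RE.findall(text))
    wallets = set(BTC_RE.findall(text))
    return {
        "emails": sorted(emails),
        "wallets": sorted(wallets),
        "known_email": CONTACT_EMAIL in emails,
        "known_wallet": BTC_ADDRESS in wallets,
    }


def sweep(root):
    """Walk root; return (kind, path, detail) hits for ransom notes and hash matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE_NAME.lower():
                info = parse_ransom_note(p.read_text(errors="replace"))
                hits.append(("ransom_note", str(p), info))
            else:
                algs = matches_sample(p)
                if algs:
                    hits.append(("sample_hash", str(p), algs))
    return hits


def demo():
    """Constructed tree: a fake note using the report's contact data plus a benign file."""
    root = Path(tempfile.mkdtemp())
    (root / "Desktop").mkdir()
    (root / "Desktop" / RANSOM_NOTE_NAME).write_text(
        f"Your files are encrypted.\nContact {CONTACT_EMAIL}\nPay to {BTC_ADDRESS}\n"
    )
    (root / "notes.txt").write_text("quarterly report")  # benign, must not match
    return sweep(root)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(kind, path, detail)
```

Run it against a mounted image or a user profile root rather than the demo directory to triage a real host; the hash check only catches the exact file from this report, while the note parser still surfaces variants that rotated the mailbox or wallet.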