Resubmissions

24/10/2022, 14:59

221024-sczbashcfl 10

02/06/2020, 00:13

200602-s5zbncbaen 9

General

  • Target

    de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

  • Size

    6.0MB

  • Sample

    221024-sczbashcfl

  • MD5

    df472f90c33e6c341a74fe1ca29dac70

  • SHA1

    d7512488de06b677751014bdc48302c179542558

  • SHA256

    de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e

  • SHA512

    4257e88d9c6f5eec59d1da6749c386b3859be04159ec37aba2adb3704e5f2ce11ef3adfb086b86d1bea03db300e1d82cab08f266cf6fae4d8f929e71918ddcf9

  • SSDEEP

    196608:6lwfwLOxsdCZOGdRc7lg6MzQk67CU94Dy0q7:wnmF8O+9SQVCU9420a

Malware Config

Extracted

Path

C:\# How To Decrypt Files #.hta

Ransom Note
ALL YOUR FILES HAS BEEN ENCRYPTED!!!
has been encrypted by FonixCrypter using strong cryptography algorithms Salsa20 and RSA 4098
Decryption key is hold in our server !!
Recovery tools and other software will not help you !!
The only way to receive your key and decrypt your files is the payment with bitcoin
You have to 48 hours(2 Day) To contact or paying us After that, you have to Pay Double!!
Our Email = [email protected]
in case of no answer in 24 hours write us to this Email = [email protected]
if you don't know how to buy bitcoin you can use this link https://www.coindesk.com/information/how-can-i-buy-bitcoins
the easiest way to buy bitcoin is localBitcoins https://localbitcoins.com/
Note: Before payment, you can contact with us and send 1 free small file (size less 2Mb) as decryption test
The test files shouldn't contain valuable data like large SQL or Backup files.
ATTENTIONS :
- Don't delete any files or rename encrypted files
- If you using other applications to decrypt, it may damage your files
- Don't find your backups? they have been Successfully encrypted too or securly wiped.
Regards-FonixTeam

Targets

    • Target

      de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

    • Size

      6.0MB

    • MD5

      df472f90c33e6c341a74fe1ca29dac70

    • SHA1

      d7512488de06b677751014bdc48302c179542558

    • SHA256

      de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e

    • SHA512

      4257e88d9c6f5eec59d1da6749c386b3859be04159ec37aba2adb3704e5f2ce11ef3adfb086b86d1bea03db300e1d82cab08f266cf6fae4d8f929e71918ddcf9

    • SSDEEP

      196608:6lwfwLOxsdCZOGdRc7lg6MzQk67CU94Dy0q7:wnmF8O+9SQVCU9420a

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables Task Manager via registry modification

      Typically done by setting the DisableTaskMgr policy value, so the user cannot kill the encryption process by hand.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Adds Run key to start application

      Persistence via the Windows Run registry key, so the payload is launched again at logon.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Anti-analysis: calling NtSetInformationThread with the ThreadHideFromDebugger information class hides the thread from an attached debugger.
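
The behaviours listed above map onto host telemetry a defender can alert on. As an added example (not part of this report, and not taken from the sandbox's own rules), the Python below runs a few detection rules over constructed Sysmon-style records: shadow copy deletion via a process command line, the DisableTaskMgr and Run key registry writes, a file dropped in the Startup folder, and the ransom note path from the report. The event records, the process path C:\Users\victim\sample.exe and the rule names are assumptions made for the example; only the ransom note filename comes from the page.

```python
"""Toy detection pass for the ransomware behaviours listed in the report.

Runs a handful of rules over constructed Sysmon-style event records
(process creation, registry value set, file creation). The events are
made up for this example; field names follow Sysmon's conventions
(Image, ParentImage, CommandLine, TargetObject, Details, TargetFilename).
"""
import json
import re

# Sysmon event IDs used by the rules below
PROCESS_CREATE = 1
FILE_CREATE = 11
REGISTRY_SET = 13

# Constructed sample events (assumed, not from the sandbox run on this page).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Users\\victim\\sample.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 13, "Image": "C:\\Users\\victim\\sample.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Users\\victim\\sample.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\victim\\AppData\\Roaming\\sample.exe"},
    {"EventID": 11, "Image": "C:\\Users\\victim\\sample.exe",
     "TargetFilename": "C:\\# How To Decrypt Files #.hta"},   # note path from the report
    {"EventID": 11, "Image": "C:\\Users\\victim\\sample.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sample.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe C:\\Users\\victim\\notes.txt"},  # benign control
]

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RANSOM_NOTE = re.compile(r"how to decrypt", re.I)


def classify(event):
    """Return the name of the rule an event matches, or None."""
    eid = event.get("EventID")
    if eid == PROCESS_CREATE and SHADOW_DELETE.search(event.get("CommandLine", "")):
        return "deletes_shadow_copies"
    if eid == REGISTRY_SET:
        target = event.get("TargetObject", "")
        if target.lower().endswith("\\disabletaskmgr") and "0x00000001" in event.get("Details", ""):
            return "disables_task_manager"
        if RUN_KEY.search(target):
            return "adds_run_key"
    if eid == FILE_CREATE:
        path = event.get("TargetFilename", "")
        if STARTUP_DIR.search(path):
            return "drops_startup_file"
        if RANSOM_NOTE.search(path) and path.lower().endswith((".hta", ".txt", ".html")):
            return "drops_ransom_note"
    return None


def responsible_image(event):
    """Attribute a process-creation event to its parent (the spawner), others to Image."""
    if event.get("EventID") == PROCESS_CREATE:
        return event.get("ParentImage", event.get("Image"))
    return event.get("Image")


def detect(events):
    """Run every rule over the events; return one finding per matching event."""
    findings = []
    for ev in events:
        rule = classify(ev)
        if rule:
            findings.append({"rule": rule, "image": responsible_image(ev), "event": ev})
    return findings


def suspect_images(findings, threshold=3):
    """Group findings by responsible process; return images showing >= threshold distinct behaviours."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f["image"], set()).add(f["rule"])
    return {img: sorted(rules) for img, rules in by_image.items() if len(rules) >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    print(json.dumps([{"rule": h["rule"], "image": h["image"]} for h in hits], indent=2))
    print("suspects:", json.dumps(suspect_images(hits), indent=2))
```

The threshold in suspect_images is the point of the example: any one rule (a Run key write, a vssadmin invocation by an admin) fires on benign activity, but several of these behaviours from the same process within one run is the ransomware profile the report describes.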

MITRE ATT&CK Enterprise v6

Tasks