zeppelin | cf96b90b86f6d19c0af108aa0cf1fba8397f86649bde7114c995bae3d81e2a46

General

Target

cf96b90b86f6d19c0af108aa0cf1fba8397f86649bde7114c995bae3d81e2a46
Size

112KB
Sample

221027-ns9dzscafj
MD5

d6f53cafb5dd1db67fbd115d4601a4f8
SHA1

296842e79dc4b3f155d7bec96c40e95a6c074e92
SHA256

cf96b90b86f6d19c0af108aa0cf1fba8397f86649bde7114c995bae3d81e2a46
SHA512

8e5bce1cc935112fba0eb7e571d6f09c3187b18d644cd26052a88b409647ecc4e15e4ebc733c0fb8287fc8941ce8205b136d51605fc56f5af03514881f7739f9
SSDEEP

3072:SLw2vQUT5csD2O+hUAdMGPBKAgkryplnl4l:ZoQm5YO+hp5KAVWDl4l

Score

10^/10

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED!!! We downloaded a lot of sensitive data! employee passports and financial data! All your files, documents, photos, databases and other important files are encrypted. If you do not want the data to be made public! you need to purchase our software! You are not able to decipher it yourself! The only way to recover files is to acquire a unique private key. Only we can give you this key and only we can recover your files. To make sure we have the decryptor and it works, you can send an email to: [email protected] and decrypt one file for free. But this file should not be valuable! Are you sure you want to recover files? Email: [email protected] Reserved email: [email protected] Your personal identifier: 7B5-ECF-F70 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, this may result in permanent data loss. * Decrypting your files with the help of third parties may result in higher prices (they add their commission to ours) or you may become a victim of scammers.

Emails

[email protected]

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED!!! We downloaded a lot of sensitive data! employee passports and financial data! All your files, documents, photos, databases and other important files are encrypted. If you do not want the data to be made public! you need to purchase our software! You are not able to decipher it yourself! The only way to recover files is to acquire a unique private key. Only we can give you this key and only we can recover your files. To make sure we have the decryptor and it works, you can send an email to: [email protected] and decrypt one file for free. But this file should not be valuable! Are you sure you want to recover files? Email: [email protected] Reserved email: [email protected] Your personal identifier: 140-6FD-524 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, this may result in permanent data loss. * Decrypting your files with the help of third parties may result in higher prices (they add their commission to ours) or you may become a victim of scammers.

Emails

[email protected]

Targets

- Target
  
  9999.exe
- Size
  
  211KB
- MD5
  
  985d95919b67d3b791dab3ca373d5fdf
- SHA1
  
  d2705558b3096ac3165e90eac19da099f0d23fe8
- SHA256
  
  a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0
- SHA512
  
  c4e5036e933e3821f73b9cde6eea799c9fded8d18c313c91305f909402586205afae79505e9aad24219acff9ca49321c476289dc1362677159ab6b591bc48047
- SSDEEP
  
  6144:Yia1gMHHPDWImID8X/4DQFu/U3buRKlemZ9DnGAetTfd1JpLQ+:YIMHv6PID84DQFu/U3buRKlemZ9DnGAq
Score

10^/10

zeppelin persistence ransomware
- Detects Zeppelin payload
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
  ransomware zeppelin
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2