ctblocker | f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

General

Target

f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
Size

772KB
Sample

221029-tcq6csdbd6
MD5

95f60b5b36d63307d83e3f3de9675a1d
SHA1

da733991d9618b3a3bb5cc503ba0e860f1e8ea29
SHA256

f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
SHA512

de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff
SSDEEP

12288:6sFxcCZxPEWJNy93q0DWm9+X6MSUJKzR9wz2U7qdyys2he3gxNMlKglt8RsrtUvy:bHP7gqXpKGNehe3x3r8CU

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-iulhzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. LYMHTMO-7NQCIIB-HDVZFHB-V6KJF4N-GNVBSN3-SKEQCTW-YLISOLR-JQY3U7D SK6WYP7-NOKIZBY-KHOYWDL-E7DLWEF-WP4O6CL-36T7VVZ-CFUXDVF-K44XGKL 5KAW3NM-ULDE2GG-Z2JNJ6J-GAIMGTI-RHQJBCP-77IYB3S-NTOEVS7-JI6EONR Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-iulhzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. LYMHTMO-7NQCIIB-HDVZFHB-V6KJF4N-GNVBSN3-SKEQCTW-YLISOLR-JQY3U7D SK6WYP7-NOKIZBY-KHOYWDL-E7DLWEF-WP4O6CL-36T7VVZ-CFUXDVF-K44XGKL 5KAW3NM-ULDE2GG-Z2JNJ6J-GAIMGTI-RHQJASP-HHIYB3S-NTOEVS7-JI6EQJT Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Targets

- Target
  
  f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
- Size
  
  772KB
- MD5
  
  95f60b5b36d63307d83e3f3de9675a1d
- SHA1
  
  da733991d9618b3a3bb5cc503ba0e860f1e8ea29
- SHA256
  
  f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
- SHA512
  
  de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff
- SSDEEP
  
  12288:6sFxcCZxPEWJNy93q0DWm9+X6MSUJKzR9wz2U7qdyys2he3gxNMlKglt8RsrtUvy:bHP7gqXpKGNehe3x3r8CU
Score

10^/10

ctblocker ransomware
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
  ransomware ctblocker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2