General

  • Target

    8441952734.zip

  • Size

    99KB

  • Sample

    221121-gg15xahh8t

  • MD5

    3ea0ab42bcab5745ba3631f01c4d4cd3

  • SHA1

    9eb457ce8568fa4a4375cdebbf3b181976a99718

  • SHA256

    41d6fb7f590167acde5cb8d7f3c38fcdc0bcc4c33027b594003967b18e761101

  • SHA512

    62a629f3d4b7eb13b93daa34e16f46d480516a8868d4e812981ff8847e024b959b526df94d569fd9bac2e3f934819cc917a936e31c3710a8eb1e63ec0976475d

  • SSDEEP

    1536:M+Ovx10yq8KousTaexxb/nREiXKFBjmSN5bI74xB7iXybvDJujQeoeaP:DOLbKouTkREiXKFBSSN58U8uDJ4/Ny

Score
10/10

Malware Config

Extracted

Path

\??\Z:\WE CAN RECOVER YOUR DATA.txt

Family

buran

Ransom Note
YOUR FILES ARE ENCRYPTED
Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email:
1. Visit qtox.github.io
2. Download and install qTOX on your PC.
3. Open it, click "New Profile" and create profile.
4. Click "Add friends" button and search our contact - DA639EF141F3E3C35EA62FF284200C29FA2E7E597EF150FDD526F9891CED372CBB9AB7B8BEC8 and decrypt one file for free. But this file should be of not valuable!
Do you really want to restore your files?
Write to email: sonickwall@tutanota.com
Your personal ID: 2054B482
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

sonickwall@tutanota.com

Extracted

Path

C:\WE CAN RECOVER YOUR DATA.txt

Family

buran

Ransom Note
YOUR FILES ARE ENCRYPTED
Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email:
1. Visit qtox.github.io
2. Download and install qTOX on your PC.
3. Open it, click "New Profile" and create profile.
4. Click "Add friends" button and search our contact - DA639EF141F3E3C35EA62FF284200C29FA2E7E597EF150FDD526F9891CED372CBB9AB7B8BEC8 and decrypt one file for free. But this file should be of not valuable!
Do you really want to restore your files?
Write to email: sonickwall@tutanota.com
Your personal ID: F2F22DBB
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

sonickwall@tutanota.com

Targets

    • Target

      bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb

    • Size

      189KB

    • MD5

      f1ebb4dbdfc6ec7a53bcefabdc7fb6de

    • SHA1

      b76bc50249e7420ac0f4f64e83d1a58da2068eaa

    • SHA256

      bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb

    • SHA512

      8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788

    • SSDEEP

      3072:t3blGV9hulKmhbfvjv69vF6nHynNPFW7Lifa81Hh7Gl8emNiq8q/f+2L:t3bq9UlKgPuEyNFWSb1Hg6l8q/ffL

    Score
    10/10
    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry: T1012 (2)

  • System Information Discovery: T1082 (3)

  • Peripheral Device Discovery: T1120 (1)

  • Remote System Discovery: T1018 (1)

Command and Control

  • Web Service: T1102 (1)

Tasks