ctblocker | 0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303

General

Target

0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303
Size

748KB
Sample

221126-qbdbbsed63
MD5

233f3620139e38ec5ae44f2ea73b2122
SHA1

4e582a1411167b7eb59633fe3102c4c1cd19b92f
SHA256

0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303
SHA512

76764469bf253fe56a8c9d543ce327b4bdb60a058041dcd97ceebc9d47999e47221326315d7616fb04dd19376ed64a7857f6f06ce7fa7fbcb841873044262593
SSDEEP

12288:geWzt13drPsKlgTA0Ow/WnX5m9stu1EgpU55jgG4HdRUdWQiHL:gee4KCOznX5R4KgQ5RBC

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-kfkizxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 67CLYI7-WMSQVTZ-IXA2UUB-X4WOHZ2-7ZO4HWO-SKGMPDT-AFZOFJL-GEKR3EU 3HFVE35-GZY53SA-AZDUJDF-X3TBBB7-AYGJLXA-3ZYFB5A-ZDBOEJF-WSJCWVC 5UQUUVL-RG55OCL-ONDL5GU-ULUFNIR-6F35MAX-WNJUXVF-IZP5HSO-D7K73BF Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-kfkizxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 67CLYI7-WMSQVTZ-IXA2UUB-X4WOHZ2-7ZO4HWO-SKGMPDT-AFZOFJL-GEKR3EU 3HFVE35-GZY53SA-AZDUJDF-X3TBBB7-AYGJLXA-3ZYFB5A-ZDBOEJF-WSJCWVC 5UQUUVL-RG55OCL-ONDL5GU-ULUFNIR-6F35YSX-OWJUXVF-IZP5HSO-D7KP4RN Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Targets

- Target
  
  0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303
- Size
  
  748KB
- MD5
  
  233f3620139e38ec5ae44f2ea73b2122
- SHA1
  
  4e582a1411167b7eb59633fe3102c4c1cd19b92f
- SHA256
  
  0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303
- SHA512
  
  76764469bf253fe56a8c9d543ce327b4bdb60a058041dcd97ceebc9d47999e47221326315d7616fb04dd19376ed64a7857f6f06ce7fa7fbcb841873044262593
- SSDEEP
  
  12288:geWzt13drPsKlgTA0Ow/WnX5m9stu1EgpU55jgG4HdRUdWQiHL:gee4KCOznX5R4KgQ5RBC
Score

10^/10

ctblocker ransomware
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
  ransomware ctblocker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2