Overview

overview

10

Static

static

b8ee83f09c...e0.exe

windows7-x64

10

b8ee83f09c...e0.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b8ee83f09c15c7a11f5c0a7fa686cf0cfa7f561e8d7d9dfb303cbfc2bce246e0

  • Size

    939KB

  • Sample

    221126-rhb8aahg75

  • MD5

    d9b017b1800c44d367ff21125a528d17

  • SHA1

    c01d613dc8bf2e251b7d3e6180e01895f175697c

  • SHA256

    b8ee83f09c15c7a11f5c0a7fa686cf0cfa7f561e8d7d9dfb303cbfc2bce246e0

  • SHA512

    9a0b22b4ff1f73a64e39c94a47eb8d1eabd13e6909add29d921130b1549b65a806fd8b62e2e30f1fc1e882f6ba44f23b2f664428b82ffc7a6566fc9d322e01a9

  • SSDEEP

    24576:+/5UCvsU0yUU1Rm2k/gqTT8MfECZPcxvSD:EeCvszrU1HCg0TcCZP/D

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tswflmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. JFXKG6Y-MPOHA2W-CGL3N45-A5UHDTS-4LCAMV6-OXCE7DH-7SHGQ3J-IAYGW6N WMBLFAB-NRVRJ73-6LS5BLC-CWJYRPQ-JSN76U5-HTW4IUB-O7VECON-J3IO6RG A7LOSS4-OMXKZ7J-7222MAP-NFLGJBQ-MPXTH6L-LPXHC4J-NWISC4S-KUR5KAQ Follow the instructions on the server.
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-tswflmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. JFXKG6Y-MPOHA2W-CGL3N45-A5UHDTS-4LCAMV6-OXCE7DH-7SHGQ3J-IAYGW6N WMBLFAB-NRVRJ73-6LS5BLC-CWJYRPQ-JSN76U5-HTW4IUB-O7VECON-J3IO6RG A7LOSS4-OMXKZ7J-7222MAP-NFLGJBQ-MPXT7PL-DWXHC4J-NWISC4S-KUR5FAB Follow the instructions on the server.
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Targets

    • Target

      b8ee83f09c15c7a11f5c0a7fa686cf0cfa7f561e8d7d9dfb303cbfc2bce246e0

    • Size

      939KB

    • MD5

      d9b017b1800c44d367ff21125a528d17

    • SHA1

      c01d613dc8bf2e251b7d3e6180e01895f175697c

    • SHA256

      b8ee83f09c15c7a11f5c0a7fa686cf0cfa7f561e8d7d9dfb303cbfc2bce246e0

    • SHA512

      9a0b22b4ff1f73a64e39c94a47eb8d1eabd13e6909add29d921130b1549b65a806fd8b62e2e30f1fc1e882f6ba44f23b2f664428b82ffc7a6566fc9d322e01a9

    • SSDEEP

      24576:+/5UCvsU0yUU1Rm2k/gqTT8MfECZPcxvSD:EeCvszrU1HCg0TcCZP/D

    Score
    10/10
    ctblockerransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks