General
- Target: acbc86b4d8068db472463de8b9c6d50809307af594cbd056feb0f19961f9462c
- Size: 360KB
- Sample: 221128-kzksesbe26
- MD5: 15130b436ed87bd0973a4d346cc97f35
- SHA1: ce60d23f48664b2882e61562e7dec5c8480502b5
- SHA256: acbc86b4d8068db472463de8b9c6d50809307af594cbd056feb0f19961f9462c
- SHA512: 8f568d962666ab94aac8401b3218ca8e40957d69c35d63c63ba9a59295f76612fc6e60cdda6b5fdeef7d9adece38cd0cb39b0946ca16d2b5ebf1750473d4c0a0
- SSDEEP: 6144:Jy2BDEfHtIs1AeVh4kjINbvI5pwUGGXGPeT3LvHyvMNGyoN0zM5GuObOuNAvwu:REGs1Zj4kjINbSwU3Lzyv7y9eObOmAvB
Static task: static1
Behavioral task: behavioral1
- Sample: acbc86b4d8068db472463de8b9c6d50809307af594cbd056feb0f19961f9462c.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: acbc86b4d8068db472463de8b9c6d50809307af594cbd056feb0f19961f9462c.exe
- Resource: win10v2004-20220901-en
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\_RECOVERY_+wllkk.txt
Family: teslacrypt
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6787E10DB9C3ABC
- http://tes543berda73i48fsdfsd.keratadze.at/6787E10DB9C3ABC
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6787E10DB9C3ABC
- http://xlowfznrg4wf7dli.ONION/6787E10DB9C3ABC
Extracted from: C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\_RECOVERY_+equqc.txt
Family: teslacrypt
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/CA241907DECF1
- http://tes543berda73i48fsdfsd.keratadze.at/CA241907DECF1
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CA241907DECF1
- http://xlowfznrg4wf7dli.ONION/CA241907DECF1
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\_RECOVERY_+equqc.html
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/CA241907DECF1
- http://tes543berda73i48fsdfsd.keratadze.at/CA241907DECF1
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CA241907DECF1
- http://xlowfznrg4wf7dli.onion/CA241907DECF1
Targets
Score: 10/10
- TeslaCrypt, AlphaCrypt: Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Executes dropped EXE
- Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Adds Run key to start application