General

  • Target

    f83fb9ce6a83da58b20685c1d7e1e546.zip.zip

  • Size

    417KB

  • Sample

    221231-s44p4ahg98

  • MD5

    5f5e0c106041d9a391d1be6671dc82f3

  • SHA1

    aa43e1ecc45a4ae28642235b9f1e891a78f54e65

  • SHA256

    120ed7339a50b5d82ffa35bb5abf29d73957cdbfa99af83721533f5f8c238bf7

  • SHA512

    4e3b61b8830d03a1b1562c251ed498ef64d9d014cf8a30d8ef6b469d81f4eaa72a095edb02f165ca7462d62c4cbfa70129169df59fedf6ce825d1fef7c45d607

  • SSDEEP

    6144:Rc6PYa7JJKz3zZi8qAFEa4KCJl8LNci8IeAxWidb85XF0MCVphibcC2bzt9CcaNs:u6Lk3dFEdj8YzcbOQplC2ftZ+HM

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note
Maze ransomware

*********************************************************************************************************************

Attention! Your documents, photos, databases, and other important files have been encrypted!

*********************************************************************************************************************

What is going on?
Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system

You can read more about this cryptosystem here: https://en.wikipedia.org/wiki/RSA_(cryptosystem)

The only way to recover (decrypt) your files is to buy decryptor with the unique private key

Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!

By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.

In order to either buy the private key or make test decryption contact us via email:
Main e-mail: koreadec@tutanota.com
Reserve e-mail: yourrealdecrypt@airmail.cc

Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies

If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one

Below you will see a big base64 blob, you will need to email us and copy this blob to us.
you can click on it, and it will be copied into the clipboard.

If you have troubles copying it, just send us the file you are currently reading, as an attachment.

Base64:
Emails

koreadec@tutanota.com

yourrealdecrypt@airmail.cc

Extracted

Path

C:\Users\Public\Desktop\DECRYPT-FILES.html

Emails

koreadec@tutanota.com

yourrealdecrypt@airmail.cc

Extracted

Path

C:\DECRYPT-FILES.html

Emails

koreadec@tutanota.com

yourrealdecrypt@airmail.cc

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\DECRYPT-FILES.html

Emails

koreadec@tutanota.com

yourrealdecrypt@airmail.cc

Targets

    • Target

      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

    • Size

      473KB

    • MD5

      f83fb9ce6a83da58b20685c1d7e1e546

    • SHA1

      01c459b549c1c2a68208d38d4ba5e36d29212a4f

    • SHA256

      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684

    • SHA512

      934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396

    • SSDEEP

      12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Maze

      Ransomware family also known as ChaCha.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder: T1060 (1)

Defense Evasion

  • File Deletion: T1107 (1)
  • Modify Registry: T1112 (3)

Credential Access

  • Credentials in Files: T1081 (1)

Discovery

  • Query Registry: T1012 (1)
  • System Information Discovery: T1082 (1)

Collection

  • Data from Local System: T1005 (1)

Impact

  • Inhibit System Recovery: T1490 (1)
  • Defacement: T1491 (1)

Tasks