dharma

General

Target

b3984a2de76eee3ad20c4b13e0c0cbbab2dd6db65e3f6ca34418e79c21cf5c39.exe
Size

92KB
Sample

230113-m76qzacb4z
MD5

b178705190001fcb012000eed9ba33d2
SHA1

db6d85f58ad3e6ebb62d92be1dbe7741023a1e7b
SHA256

b3984a2de76eee3ad20c4b13e0c0cbbab2dd6db65e3f6ca34418e79c21cf5c39
SHA512

b099931aececa1f2468140da13bf8defa9075f812919acc7d9f36d8c2e5d201f2282d02238a4b77dd6c70001c3583dd0581e84bfa2bccc6add13f48c4ec28306
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4A25CONwm4+SCuIlzbU4l5c4Ci/6:Qw+asqN5aW/hLSNwi/xY4lu4Ci

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED 1024 Don't worry, you can return all your files! If you want to restore them, write to the mail: snowwind@tutanota.com YOUR ID snowwind@msgsafe.io ATTENTION! We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

snowwind@tutanota.com

snowwind@msgsafe.io

Targets

- Target
  
  b3984a2de76eee3ad20c4b13e0c0cbbab2dd6db65e3f6ca34418e79c21cf5c39.exe
- Size
  
  92KB
- MD5
  
  b178705190001fcb012000eed9ba33d2
- SHA1
  
  db6d85f58ad3e6ebb62d92be1dbe7741023a1e7b
- SHA256
  
  b3984a2de76eee3ad20c4b13e0c0cbbab2dd6db65e3f6ca34418e79c21cf5c39
- SHA512
  
  b099931aececa1f2468140da13bf8defa9075f812919acc7d9f36d8c2e5d201f2282d02238a4b77dd6c70001c3583dd0581e84bfa2bccc6add13f48c4ec28306
- SSDEEP
  
  1536:mBwl+KXpsqN5vlwWYyhY9S4A25CONwm4+SCuIlzbU4l5c4Ci/6:Qw+asqN5aW/hLSNwi/xY4lu4Ci
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2