quantum | hxxps://www[.]google[.]com/search?q=quantum+ransomware+sample

General

Target

https://www.google.com/search?q=quantum+ransomware+sample
Sample

230407-tgtgaabe7z

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

USA

C2

109.107.191.169:34067

Attributes

auth_value
efb1b17e182f1e7cdb54a3e91436c48c

Extracted

Path

C:\Users\Admin\3D Objects\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <pre> 9064d8b148a0f19a9e3598a6e0b0aeb16d39de856d2a9249164eefdf45b6ef48 </pre> <hr/> This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. <a href="http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb16d39de856d2a9249164eefdf45b6ef48">http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb16d39de856d2a9249164eefdf45b6ef48</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Targets

- Target
  
  https://www.google.com/search?q=quantum+ransomware+sample
Score

10^/10

quantum redline usa discovery infostealer persistence ransomware spyware stealer
- Quantum Ransomware
  A rebrand of the MountLocker ransomware first seen in August 2021.
  ransomware quantum
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1