General
-
Target
10106272231.zip
-
Size
2.8MB
-
Sample
230414-yhk9hsda7v
-
MD5
bcbccf230350d9f446b5564f7be94661
-
SHA1
5684ad2f6f7d0388694b9d6a4430da55d6e78140
-
SHA256
5592c91362b538d7592216ec062b518a587f25e192c935c92d1346a8325845e7
-
SHA512
c75202442c6337bf38ffa22c7ea653aedffb3e0f3baaad2a37674fa41f877dcc00c7469da62fa01f00906d141abad2558e7579bd9e5094365d9915efbd23523c
-
SSDEEP
49152:d83AOWdsAJy2Qmi5QXiRzTRHWcaoEWMOwVupk6y9GUbqpFEUwj3y2UACSjoxZ:6w5dZJnWKi9TR2NUwBvtqw3Slpz
Behavioral task
behavioral1
Sample
f6108f33ce141564f1989471bd4e9747a1bc37e6c7d242caa3163a4495c85b8a.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
f6108f33ce141564f1989471bd4e9747a1bc37e6c7d242caa3163a4495c85b8a.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
agenda
-
company_id
MmXReVIxLV
-
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: MmXReVIxLV Domain: ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion login: 6f031ccd-526a-4806-82a8-2e7d926243d4 password:
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
https://www.getmonero.org/
https://qtox.github.io/
https://wiki.bitmessage.org/
https://github.com/Bitmessage/PyBitmessage/releases/
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
https://www.getmonero.org/
https://qtox.github.io/
https://wiki.bitmessage.org/
https://github.com/Bitmessage/PyBitmessage/releases/
Targets
-
-
Target
f6108f33ce141564f1989471bd4e9747a1bc37e6c7d242caa3163a4495c85b8a
-
Size
9.3MB
-
MD5
743d9d9b3c39206b0a2de0dbb107fb7d
-
SHA1
bdff586c4ae0366813335569427b1aeda2815808
-
SHA256
f6108f33ce141564f1989471bd4e9747a1bc37e6c7d242caa3163a4495c85b8a
-
SHA512
574402c7f2eff1fdb8edcfc7a78cf741aeb20bd4775db792d44e74156e926c8e143c106623f2f024be20bd28ab46159e18b540862c4a22581c3c17ac2eb5b17c
-
SSDEEP
98304:4fXT9wuCHGLu1TIRtUOV5ZbvoVUq+kScfFbUs:NuCmTRtnvoVUq+6fFbL
Score10/10-
Downloads MZ/PE file
-
Downloads PsExec from SysInternals website
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Drops desktop.ini file(s)
-