General
-
Target
fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.zip
-
Size
29KB
-
Sample
230420-ssddrscf5z
-
MD5
0f025715a5cb507fc46a4df12cfa74d4
-
SHA1
f8b2c1eb3d8c77aa3dd57e5b86018d10c2f5c4fc
-
SHA256
2f3446c2b663193e85c11e08af62a74abc28b44ed3d43f815b78b22dd4a25c35
-
SHA512
43d18b7885e3dff68f6f42737717b2bfa9ca4756ac813be077d2c119936ccf7cdd319c20f24cda2733dbb1857be4bb5b1d793674f5424c1a9bc36ed8d25670d9
-
SSDEEP
384:cGTTnA+Q+BN166R5aeGxlEmeaX+4nsPpU8vP2T+jdoCFuj4mfuCMG8Isrlde:RTsWHplmvnsxUEP6Ko4mfHlx
Score
10/10
Malware Config
Extracted
Path
C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������15 BF AB 86 5C 9E 24 AF 2C 72 EB AE 9F 3F 33 FF
1C B7 28 B4 48 04 77 69 6E A8 EA 0B A4 BB 79 52
71 D4 49 E5 F9 40 F8 4F 88 A9 44 A4 E3 D8 E8 A8
0E 0F 50 B2 54 9A 73 6B 6A 93 AC BF 1F 2E D2 E7
B7 9D 6C 02 27 C6 20 50 8E 9E 25 48 60 2D 87 F8
56 63 3D A6 81 F0 24 E7 D7 24 A0 30 3F EE 3B 96
64 34 C9 F5 20 63 86 E4 7C 4E 69 58 71 1D E8 82
20 46 E2 72 0E B5 F1 DF EF 03 C8 C7 B9 EA 91 CF
88 0C 0D CC C8 55 BD 85 83 7E B5 BB 79 01 F4 E2
19 A9 8E 35 5F 6B 2A 5D AB C8 CB 3B 4F 8B 84 B2
1C 1A 40 FE 59 38 7B 26 15 8E 4E 07 BB ED 60 6E
EC 3B AD 03 66 6D D6 97 B9 A7 6B C8 48 59 74 BD
81 3D 94 39 4E E9 9F E8 22 CA D4 A5 42 C1 88 82
B0 6C 80 BB D8 24 7B 93 E0 57 CF 16 DF CF B3 40
8C 42 93 53 A5 BE 91 49 46 3B 69 C5 87 97 95 95
00 E0 13 FA DA E5 18 03 70 BF C7 0E AE 5C B7 DC
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Extracted
Path
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\how_to_back_files.html
Family
medusalocker
Ransom Note
Your personal ID:
����������15 BF AB 86 5C 9E 24 AF 2C 72 EB AE 9F 3F 33 FF 1C B7 28 B4 48 04 77 69 6E A8 EA 0B A4 BB 79 52 71 D4 49 E5 F9 40 F8 4F 88 A9 44 A4 E3 D8 E8 A8 0E 0F 50 B2 54 9A 73 6B 6A 93 AC BF 1F 2E D2 E7 B7 9D 6C 02 27 C6 20 50 8E 9E 25 48 60 2D 87 F8 56 63 3D A6 81 F0 24 E7 D7 24 A0 30 3F EE 3B 96 64 34 C9 F5 20 63 86 E4 7C 4E 69 58 71 1D E8 82 20 46 E2 72 0E B5 F1 DF EF 03 C8 C7 B9 EA 91 CF 88 0C 0D CC C8 55 BD 85 83 7E B5 BB 79 01 F4 E2 19 A9 8E 35 5F 6B 2A 5D AB C8 CB 3B 4F 8B 84 B2 1C 1A 40 FE 59 38 7B 26 15 8E 4E 07 BB ED 60 6E EC 3B AD 03 66 6D D6 97 B9 A7 6B C8 48 59 74 BD 81 3D 94 39 4E E9 9F E8 22 CA D4 A5 42 C1 88 82 B0 6C 80 BB D8 24 7B 93 E0 57 CF 16 DF CF B3 40 8C 42 93 53 A5 BE 91 49 46 3B 69 C5 87 97 95 95 00 E0 13 FA DA E5 18 03 70 BF C7 0E AE 5C B7 DC
/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!
Your files are safe! Only modified. (RSA+AES)
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to
solve your problem.
We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..
We only seek money and our goal is not to damage your reputation or prevent
your business from running.
You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.
Contact us for price and get decryption software.
qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
* Note that this server is available via Tor browser only
Follow the instructions to open the link:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
4. Start a chat and follow the further instructions.
If you can not use the above link, use the email:
[email protected]
[email protected]
* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.
Extracted
Path
C:\Users\Public\Music\Sample Music\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������28 89 19 87 44 DF B0 9E E3 4B E7 F1 DB 5A E2 15
09 F1 4C 21 4E E9 9D 0E F6 EE D3 05 12 E4 AA 7B
16 42 6A D1 10 E0 E8 14 C2 ED CC AD 14 3F A3 B4
3A 3D 0D B3 69 37 9B 68 8C 7F CF 91 4F 38 29 67
A0 D8 64 C9 37 08 AC 61 1E 05 E5 6E 58 79 93 35
94 BA 98 AA 03 DF 01 D4 67 4E B0 25 2A 63 1F BB
D6 6F 21 4D B4 25 2D A3 EE 91 11 BA 46 3A B8 C5
7A F1 9F 69 06 5A 9D D0 44 47 B2 9F 5B E2 4B 80
84 AD 9D BA 10 31 E1 7B 66 CC 1F A5 A6 49 71 A9
51 7E 06 2C 9E 72 71 D1 56 11 C6 1F 60 05 5F BD
D7 BE 6B 7E 9D BE 2F E4 68 72 9F AB CF EF 41 A4
92 CE 2B 81 22 A5 1B 52 BB C1 E9 78 53 BE 50 FE
7A D3 2F 3C 9B 2E F1 FB C4 79 40 DB DA 91 2C D8
36 A7 59 55 8F 27 9B 9D 98 22 52 66 CF 9E C5 91
FE 23 CE 8E D4 E8 A7 BA C1 9A 9E FC C7 8A 5C F0
03 7B 6D 88 3B 44 66 9F C8 EC 05 6A CD 9A 39 C4
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Extracted
Path
C:\Users\Public\Desktop\how_to_back_files.html
Family
medusalocker
Ransom Note
Your personal ID:
����������28 89 19 87 44 DF B0 9E E3 4B E7 F1 DB 5A E2 15 09 F1 4C 21 4E E9 9D 0E F6 EE D3 05 12 E4 AA 7B 16 42 6A D1 10 E0 E8 14 C2 ED CC AD 14 3F A3 B4 3A 3D 0D B3 69 37 9B 68 8C 7F CF 91 4F 38 29 67 A0 D8 64 C9 37 08 AC 61 1E 05 E5 6E 58 79 93 35 94 BA 98 AA 03 DF 01 D4 67 4E B0 25 2A 63 1F BB D6 6F 21 4D B4 25 2D A3 EE 91 11 BA 46 3A B8 C5 7A F1 9F 69 06 5A 9D D0 44 47 B2 9F 5B E2 4B 80 84 AD 9D BA 10 31 E1 7B 66 CC 1F A5 A6 49 71 A9 51 7E 06 2C 9E 72 71 D1 56 11 C6 1F 60 05 5F BD D7 BE 6B 7E 9D BE 2F E4 68 72 9F AB CF EF 41 A4 92 CE 2B 81 22 A5 1B 52 BB C1 E9 78 53 BE 50 FE 7A D3 2F 3C 9B 2E F1 FB C4 79 40 DB DA 91 2C D8 36 A7 59 55 8F 27 9B 9D 98 22 52 66 CF 9E C5 91 FE 23 CE 8E D4 E8 A7 BA C1 9A 9E FC C7 8A 5C F0 03 7B 6D 88 3B 44 66 9F C8 EC 05 6A CD 9A 39 C4
/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!
Your files are safe! Only modified. (RSA+AES)
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to
solve your problem.
We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..
We only seek money and our goal is not to damage your reputation or prevent
your business from running.
You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.
Contact us for price and get decryption software.
qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
* Note that this server is available via Tor browser only
Follow the instructions to open the link:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
4. Start a chat and follow the further instructions.
If you can not use the above link, use the email:
[email protected]
[email protected]
* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.
Targets
-
-
Target
fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
-
Size
53KB
-
MD5
5efa19dc204e46e8d8c57482f80e7a40
-
SHA1
5c83b3ddc8417fe64e0bbd3495445ddcee52e35e
-
SHA256
fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f
-
SHA512
0cdf4a1263b9a341240acea245155f0afbaac864eccd1d9623a9a152a9287e8a65cd62f12804d5a1293c9d960a4958c2aa05a720f35d42699fec5d4ac0accfc1
-
SSDEEP
768:FKcvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YW:F9eytM3alnawrRIwxVSHMweio3+
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
Downloads MZ/PE file
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Stops running service(s)
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-