General

  • Target

    Trojan-Ransom.Win32.Bart.i-45fcdd90b1268f6d5dd2a99a78c3df1a95b7809cbe13b68d9f164edd2264005e

  • Size

    121KB

  • Sample

    230425-v1gghabh35

  • MD5

    6de7324c37519831cf586e3b2c786e53

  • SHA1

    abb423454abd2caa431634667903640037b6ee9b

  • SHA256

    45fcdd90b1268f6d5dd2a99a78c3df1a95b7809cbe13b68d9f164edd2264005e

  • SHA512

    6172a9b52749e89017c4ad2f685a4399e5d092e0517ef98dff6d071b61e5db7343ca5298d00c57b1fed2d5a7afc9b63d2be8cd89b83af0c09b3e6c950c227227

  • SSDEEP

    3072:3s+7qZCqeKW9cafSypBCaJDftXdCD66X:377qZCqeKW9cotpBfVVoDX

Score
10/10

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\User Account Pictures\recover.txt

Ransom Note

!!! IMPORTANT INFORMATION !!!
All your files are encrypted. Decrypting of your files is only possible with the private key, which is on our secret server.
To receive your private key follow one of the links:
1. http://s3clm4lufbmfhmeb.tor2web.org/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d
2. http://s3clm4lufbmfhmeb.onion.to/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d
3. http://s3clm4lufbmfhmeb.onion.cab/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d
4. http://s3clm4lufbmfhmeb.onion.link/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d
If all addresses are not available, follow these steps:
1. Download and install Tor Browser: https://torproject.org/download/download-easy.html
2. After successfull installation, run the browser and wait for initialization.
3. Type in the address bar: s3clm4lufbmfhmeb.onion/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d
4. Follow the instructions on the site.
!!! Your personal identification ID: Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g== !!!

URLs

http://s3clm4lufbmfhmeb.tor2web.org/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d

http://s3clm4lufbmfhmeb.onion.to/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d

http://s3clm4lufbmfhmeb.onion.cab/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d

http://s3clm4lufbmfhmeb.onion.link/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d

http://s3clm4lufbmfhmeb.onion/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d

Extracted

Path

C:\ProgramData\Microsoft\Diagnosis\recover.txt

Ransom Note

!!! IMPORTANT INFORMATION !!!
All your files are encrypted. Decrypting of your files is only possible with the private key, which is on our secret server.
To receive your private key follow one of the links:
1. http://s3clm4lufbmfhmeb.tor2web.org/?id=A3bYgJO%2bp9bflSwUVvPROn6QThzPlD9GxCX%2bGsFIC6UG9w%3d%3d
2. http://s3clm4lufbmfhmeb.onion.to/?id=A3bYgJO%2bp9bflSwUVvPROn6QThzPlD9GxCX%2bGsFIC6UG9w%3d%3d
3. http://s3clm4lufbmfhmeb.onion.cab/?id=A3bYgJO%2bp9bflSwUVvPROn6QThzPlD9GxCX%2bGsFIC6UG9w%3d%3d
4. http://s3clm4lufbmfhmeb.onion.link/?id=A3bYgJO%2bp9bflSwUVvPROn6QThzPlD9GxCX%2bGsFIC6UG9w%3d%3d
If all addresses are not available, follow these steps:
1. Download and install Tor Browser: https://torproject.org/download/download-easy.html
2. After successfull installation, run the browser and wait for initialization.
3. Type in the address bar: s3clm4lufbmfhmeb.onion/?id=A3bYgJO%2bp9bflSwUVvPROn6QThzPlD9GxCX%2bGsFIC6UG9w%3d%3d
4. Follow the instructions on the site.
!!! Your personal identification ID: A3bYgJO+p9bflSwUVvPROn6QThzPlD9GxCX+GsFIC6UG9w== !!!

URLs

http://s3clm4lufbmfhmeb.tor2web.org/?id=A3bYgJO%2bp9bflSwUVvPROn6QThzPlD9GxCX%2bGsFIC6UG9w%3d%3d

http://s3clm4lufbmfhmeb.onion.to/?id=A3bYgJO%2bp9bflSwUVvPROn6QThzPlD9GxCX%2bGsFIC6UG9w%3d%3d

http://s3clm4lufbmfhmeb.onion.cab/?id=A3bYgJO%2bp9bflSwUVvPROn6QThzPlD9GxCX%2bGsFIC6UG9w%3d%3d

http://s3clm4lufbmfhmeb.onion.link/?id=A3bYgJO%2bp9bflSwUVvPROn6QThzPlD9GxCX%2bGsFIC6UG9w%3d%3d

http://s3clm4lufbmfhmeb.onion/?id=A3bYgJO%2bp9bflSwUVvPROn6QThzPlD9GxCX%2bGsFIC6UG9w%3d%3d

Targets

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Sets desktop wallpaper using registry
