General

  • Target

    10562853704.zip

  • Size

    56KB

  • Sample

    230530-1b6b8acb4x

  • MD5

    0345b34da02f14a431cefa1f3b822b0e

  • SHA1

    0f38c99d1920d227189ceb5d35c627811d66577d

  • SHA256

    e2fabfc18fc498c954376ae4bc18bed9a832a162b09ea5213c3204cbfa6ee8cd

  • SHA512

    bbc53f8059b784e5cf160d7721bd293c7faf39446b5c6a45ee18c11ecfad4c945a01f8887cf05b9304c3965df9b60db95b32be6446e2ff76bd2e90b860776061

  • SSDEEP

    768:6TCEBWKRd4AcmoEngTVNlOwsThVhfySY1rYGLCcsTOs6POhmXSUn0c:6TYK/EmPgTVDK1fYh86POEXSUnB

Score
10/10

Malware Config

Extracted

Path

C:\PerfLogs\Admin\How To Restore Your Files.txt

Ransom Note
GREETINGS FROM BL00DY RANSOMWARE GANG What happened ? Your entire company network is penetrated and encrypted with ".bl00dy" entension All files on servers and computers locked and not usable Dont panic All files are decryptable We will recover all your files to normal What Bl00dy Gang take / steal from your company network ? We download your company important files / documents / databases/ mails / accounts We publish it to the public if you dont cooperate . What BL00DY Gang needs from YOU ? We expect nothing except appreciating our work PAY US in this way you appreciate our work How to contact the BL00DY Gang for ransom negotiations ? [email protected] What Quarantees ? we are not a politically motivated group and we do not need anything other than your money. If you pay, we provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We will help protect your company from any other attacks ; we will give you tips to secure company network We always keep our promises. !!! BEWARE !!! If you have Backups and try to restore from backups . All entire company files / databases / everything we DOWNLOADED will be posted online DON'T try to rename or modify encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! - Don't try because you will damage all the files Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Do not report to Police or FBI , they dont care about your business .They will tell you not to pay and you will lose all your files. Recovery Company Cannot help You . things will get rather worse . speak for yourself. we DO NOT TAKE MUCH

Targets

    • Target

      ef0ee6a6a643347082e097f29cd351150b2d4196faef4ce926a307c2ca46f96a

    • Size

      18.1MB

    • MD5

      72b4851a0410780bc1d3b65b9b540c33

    • SHA1

      b7d1a21f0c13c1bf363048af00fa23ddb9846272

    • SHA256

      ef0ee6a6a643347082e097f29cd351150b2d4196faef4ce926a307c2ca46f96a

    • SHA512

      2f4647b731f329c4dfd0edd38fb9867dc94e61d2ad39fd27fc8d3c616ee7cec2222c18d1567c24581c6c0bfffd7c40c38a340f28d0db3784094a540a3a63a643

    • SSDEEP

      6144:IROPsrQLOJgpZp8LHD4GaNH71dLdGiiFM2AHcH8s:1cH8s

    Score
    10/10

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (204) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (207) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
