Overview

overview

10

Static

static

10

sample.exe

windows7-x64

10

sample.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    snatch.bin.gz

  • Size

    2.5MB

  • Sample

    230607-bzsctsgh8v

  • MD5

    6220287f87ff3faca8c13a1e3538992e

  • SHA1

    43347dc4b7de70047299a94077d01c8db01573de

  • SHA256

    5d81030fa79538850bef6375df9bdaebffd251271a04b984d356de49ac208bfb

  • SHA512

    b8d1bac09527428b185acba9ed8742d164695315aa9b34935f409ef78213840c4c01aa430b98725ba83f5b4c6ee301c4449e41c248e8a96ca36dcd46dff7eaac

  • SSDEEP

    49152:8+C0sw8Opz8dLYy9H0qIorAj9tXt+krhcnfceKu09BjArM1rqDO4rJunWqo:LCPIpcLY4IorAj9Rt+OhKfcdBjAKWDOY

Score
10/10
snatchransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only we can decrypt them. Contact us: Recoverybat@protonmail.com or Recoverybat@cock.li Write us if you want to return your files - we can do it very quickly! The header of letter must contain extension of encrypted files. We always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups). HURRY UP! If you do not email us in the next 48 hours then your data may be lost permanently.
Emails

Recoverybat@protonmail.com

Recoverybat@cock.li

Targets

    • Target

      sample

    • Size

      2.5MB

    • MD5

      2bbff2111232d73a93cd435300d0a07e

    • SHA1

      b93d633d379052f0a15b0f9c7094829461a86dbb

    • SHA256

      3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6

    • SHA512

      566ebe109cc4550363a4336fb905b8009bd66a1389cc9cfcd79ffbbd59fe957b1f2cbcfb431b9d707e03f78133b802c8367b022421dff6eb71962c5b6d4ea402

    • SSDEEP

      49152:B+CUkw0e9xep5A4354qUoJo5DtjDgk9bcnfoEKSMBB90hMhlqTO4rpun4I:4CVG9y5ASUoJo5D5DgmbKfotB902QTOw

    Score
    10/10
    snatchransomwarespywarestealerupx

    • Detecting the common Go functions and variables names used by Snatch ransomware

    • Snatch Ransomware

      Ransomware family generally distributed through RDP bruteforce attacks.

      ransomwaresnatch

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (7775) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Renames multiple (8974) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks