C8153913F53C267AC883B23B8DB79E415872BF4FFABE6503F9652A69FC96D77E[.]rl[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

C8153913F53C267AC883B23B8DB79E415872BF4FFABE6503F9652A69FC96D77E.rl.zip
Size

328KB
MD5

35725d5f99c5a00ed07ae9273ccbc143
SHA1

7d1b0450279929408a851cbb504a00422b555e9d
SHA256

0b1cd9eb08653c836972d4e1c74a0a792b2433c812c523e9f3e841f8b66a7b38
SHA512

73603a185c986b1acbce91782c93066f10704258e1eba0fee72cb6026265aec30431f15fa7ac40923becd30a0d2b7c342fa21d0d1534028a4fb49e946e3efff9
SSDEEP

6144:LgQ7NkbqK7QqW7NfsbGnkOcjqD31AI6ic88dWreSBP5233vwO6VP:LgQJkGSZW7NvnkOcM+wcJki2IfwV

Score

5^/10

ransomware_note

Malware Config

Signatures

Often Ransomware samples write a note containing information on how to pay the ransom. 1 IoCs

Often Ransomware samples write a note containing information on how to pay the ransom.

ransomware_note

resource	yara_rule
static1/unpack001/b7f3f23374618ab549c6c093a5e09a8435e52415.rl	generic_ransomware_note

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/b7f3f23374618ab549c6c093a5e09a8435e52415.rl

Files

C8153913F53C267AC883B23B8DB79E415872BF4FFABE6503F9652A69FC96D77E.rl.zip
.zip

Password: infected
b7f3f23374618ab549c6c093a5e09a8435e52415.rl
.exe windows x64

Password: infected

18bc8d5cd3d64934f7cb5393b492babf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetFullPathNameW
FindNextFileW
FindFirstFileW
FindClose
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetModuleFileNameW
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
GetFileInformationByHandleEx
GetCurrentProcessId
CreateFileW
CreateNamedPipeW
CreateThread
WriteFileEx
CreateEventW
CancelIo
ReadFile
GetFileInformationByHandle
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetCurrentDirectoryW
RtlCaptureContext
GetDriveTypeW
GetVolumeInformationW
GetDiskFreeSpaceExW
DeviceIoControl
OpenProcess
SetUnhandledExceptionFilter
FormatMessageW
RtlLookupFunctionEntry
GetModuleHandleW
GetProcAddress
GetProcessTimes
GetSystemTimes
GetProcessIoCounters
IsProcessorFeaturePresent
LocalFree
VirtualQueryEx
UnhandledExceptionFilter
GetTickCount64
GetEnvironmentVariableW
GetLogicalDrives
IsDebuggerPresent
RtlVirtualUnwind
InitializeSListHead
GetCurrentThreadId
ReleaseMutex
GetModuleHandleA
Sleep
GlobalMemoryStatusEx
CreateMutexA
WakeConditionVariable
LoadLibraryA
WaitForSingleObjectEx
SetLastError
SleepConditionVariableSRW
PostQueuedCompletionStatus
GetQueuedCompletionStatusEx
TryAcquireSRWLockExclusive
CreateIoCompletionPort
GetSystemInfo
AcquireSRWLockShared
ReleaseSRWLockShared
WriteConsoleW
AcquireSRWLockExclusive
SwitchToThread
ReleaseSRWLockExclusive
HeapReAlloc
GetConsoleMode
HeapFree
GetProcessHeap
HeapAlloc
SetThreadStackGuarantee
GetStdHandle
ReadProcessMemory
AddVectoredExceptionHandler
GetExitCodeProcess
WaitForSingleObject
SleepEx
ReadFileEx
GetOverlappedResult
WaitForMultipleObjects
UnmapViewOfFile
MoveFileExW
FlushFileBuffers
FlushViewOfFile
VirtualProtect
DuplicateHandle
GetCurrentProcess
MapViewOfFile
CreateFileMappingW
CloseHandle
GetCurrentThread
WakeAllConditionVariable
GetLastError
QueryPerformanceFrequency
DeleteFileW

bcrypt

BCryptGenRandom
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider

advapi32

OpenProcessToken
GetTokenInformation
SystemFunction036
LookupAccountSidW

psapi

GetModuleFileNameExW
GetPerformanceInfo

ntdll

NtQuerySystemInformation
NtQueryInformationProcess
RtlGetVersion

shell32

CommandLineToArgvW

ole32

CoUninitialize
CoInitializeEx
CoInitializeSecurity
CoCreateInstance
CoSetProxyBlanket

iphlpapi

GetIfTable2
FreeMibTable
GetIfEntry2

netapi32

NetUserGetLocalGroups
NetUserEnum
NetApiBufferFree

secur32

LsaFreeReturnBuffer
LsaEnumerateLogonSessions
LsaGetLogonSessionData

pdh

PdhGetFormattedCounterValue
PdhRemoveCounter
PdhCloseQuery
PdhOpenQueryA
PdhAddEnglishCounterW
PdhCollectQueryData

powrprof

CallNtPowerInformation

oleaut32

VariantClear
SysAllocString
SysFreeString

vcruntime140

memcmp
memcpy
memset
memmove
__current_exception_context
__current_exception
__C_specific_handler
_CxxThrowException
__CxxFrameHandler3

api-ms-win-crt-string-l1-1-0

wcslen

api-ms-win-crt-runtime-l1-1-0

__p___argc
_c_exit
_register_thread_local_exe_atexit_callback
_exit
exit
_initialize_onexit_table
_register_onexit_function
_crt_atexit
terminate
_initterm_e
_cexit
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_seh_filter_exe
_set_app_type
__p___argv
_configure_narrow_argv

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode

Sections

.text
Size: 546KB - Virtual size: 546KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 164KB - Virtual size: 164KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

18bc8d5cd3d64934f7cb5393b492babf

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

bcrypt

advapi32

psapi

ntdll

shell32

ole32

iphlpapi

netapi32

secur32

pdh

powrprof

oleaut32

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 546KB - Virtual size: 546KB

.rdata Size: 164KB - Virtual size: 164KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 32KB - Virtual size: 31KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 546KB - Virtual size: 546KB

.rdata
Size: 164KB - Virtual size: 164KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 32KB - Virtual size: 31KB

.reloc
Size: 3KB - Virtual size: 3KB