General
Target
https://github.com/jstrosch/malware-samples/raw/master/binaries/gamma_ransomware/2020/May/samples_pcap.zip
Sample
230701-1wpvzahg34
Score
10/10
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/jstrosch/malware-samples/raw/master/binaries/gamma_ransomware/2020/May/samples_pcap.zip
Resource
win10v2004-20230621-en
windows10-2004-x64
15 signatures
1800 seconds
Malware Config
Extracted
Path
C:\Users\Admin\Pictures\README.txt
Ransom Note
Tango Down Bitch!
Seems like you got hit by GAmmA Group!
Don't Panic, you get to have your files back!
GAmmAWare uses a basic encryption script to lock your files.
This type of ransomware is known as CRYPTO.
You'll need a decryption key to unlock your files.
Your files will be deleted when the timer runs out, so you better hurry.
You have 10 hours to find your key!
Payment is accepted with Bitcoin only, Or Google [How to buy Bitcoin]
Payment 0.052 BTC to: 1sd2WD1fEJnUPkGgfTEciWENKtLeUGMQe
After Payment is confirmed Please Email: [email protected] with your IP/hostname & BTC transaction ID to receive your decryption key.
Kind regards,
GAmmA GrouP
Emails
Wallets
1sd2WD1fEJnUPkGgfTEciWENKtLeUGMQe
Targets
Target
https://github.com/jstrosch/malware-samples/raw/master/binaries/gamma_ransomware/2020/May/samples_pcap.zip
Score
10/10
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2