General
-
Target
NitroRansomware.exe
-
Size
1.7MB
-
Sample
230707-2p3zpadb6w
-
MD5
6e4c9fe77dd12b68a62fb669bc33224e
-
SHA1
dc6c3b8e5f286834071b5cc649395d2e5a7cf29d
-
SHA256
9a3e5872a07bf6b187b184764bab6b4e199b3de9c83454632911038d76cb2024
-
SHA512
c32526c1aaa2435d20c08ec34459830ea5788713795e237b396e80e8b6ba435873c338864eb2eda18f33eb9adfe1a7bb4984c0d051b75c69a6518bc3e2aebfb5
-
SSDEEP
49152:zRmYGwfZPnlXgNuTdngwwHv5VbtHw1kqXfd+/9A:zRnDZdQNuNgNhVRw1kqXf0F
Malware Config
Extracted
nitro
https://api.telegram.org/bot6006307805:AAEDDUx2GEUK5B9sfISAl5uogpVR7Py-iFY/sendMessage?chat_id=-1001950887599
-
decrypt_key
e14a1a875002aa43e3b7869ef81c4f675abfcfa3563a2dbd191d0c96a03a7c75/
Targets
-
-
Target
NitroRansomware.exe
-
Size
1.7MB
-
MD5
6e4c9fe77dd12b68a62fb669bc33224e
-
SHA1
dc6c3b8e5f286834071b5cc649395d2e5a7cf29d
-
SHA256
9a3e5872a07bf6b187b184764bab6b4e199b3de9c83454632911038d76cb2024
-
SHA512
c32526c1aaa2435d20c08ec34459830ea5788713795e237b396e80e8b6ba435873c338864eb2eda18f33eb9adfe1a7bb4984c0d051b75c69a6518bc3e2aebfb5
-
SSDEEP
49152:zRmYGwfZPnlXgNuTdngwwHv5VbtHw1kqXfd+/9A:zRnDZdQNuNgNhVRw1kqXf0F
Score10/10-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
UAC bypass
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-