Overview

overview

10

Static

static

10

2020-07-20.zip

windows10-2004-x64

10

Resubmissions

24-07-2023 06:32

230724-haylwaag65 10

16-07-2023 18:15

230716-wwbacshb7z 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2020-07-20.zip

  • Size

    347.3MB

  • Sample

    230716-wwbacshb7z

  • MD5

    712b5aa5e08566a0f01a0a39418d6132

  • SHA1

    91349082a104f862b531278769f3d0c587244fc0

  • SHA256

    18fcb8604dc88c010d786be917f618a461876f5db6f80f1f8a64bc3b8fe48a98

  • SHA512

    12642ecf4ebc7be19bd78b5b18d4a283ce5d7008eaa616dcc962e9fd21a083bb59821f72995843a8884fd1e6722a74da1461dea6bb49e789b4bf7b4fcb019016

  • SSDEEP

    6291456:7EC9ko9Z5jyHn8ly4KT5uOXAKcXPAANTaqWXmhN0pxn+UeXiGf9dHh2hWFr40VCn:7E09Z5mc4FcfAAvhWpxnoLf9dHZxVQrz

Score
10/10
agentteslaasyncratemotetformbookmassloggermodiloadernanocoresodinokibi$2a$10$dnoarqjmluspylr6hh6sdumn4xmqbhpyuwfktagjzvnubouo7ognc$2a$10$mn/9plt2mnk8i7uvjwbr0ep8gpm9h4snofd0lcgzoh4.2q72ihskk$2a$10$r6jfdy.02ns/tl60z.a74o5dw8.5eqxa63yzup5x2nso0l.4y0gfa$2a$10$umiybwuiiy9i8r8vbxsoi.cxshbb0zx3gsd8gbyrag9afcnsaj43idefaultepoch1epoch31428397947104874bankermacromacro_on_actionrattrojanupx

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$MN/9PlT2MnK8i7UVjwbr0ep8gPm9H4sNOFD0lcgzoH4.2q72IHSkK

Campaign

4710

Decoy

coastalbridgeadvisors.com

comparatif-lave-linge.fr

thomasvicino.com

colorofhorses.com

nacktfalter.de

global-kids.info

xoabigail.com

cursoporcelanatoliquido.online

brawnmediany.com

importardechina.info

plastidip.com.ar

higadograsoweb.com

wari.com.pe

blgr.be

mastertechengineering.com

d2marketing.co.uk

littlebird.salon

geekwork.pl

101gowrie.com

beyondmarcomdotcom.wordpress.com
Attributes
  • net

    true

  • pid

    $2a$10$MN/9PlT2MnK8i7UVjwbr0ep8gPm9H4sNOFD0lcgzoH4.2q72IHSkK

  • prc

    encsvc

    steam

    intuit

    mspub

    tbirdconfig

    ^MSExchange.*$

    ocssd

    isqlplussvc

    wordpa

    agntsvc

    sqbcoreservice

    sql

    mydesktopservice

    ^store$

    mydesktopqos

    dbeng50

    msaccess

    xfssvccon

    onenote

    winword

    ^qb.*$

    infopath

    thebat

    ocomm

    synctime

    ntdbsmgr

    ^Microsoft.Exchange.*$

    oracle

    thunderbird

    ^store.exe$

    outlook

    ocautoupds

    excel

    dbsnmp

    visio

    powerpnt

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instructions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4710

  • svc

    mepocs

    vss

    backup

    veeam

    sql

    sophos

    svc$

    memtas

Extracted

Family

nanocore

Version

1.2.2.0

C2

dera118.hopto.org:7031

185.140.53.135:7031
Mutex

4ca1922c-b93c-4fb2-826c-d0806938edcc

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    185.140.53.135

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-04-30T22:08:05.557339036Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    7031

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    4ca1922c-b93c-4fb2-826c-d0806938edcc

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    dera118.hopto.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

sodinokibi

Botnet

$2a$10$DNoARQjmlusPylr6hH6sDuMN4xmQbhpYUWfKtAGJzvnUBouo7OgnC

Campaign

4874

Decoy

educar.org

chrissieperry.com

bookspeopleplaces.com

itelagen.com

craftleathermnl.com

testzandbakmetmening.online

bordercollie-nim.nl

kidbucketlist.com.au

lubetkinmediacompanies.com

vorotauu.ru

presseclub-magdeburg.de

siluet-decor.ru

xtptrack.com

buymedical.biz

panelsandwichmadrid.es

body-armour.online

makeurvoiceheard.com

lapinvihreat.fi

fannmedias.com

americafirstcommittee.org
Attributes
  • net

    true

  • pid

    $2a$10$DNoARQjmlusPylr6hH6sDuMN4xmQbhpYUWfKtAGJzvnUBouo7OgnC

  • prc

    tbirdconfig

    isqlplussvc

    firefox

    powerpnt

    mydesktopservice

    dbeng50

    thunderbird

    agntsvc

    mydesktopqos

    sql

    ocomm

    encsvc

    synctime

    ocautoupds

    mspub

    xfssvccon

    winword

    steam

    sqbcoreservice

    msaccess

    visio

    infopath

    excel

    dbsnmp

    oracle

    wordpad

    outlook

    ocssd

    thebat

    onenote

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-read-me.txt and follow instuctions

  • ransom_template

    ---=== Welcome Churchill Corporate Services Inc., IT Vortex LLC, Nest Seekers LLC ===--- [+] Whats Happen? [+] Your internal network has been penetrated. Your files are encrypted with strong military algorithm, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). Also, all your business info copyed to our servers. Personal data of your patient and business contacts extracted. If you do not take action to contact us, the data will be published fo free access everyone. As soon as we receive the payment, all data will be deleted from our servers. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Contact with us in chat on website. You have 3 days. If you need more time to make a decision and collect money for payment - inform the support chat about this. [+] How will the decryption process proceed after payment? [+] After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4874

  • svc

    memtas

    sophos

    mepocs

    vss

    veeam

    backup

    svc$

    sql

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

172.94.47.80:4411

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

sodinokibi

Botnet

$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

Campaign

1428

Decoy

firstpaymentservices.com

krcove-zily.eu

softsproductkey.com

naturavetal.hr

corelifenutrition.com

leda-ukraine.com.ua

beaconhealthsystem.org

acomprarseguidores.com

extraordinaryoutdoors.com

mardenherefordshire-pc.gov.uk

stopilhan.com

triggi.de

anteniti.com

aunexis.ch

boosthybrid.com.au

bee4win.com

gadgetedges.com

tandartspraktijkheesch.nl

8449nohate.org

simoneblum.de
Attributes
  • net

    true

  • pid

    $2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

  • prc

    excel

    mydesktopservice

    sqlwriter

    ocomm

    powerpnt

    oracle

    mydesktopqos

    ocautoupds

    ocssd

    encsvc

    mysqld_opt

    msaccess

    visio

    agntsvc

    winword

    sqlservr

    tbirdconfig

    wordpad

    xfssvccon

    msftesql

    firefoxconfig

    dbsnmp

    onenote

    thunderbird

    outlook

    isqlplussvc

    dbeng50

    mspub

    thebat64

    sqbcoreservice

    synctime

    sqlbrowser

    steam

    sqlagent

    infopath

    mysqld

    mysqld_nt

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    vss

    mepocs

    veeam

    svc$

    backup

    sophos

    memtas

    sql

Extracted

Family

sodinokibi

Botnet

$2a$10$umiybwuiiY9i8r8VBXSOi.CXsHbB0Zx3GSd8GbYRag9aFCNsAJ43i

Campaign

3979

Decoy

lorenacarnero.com

resortmtn.com

haremnick.com

allentownpapershow.com

idemblogs.com

toreria.es

boldcitydowntown.com

teczowadolina.bytom.pl

faroairporttransfers.net

rushhourappliances.com

mediaclan.info

digi-talents.com

xtptrack.com

bridgeloanslenders.com

gopackapp.com

rimborsobancario.net

almosthomedogrescue.dog

forestlakeuca.org.au

tenacitytenfold.com

theapifactory.com
Attributes
  • net

    true

  • pid

    $2a$10$umiybwuiiY9i8r8VBXSOi.CXsHbB0Zx3GSd8GbYRag9aFCNsAJ43i

  • prc

    thunderbird

    oracle

    onenote

    ocomm

    msaccess

    xfssvccon

    sqbcoreservice

    isqlplussvc

    mspub

    dbeng50

    ocautoupds

    agntsvc

    mydesktopqos

    steam

    excel

    mydesktopservice

    thebat

    synctime

    powerpnt

    wordpad

    ocssd

    encsvc

    tbirdconfig

    winword

    sql

    infopath

    dbsnmp

    visio

    firefox

    outlook

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3979

  • svc

    mepocs

    svc$

    veeam

    sophos

    memtas

    backup

    sql

    vss

Extracted

Family

emotet

Botnet

Epoch1

C2

177.144.135.2:80

104.247.221.104:443

201.213.32.59:80

190.147.137.153:443

178.79.163.131:8080

190.17.195.202:80

212.71.237.140:8080

68.183.190.199:8080

12.162.84.2:8080

186.250.52.226:8080

181.129.96.162:8080

185.94.252.12:80

77.55.211.77:8080

177.72.13.80:80

70.32.115.157:8080

114.109.179.60:80

68.183.170.114:8080

5.196.35.138:7080

87.106.46.107:8080

190.163.1.31:8080
rsa_pubkey.plain

Extracted

Family

emotet

Botnet

Epoch3

C2

201.212.78.182:80

74.207.230.187:8080

81.214.253.80:443

181.167.35.84:80

195.201.56.70:8080

37.46.129.215:8080

190.251.235.239:80

192.163.221.191:8080

177.0.241.28:80

41.185.29.128:8080

46.105.131.68:8080

78.188.170.128:80

45.118.136.92:8080

163.172.107.70:8080

37.70.131.107:80

177.144.130.105:443

181.230.65.232:80

192.210.217.94:8080

181.164.110.7:80

50.116.78.109:8080
rsa_pubkey.plain

Targets

    • Target

      2020-07-20.zip

    • Size

      347.3MB

    • MD5

      712b5aa5e08566a0f01a0a39418d6132

    • SHA1

      91349082a104f862b531278769f3d0c587244fc0

    • SHA256

      18fcb8604dc88c010d786be917f618a461876f5db6f80f1f8a64bc3b8fe48a98

    • SHA512

      12642ecf4ebc7be19bd78b5b18d4a283ce5d7008eaa616dcc962e9fd21a083bb59821f72995843a8884fd1e6722a74da1461dea6bb49e789b4bf7b4fcb019016

    • SSDEEP

      6291456:7EC9ko9Z5jyHn8ly4KT5uOXAKcXPAANTaqWXmhN0pxn+UeXiGf9dHh2hWFr40VCn:7E09Z5mc4FcfAAvhWpxnoLf9dHZxVQrz

    Score
    10/10
    emotetepoch1epoch3bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Emotet payload

      Detects Emotet payload in memory.

      trojanbanker

    • Executes dropped EXE

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks