General
-
Target
Zeppelinbggaehbcdj18_browsingExe.exe
-
Size
100KB
-
Sample
230802-wtl9vahh8t
-
MD5
cf5a358a22326f09fd55983bb812b7d8
-
SHA1
1addcffae4fd4211ea24202783c2ffad6771aa34
-
SHA256
dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f
-
SHA512
5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b
-
SSDEEP
3072:ge2IWDaNiBBXtw4KLStagKwbzCcO8WWZ5:kIeoiBBXGLSYgZzCx8Wq5
Malware Config
Extracted
C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion
Targets
-
-
Target
Zeppelinbggaehbcdj18_browsingExe.exe
-
Size
100KB
-
MD5
cf5a358a22326f09fd55983bb812b7d8
-
SHA1
1addcffae4fd4211ea24202783c2ffad6771aa34
-
SHA256
dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f
-
SHA512
5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b
-
SSDEEP
3072:ge2IWDaNiBBXtw4KLStagKwbzCcO8WWZ5:kIeoiBBXGLSYgZzCx8Wq5
Score10/10-
Detects Zeppelin payload
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (269) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-