Resubmissions

07-09-2023 14:45

230907-r45fysaf5s 10

07-09-2023 14:12

230907-rjbyxaad5s 10

General

  • Target

    gm.rar

  • Size

    22.6MB

  • Sample

    230907-r45fysaf5s

  • MD5

    d9aa719336b223b19cc30d1066a6955e

  • SHA1

    a5ba381e11b859554431ecd3b1d89c1d6524421c

  • SHA256

    78a28b25b330513649439305a5d9293cb07fb796ad6521ef31f39a5453a549d8

  • SHA512

    26de419b91c188182616195ce3c0c2adcc0e9cfb1b77a7bb504deb9327a968251d86aa35c356c4b23c0e87831fd7935d03b05b81403ec82aebcbc7c71579a7fd

  • SSDEEP

    393216:1WCDBR5/qcMb6ezNjpONekKdZKE1R2GjCEyvuCE3EZuzJy3Dzc1Ktp:1WCtDgb1ztpO4OE1IGmEWuhXzJIDzc1e

Malware Config

Extracted

Family

sodinokibi

Botnet

33

Campaign

296

Decoy

craftron.com

piestar.com

tages-geldvergleich.de

pxsrl.it

framemyballs.com

photographycreativity.co.uk

cincinnatiphotocompany.org

billyoart.com

midwestschool.org

supercarhire.co.uk

encounter-p.net

ncn.nl

fanuli.com.au

gosouldeep.com

greenrider.nl

renehartman.nl

entdoctor-durban.com

astrographic.com

advesa.com

skyscanner.ro

Attributes
  • net

    true

  • pid

    33

  • prc

    sqlbrowser.exe

    sqlwriter.exe

    firefoxconfig.exe

    thunderbird.exe

    agntsvc.exe

    thebat.exe

    infopath.exe

    mysqld_nt.exe

    winword.exe

    tbirdconfig.exe

    sqlagent.exe

    onenote.exe

    ocautoupds.exe

    msaccess.exe

    sqlservr.exe

    mydesktopservice.exe

    outlook.exe

    wordpad.exe

    dbeng50.exe

    thebat64.exe

    msftesql.exe

    dbsnmp.exe

    mydesktopqos.exe

    oracle.exe

    ocssd.exe

    excel.exe

    visio.exe

    isqlplussvc.exe

    mysqld_opt.exe

    sqbcoreservice.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    296

Extracted

Family

sodinokibi

Botnet

19

Campaign

35

Decoy

eshop.design

harleystreetspineclinic.com

qrs-international.com

stabilisateur.fr

imaginekithomes.co.nz

watchsale.biz

levencovka.ru

acornishstudio.co.uk

kroophold-sjaelland.dk

frameshift.it

aberdeenartwalk.org

leadforensics.com

craftron.com

diverfiestas.com.es

kenmccallum.com

billscars.net

ncn.nl

towelroot.co

sochi-okna23.ru

oro.ae

Attributes
  • net

    true

  • pid

    19

  • prc

    mysqld_nt

    mysqld

    firefoxconfig

    encsvc

    mydesktopqos

    visio

    infopath

    agntsvc

    wordpad

    mysqld_opt

    outlook

    ocautoupds

    mydesktopservice

    mspub

    msaccess

    powerpnt

    ocomm

    sqlbrowser

    winword

    sqbcoreservice

    sqlagent

    synctime

    thunderbird

    thebat64

    sqlwriter

    onenote

    xfssvccon

    ocssd

    tbirdconfig

    dbeng50

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    35

  • svc

    vss

    mepocs

    sql

    svc$

    backup

    sophos

    memtas

    veeam

Extracted

Family

crimsonrat

C2

81.17.56.2260

111.115.6.118

Extracted

Family

sodinokibi

Botnet

15

Campaign

1186

Decoy

oexebusiness.com

mondolandscapes.com

thiagoperez.com

hawaiisteelbuilding.com

cleanroomequipment.ie

dinedrinkdetroit.com

craftingalegacy.com

sambaglow.com

thegrinningmanmusical.com

chinowarehousespace.com

jlwilsonbooks.com

rentsportsequip.com

advesa.com

nauticmarine.dk

fi-institutionalfunds.com

agriturismocastagneto.it

c-sprop.com

fysiotherapierijnmond.nl

masecologicos.com

otpusk.zp.ua

Attributes
  • net

    true

  • pid

    15

  • prc

    mysqld

    thebat64

    sqlbrowser

    dbeng50

    dbsnmp

    sqlservr

    infopath

    thebat

    winword

    steam

    tbirdconfig

    mysqld_opt

    ocautoupds

    mysqld_nt

    msftesql

    sqlagent

    ocomm

    synctime

    outlook

    xfssvccon

    sqlwriter

    powerpnt

    isqlplussvc

    excel

    ocssd

    thunderbird

    visio

    mydesktopservice

    agntsvc

    oracle

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1186

  • svc

    mepocs

    sophos

    vss

    memtas

    backup

    sql

    svc$

    veeam

Extracted

Family

sodinokibi

Botnet

20

Campaign

46

Decoy

marcandy.com

tzn.nu

alcye.com

barbaramcfadyenjewelry.com

parentsandkids.com

nieuwsindeklas.be

the-cupboard.co.uk

molinum.pt

alabamaroofingllc.com

hensleymarketing.com

hnkns.com

comoserescritor.com

charlesfrancis.photos

michaelfiegel.com

sveneulberg.de

modamarfil.com

mollymccarthydesign.com

evsynthacademy.org

precisetemp.com

domaine-des-pothiers.com

Attributes
  • net

    true

  • pid

    20

  • prc

    mysql

    sqlservr

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    46

  • svc

    sophos

    backup

    sql

    mepocs

    memtas

    veeam

    vss

    svc$

Extracted

Path

C:\Users\48t15w-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 48t15w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/46E8EC66AF7F37CD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/46E8EC66AF7F37CD Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: sYoAuNwu8txDdr0LbHOh6diEwoWBNnaK9qzQbt3NJEQucD6bsmsGO1wod2g3UGqX b6wRyb0MlIrKPPrCYdCtsh89+uJjcvC4y2Oa/tJCyOoGsY/NiBnfYYEYNPo2CCRi LePbZ4dQOftXxvSaN1+zxjK99g+8UlxXVsaFsi5uHXk0Xlu+sqQA97zoqUdrCDV1 VEoSmfu5dUi3wdoVy4ZD3StFBYvFqvfvBA6O9stXZ4vAXew41mGO62kTCc+v/Fse 41o4wfNWRKGYB+UR1BDIWY88GDE68y2p7Dn2qHY35KUbPaFBCCHC7pTCs2JLJwHD 9TI52gMgf5X73Wr4RaPbIvpqHmdXWLTPVZM2K37ouyTvfexBNpO8oUaes8BXzzrX j4qg9+qfic6H/f/v+QEVtBrdp/ACZxI5WhxQHiC70qKWhO2uQcmb1BVob3E30vH/ gNwg+c7kfz1g8RIOoQQxifvb6cnYZQH/LjZMHxHa2HTooTz0yDNnhNmvIHOqdwcz Qtl7cj03OJx5dyQM0acdRp/R3D4VQK33ledJKxqiDIQeNHanhUNBgXOcNhohHiRC g/JJYHwBXYfSfnmeEmxHw0Y6vfpqNy56E1ptOzbcxU9XH5OXyiJrWxZzxUzzziNB T3ykIx4VvWiTL6G/jFX2kMbKCVmXtniwsmEnZWlhatXauIO+nr4vK5lVvtD1dc23 HnccXLY4Qa2H81SA4a85sdF7F5fBxmKak7MP1sMLW7gCSuzkNtazk9Bg40xDWWii 4Dafa/r3+D08Dg+vxHJoA7MOIif4nwo/qKyHGd5HwCCmRD08RbYonjHGseyAI4ai dlH39up5ZRTacuvdiUva+/+ewowKeco+QTauc8hY8ox+lJnPKnEBPVSOG8gTs6Rm BGoqumf+yY8YDrvth26i+Huok/JtMtKIW0uQ02onykgZjEo/NkLTLVgGfN6FPfr8 BHLTUXBZfjMST3EaXyyq6K4h8mpFH6ioo+YTzjF9wuvXnfye+XVGQfKUK7iecKvB JH4OE4UyIKT1Prp+wICF42PNgR8CAtOcwh+nzmB4ZuutIwfMUN72fnYUYYMEiZVx 4fciRf9StssZISEv5lDZ0IhKzqvY1qAyzhQmeTrYFSQSwctyMiYwM7FOKJadtJoM zhWb17ctwdTJnIcRNgn2lTPMp5xFQn01nyQgxQv0hxyQGJw6Yq8ZK1KQPo2xCQub Ohk3GCBmlCo= Extension name: 48t15w ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/46E8EC66AF7F37CD

http://decryptor.top/46E8EC66AF7F37CD

Extracted

Path

C:\Recovery\o1xf2r4269-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion o1xf2r4269. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0CD84EC953F2A1BD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/0CD84EC953F2A1BD Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Cc0zmEAhlbRTlftjL8rX3SNUppQkhGKjAJQ9x4CSGYe5/TjCpff3RioZTjlO3lH5 MfxnUOkkAfhyogEGtRqoXbDyIAAelBhvZ+84eWlvbs+Y8mzN2G8ALbHzGEkkGIyx 0tgvAS1wVN2XNdlor+KENnbz6ok6gXXkKr572Hzu59YUhOIiPRN60V/X8zNdm08j eTK2xPP84a/aEin1HwaAB7OgCYNLvOxe220IHGv/gwEkYOKuMpb2iJeQpHaJr1i3 quRzPijM77eX4vqqZG8wEXf7Bt1UEvcesTBxkOQaP1m19ehGQcrsN2DTU+wiHRSl YmM5+AbneJBT7Ox8JMXQFfowNOT6sbhLJDhJ5oJT7Y+38m167BVrsRiUvHdUmuJZ oY/sBao+Qm8yPB0aK9u8j3kRJRra3YkMcLWrN7w+mJfcBsMu9gvODgLJ1u4GX8Pi fZuIubefViky+f7tUW6HVBp6R1wtogKaQ2Ak4Y6jtwJ5D+5o8CAhGJqq1l/s6aN2 jrjyjTpb6j+O55uEMmckthgG/9Dsy6zosFxddji1lNgirfA+gBV1LqXcfuJsyzqX oD0pLlhgKi9yYcojANDgELvW9O1NOCudsCkop56k3NeVPnT5LedrnZrPKCff6Otb 6NyuFBxEMh7zwcj+36F1dMvI9kvg0lCHTpT+6YFW0lyAyWAhAlwcepMMjRoCQDBJ rvQfetBOiZquxqRdAsmmsWqdZGwm8K5RGlkcD79tHh2CU8GFw5UFJr+eRwhuYzLm AvYVJMK8dkBEwmre5vEhfOiUzU6Ohr8nKmTM7bBLekylgz7nC0TkoO+HwdyWkrVq n+6YETkZJuj1CyVou6WdD6d+pxSa9KIClnzKX4PpF5T2zfEa6modWslbEH4ocBBm f4ubH/SWr/RJCGf5dq9eaRaId/wp7cMvlUiIok9MIuUKFjuGegPGYTdhO3PyDqSe 09Z6K5Yk43JsrMDq6nbROwSYs0duBpWEGi0sv98V7Puu5Ci3QVrgdcs4phTmNTdI EGiSsIKl05q6SBLcZv/p2MQDnPuL4UGVpm1Yt5SLjfl2Hojdc2GHVR+y6l9oStKm 1QQeXRpr03WqWysC1+Z2TFBLeEUeAVHVs2E0hESILqrYYuSAH5zFhWDas4sbuAuH +IAb0P7d7wonvDgnOtStns6oewp77GIiW0Q5NByEjCEud3ZMyuXw34crNWXE4qmP L3fqLUtoFN5V8j96OGyiG5A3AK93wQ== Extension name: o1xf2r4269 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0CD84EC953F2A1BD

http://decryptor.top/0CD84EC953F2A1BD

Targets

    • Target

      gm.rar

    • Size

      22.6MB

    • MD5

      d9aa719336b223b19cc30d1066a6955e

    • SHA1

      a5ba381e11b859554431ecd3b1d89c1d6524421c

    • SHA256

      78a28b25b330513649439305a5d9293cb07fb796ad6521ef31f39a5453a549d8

    • SHA512

      26de419b91c188182616195ce3c0c2adcc0e9cfb1b77a7bb504deb9327a968251d86aa35c356c4b23c0e87831fd7935d03b05b81403ec82aebcbc7c71579a7fd

    • SSDEEP

      393216:1WCDBR5/qcMb6ezNjpONekKdZKE1R2GjCEyvuCE3EZuzJy3Dzc1Ktp:1WCtDgb1ztpO4OE1IGmEWuhXzJIDzc1e

    Score
    3/10
    • Target

      17ffd90d20cbd49c4e0d65a484eeae65a107d5bad9582afc51c4ead8bbc147e1

    • Size

      160KB

    • MD5

      b49aedab270215f327ab95ea98cb7e33

    • SHA1

      10b4aafcdeaba91e0140b581fd397e5db94c106d

    • SHA256

      17ffd90d20cbd49c4e0d65a484eeae65a107d5bad9582afc51c4ead8bbc147e1

    • SHA512

      eebc06bc7c6f79be5c1fe0020e17b808e17c259fe99ac4d8455849c6ae383258ed637fa067ae5e203152d271494f1b2ff735973f4d2e09797ec787426418327a

    • SSDEEP

      1536:Gls0QszjGz02ZPO9nEpXiMpi28p7Pbi4eTMluxtXDCntTnICS4Ay4bbaTIL5CMdS:8RwOWpXiIgLbi4eTMlwDCnuo47pd+

    Score
    1/10
    • Target

      1caf5105988781e29d93e58abcbf3bf4c973eca1a207803629bd5cf901ef5be1

    • Size

      1.1MB

    • MD5

      40b111fdffe33c4c776d87ce7ff02431

    • SHA1

      dd6eee81a397d0b94c3532d62c613070501d0048

    • SHA256

      1caf5105988781e29d93e58abcbf3bf4c973eca1a207803629bd5cf901ef5be1

    • SHA512

      07ef4139a40d8f08acb489c4c1ced0ffe787f536d59d185ef43aaa0f17e391ca000b8c1c10813feb573241314000b7a91d52fcfcaaa4311f73432cdaaa0f921b

    • SSDEEP

      24576:LzWuYg/8kz9ncHy/B5uwMp1p4pGj3m91dscI/P:LCuYA8kZnpB5uw+1p44S91gP

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1d88c47417c082378c735c9e8180ea63627d5efff35852f1bb06fe6705581267

    • Size

      97KB

    • MD5

      e24c6b66b4e5ad59853678feed836f8d

    • SHA1

      db8a87d1c47004aadb871b0f1a03dc59ec0dffe7

    • SHA256

      1d88c47417c082378c735c9e8180ea63627d5efff35852f1bb06fe6705581267

    • SHA512

      c10a18e6252c05380c49f9c5c96470d091d6ebf3d51841c566f5700d10fd569f45200af0681909547eebcbd4503a71856fc8b7c87d1ae21f76cd782065104ab3

    • SSDEEP

      1536:JYd7Q+s7EIEne/UO6Ki1wO33sGINt/PogTXF5MJeVG7MpmPy4MPlT1SISS:JYdsihneniS+3akgTXYigMAy5PN1f

    Score
    5/10
    • Target

      1ecb59774182d0d0a04b418249428b621159838bd2bcdc1a3a7b871a65dd90af

    • Size

      611KB

    • MD5

      93c5f1cb9b83533edf1dee9cc40628e2

    • SHA1

      788731b2715d1d1f2405bd6169cede470445fdbc

    • SHA256

      1ecb59774182d0d0a04b418249428b621159838bd2bcdc1a3a7b871a65dd90af

    • SHA512

      f6fafb62d752083f97b54cfd72937e4d5483df812fe2d3425b90b98776356ab7bd049ea735db0ba93d1f424a8d7d8bc627b23a5244080917ef2c9b2400c9c526

    • SSDEEP

      12288:ffHVNgJDiUk6UICjj5Lx/q3RqmRNnw8ZnCeMN0pGoMLTcI1dJH8MSsn3dMVziVH:X1yJDdhlyxCIm3nwQCeMNqGjLYcteAdf

    Score
    10/10
    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      2a5fe7d49fcf65525cfbefaca92a12a0d2917d15f348a48fc7a4de7ae50776b5

    • Size

      24KB

    • MD5

      ce0e55a50737e81695b675cc13692322

    • SHA1

      6936cf5411534d80e2765bac129bda7472b5713f

    • SHA256

      2a5fe7d49fcf65525cfbefaca92a12a0d2917d15f348a48fc7a4de7ae50776b5

    • SHA512

      5d43b82290b91042343958d1f6485e602a29935e2bcc720d4698060941129a294cb89a81d6dc34ab60722dbff2c34f8b31591f4c60b4cc4a930535814dcb6e1e

    • SSDEEP

      384:SIa8CfT5HO7Jbh1BcNsiLv2in+HigbmIAjy/xsNXKW:ZaXfTJ4Jbh1Asib2inCuAsxKW

    Score
    1/10
    • Target

      2c1aa4fa14d7055f2239dbb29ab15089cb2752e9f94ec7a360d275dd607314dc

    • Size

      620KB

    • MD5

      5376a226b33db36b51bf85b910071031

    • SHA1

      ee89a2daf45bda00154a181b0713d351a19b6e00

    • SHA256

      2c1aa4fa14d7055f2239dbb29ab15089cb2752e9f94ec7a360d275dd607314dc

    • SHA512

      38fae7a2ef4ba9d8633dd6898f525a6d4ef91813700eb5b95a4e13dfe6caea8d291eedfd092916a50b401cb9bef24adb2a2878b327a4f00c0590d09948483083

    • SSDEEP

      12288:wUA9qXSileJnwNoFp1ayIfKIemXyYL1LyV/G/0HCO3ZaqEmhENt:wVoXcw2FpZ+9egiU0iofEmG/

    Score
    1/10
    • Target

      34d62f47e1fe45dd6309326ef696012f2473b0157e1278eea3826a95829da36e

    • Size

      432KB

    • MD5

      95d298e38d0ffa1d4bed5bcd98739195

    • SHA1

      f17fbf42b73628a694079801b0680559ee01328b

    • SHA256

      34d62f47e1fe45dd6309326ef696012f2473b0157e1278eea3826a95829da36e

    • SHA512

      f5e96cb68a1ed9f7b66b7bdecc1abe0f4cb1c80b196ef85445a150acbb9fe4fc649e6cf557c6f84d19d2da8de06f19d3fe6e686802684f9b23043e37d5d48578

    • SSDEEP

      6144:+CPCz2/aWNJ+bpHE7u5ZBFCn7Qf7oqQ1I+4M5GmOBVkc4PksaX2XA87cegDj8+j:Xaz2ivtk7q0i7oDhnGHimw7cHDj8+

    Score
    3/10
    • Target

      38f1b8c86870354a31878d55c6897d7eb9e83f9418aafbfe9f6ff897dd3c2f05

    • Size

      1.1MB

    • MD5

      38d1e069b9e9b3e0c255e49115295b7e

    • SHA1

      151b38a5fc8271cfdd03c72367b55242f7891f78

    • SHA256

      38f1b8c86870354a31878d55c6897d7eb9e83f9418aafbfe9f6ff897dd3c2f05

    • SHA512

      a8334a202415641ca9706de45df45dc9304643b141ba4651bbe80c1c524b72ad56ab4cda01f45f08c3727991ed7789f9bf238d9304a5b8d8a41140fbd7c53610

    • SSDEEP

      24576:PtO+RduDZwmzMo5sD5AgT4CoCTisqywkPOsxwZms3Qhg:PtOAuWmIOe2ZCoC+sWzZms3Qa

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04

    • Size

      164KB

    • MD5

      5117dc6337d71e68262ddc6124ff1b33

    • SHA1

      41890b9a7043d3d6300ed2a128425f321c69ea0c

    • SHA256

      40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04

    • SHA512

      71534faf779387a35e28f64d26a8d032c93f4273a30d0102ac8265399f198c9dbd119ae1e186d902ebd5b19e0c57094ec171bc101d5c073a75346f62d17fbc8c

    • SSDEEP

      3072:9fg0NBlu9CNTed7/kBazzFbULRU0pNa+eGfiN82R:9Y0NvuUN6F/M4qtXpNHE82R

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      410ee08c8a84fbb947d5f4635c95c6c8d244a51855afd4f6aa0e82dba1c38a59

    • Size

      370KB

    • MD5

      d607888bc583a5712928c7c02555930a

    • SHA1

      76963321489e6ac40ed10b54cc233e6e3a031235

    • SHA256

      410ee08c8a84fbb947d5f4635c95c6c8d244a51855afd4f6aa0e82dba1c38a59

    • SHA512

      3ff95cbaa21d56b51946a88f7034a812b6941f0f18c67694d7c2a53605a7475a04c2641c524c6dabc529a00b8b46e7e091b600b902973aa68410f1132b3f7f6d

    • SSDEEP

      6144:Us/n1Xe/+6AZbw0aeBQMZb+zpnBvkgr4YXNgyt5lcFT7GeLhLZYl:z/n1O/+6AZFaem8O4YRliTqe9Zu

    Score
    6/10
    • Target

      423b7b37b1925762c4417d81bd0f434f9760c1ed844b4b47ee7f25c8d0740242

    • Size

      20KB

    • MD5

      e480106d096f6a5ed69ecbf74f0a1007

    • SHA1

      48c612190f9aca3dc4b5af70a760b17597edc402

    • SHA256

      423b7b37b1925762c4417d81bd0f434f9760c1ed844b4b47ee7f25c8d0740242

    • SHA512

      6962a66118fd13335bbeddad901c3db91e43f6549d576b69e50e2e00816862517003d50965ad22bc87bcb59eb2e435d0b449d33cadacc989a4a6691ee7cbffef

    • SSDEEP

      384:2fkfodG6s/04vMLk24jXPl8a3XEW5/5YiEB8:rfyQ/vg2XPrY

    Score
    1/10
    • Target

      4315b6e87c88972648fac6610116046b7af4aca6bd445839ecc8f21515591a0b

    • Size

      3.9MB

    • MD5

      05e136c5e18d962fc7cc490a48bf43c5

    • SHA1

      db3a52fb85741df954508410d864a3b8d8a7bb36

    • SHA256

      4315b6e87c88972648fac6610116046b7af4aca6bd445839ecc8f21515591a0b

    • SHA512

      e5770d49869f22761d6984298dfb34292719e743a018d48ebcef1c0430067eab83436b846a98b7e7439ead01d80ad0078d132e1333f404b0d0a14edc92f7c487

    • SSDEEP

      98304:wuv7TVLSNplylkdcHc6H5aE1LQx84rK5aKYea:XLSNpl2hya0x84rKcKYea

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      453c6fe9e176af08b176430630a4eec6f1de09f7f147248dc905dc9823af1b91

    • Size

      9.2MB

    • MD5

      b9a3cc40fd0e73538c2500455572fc44

    • SHA1

      dfd804af79f2438bcbb01f6560b51cc6f9efed9f

    • SHA256

      453c6fe9e176af08b176430630a4eec6f1de09f7f147248dc905dc9823af1b91

    • SHA512

      b2591fcfd97c156cf056319373516c87f76fe865cf92805fe823fe2580edb29e51fb1fc91329a5bc906dd335791087777b9b425eef5b5de807f8afbece038695

    • SSDEEP

      384:uNqsjDr0sG2Sah6EzHCkbvllAoQS1qcL2QxrNbSyskR+f6scNTFmfOu:HsjDy2Sahjv31Vt++NTgOu

    Score
    1/10
    • Target

      4a841216cbbd4a587cc579434a043c17f54e3eb0e7ff615b3985411587dfa837

    • Size

      14KB

    • MD5

      898b24cd1105ff108bbe18d9b2b39b22

    • SHA1

      2cc018123c389c5c8c741cb4ed4085674f417fc3

    • SHA256

      4a841216cbbd4a587cc579434a043c17f54e3eb0e7ff615b3985411587dfa837

    • SHA512

      ae2bc3e82bc4e36d4d756151d223b12a54f4097733b7cf4eabb9561bb3bf074ba40f40fcbc43aac4c6cb0267961ca4aa57ac3a6f8abba4bc0c0368b40f3d866c

    • SSDEEP

      192:OJLd5quhzqEQVRMI+cM3xbeaV19ZKcxBRkWM2X48xQI+9y5n0kfz7:OJJ5quqTRNuXvgW48x09y50kf

    Score
    1/10
    • Target

      4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9

    • Size

      71KB

    • MD5

      7d09bbc0aee91d29b3e62aa7889d75ac

    • SHA1

      dcc48feec76915615fca1db6e2e726543fba9566

    • SHA256

      4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9

    • SHA512

      3f476f40f9a17919946df05bca46d0169531fd32982cc7c62ec685aef680c2fe064361da928fb174274c88f25b64db75f9c996e271e5b3a0836aa4101649a275

    • SSDEEP

      192:YKA9x8uHsLXl0Hjo7WLom8YHwOrDU0U4cbHaF55n3nN7a:YKA9WuwXl0YZm8eDr40/cuF73Za

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

33296upx19351511862046themidasodinokibicrimsonrat
Score
10/10

behavioral1

Score
3/10

behavioral2

Score
3/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

troldeshdiscoverypersistenceransomwarespywarestealertrojanupx
Score
10/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

microsoftphishing
Score
5/10

behavioral9

persistenceupx
Score
10/10

behavioral10

persistenceupx
Score
10/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
3/10

behavioral16

Score
3/10

behavioral17

troldeshdiscoverypersistenceransomwarespywarestealertrojanupx
Score
10/10

behavioral18

troldeshdiscoverypersistenceransomwarespywarestealertrojanupx
Score
10/10

behavioral19

sodinokibiransomwarespywarestealer
Score
10/10

behavioral20

sodinokibiransomwarespywarestealer
Score
10/10

behavioral21

persistence
Score
6/10

behavioral22

persistence
Score
6/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
7/10

behavioral26

Score
7/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10