crimsonrat | 78a28b25b330513649439305a5d9293cb07fb796ad6521ef31f39a5453a549d8

Resubmissions

07-09-2023 14:45

230907-r45fysaf5s 10

07-09-2023 14:12

230907-rjbyxaad5s 10

Sharing

Copy URL

Twitter E-mail

General

Target

gm.rar
Size

22.6MB
Sample

230907-r45fysaf5s
MD5

d9aa719336b223b19cc30d1066a6955e
SHA1

a5ba381e11b859554431ecd3b1d89c1d6524421c
SHA256

78a28b25b330513649439305a5d9293cb07fb796ad6521ef31f39a5453a549d8
SHA512

26de419b91c188182616195ce3c0c2adcc0e9cfb1b77a7bb504deb9327a968251d86aa35c356c4b23c0e87831fd7935d03b05b81403ec82aebcbc7c71579a7fd
SSDEEP

393216:1WCDBR5/qcMb6ezNjpONekKdZKE1R2GjCEyvuCE3EZuzJy3Dzc1Ktp:1WCtDgb1ztpO4OE1IGmEWuhXzJIDzc1e

Score

10^/10

crimsonrat sodinokibi troldesh 15 19 20 33 1186 296 35 46 microsoft discovery persistence phishing ransomware spyware stealer themida trojan upx

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

296

Decoy

craftron.com

piestar.com

tages-geldvergleich.de

pxsrl.it

framemyballs.com

photographycreativity.co.uk

cincinnatiphotocompany.org

billyoart.com

midwestschool.org

supercarhire.co.uk

encounter-p.net

ncn.nl

fanuli.com.au

gosouldeep.com

greenrider.nl

renehartman.nl

entdoctor-durban.com

astrographic.com

advesa.com

skyscanner.ro

Attributes

net
true
pid
33
prc
sqlbrowser.exe
sqlwriter.exe
firefoxconfig.exe
thunderbird.exe
agntsvc.exe
thebat.exe
infopath.exe
mysqld_nt.exe
winword.exe
tbirdconfig.exe
sqlagent.exe
onenote.exe
ocautoupds.exe
msaccess.exe
sqlservr.exe
mydesktopservice.exe
outlook.exe
wordpad.exe
dbeng50.exe
thebat64.exe
msftesql.exe
dbsnmp.exe
mydesktopqos.exe
oracle.exe
ocssd.exe
excel.exe
visio.exe
isqlplussvc.exe
mysqld_opt.exe
sqbcoreservice.exe
mspub.exe
ocomm.exe
mysqld.exe
steam.exe
synctime.exe
encsvc.exe
xfssvccon.exe
powerpnt.exe
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
296

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

eshop.design

harleystreetspineclinic.com

qrs-international.com

stabilisateur.fr

imaginekithomes.co.nz

watchsale.biz

levencovka.ru

acornishstudio.co.uk

kroophold-sjaelland.dk

frameshift.it

aberdeenartwalk.org

leadforensics.com

craftron.com

diverfiestas.com.es

kenmccallum.com

billscars.net

ncn.nl

towelroot.co

sochi-okna23.ru

oro.ae

Attributes

net
true
pid
19
prc
mysqld_nt
mysqld
firefoxconfig
encsvc
mydesktopqos
visio
infopath
agntsvc
wordpad
mysqld_opt
outlook
ocautoupds
mydesktopservice
mspub
msaccess
powerpnt
ocomm
sqlbrowser
winword
sqbcoreservice
sqlagent
synctime
thunderbird
thebat64
sqlwriter
onenote
xfssvccon
ocssd
tbirdconfig
dbeng50
thebat
excel
dbsnmp
oracle
sqlservr
steam
msftesql
isqlplussvc
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
35
svc
vss
mepocs
sql
svc$
backup
sophos
memtas
veeam

Extracted

Family

crimsonrat

81.17.56.2260

111.115.6.118

Extracted

Family

sodinokibi

Botnet

Campaign

1186

Decoy

oexebusiness.com

mondolandscapes.com

thiagoperez.com

hawaiisteelbuilding.com

cleanroomequipment.ie

dinedrinkdetroit.com

craftingalegacy.com

sambaglow.com

thegrinningmanmusical.com

chinowarehousespace.com

jlwilsonbooks.com

rentsportsequip.com

advesa.com

nauticmarine.dk

fi-institutionalfunds.com

agriturismocastagneto.it

c-sprop.com

fysiotherapierijnmond.nl

masecologicos.com

otpusk.zp.ua

Attributes

net
true
pid
15
prc
mysqld
thebat64
sqlbrowser
dbeng50
dbsnmp
sqlservr
infopath
thebat
winword
steam
tbirdconfig
mysqld_opt
ocautoupds
mysqld_nt
msftesql
sqlagent
ocomm
synctime
outlook
xfssvccon
sqlwriter
powerpnt
isqlplussvc
excel
ocssd
thunderbird
visio
mydesktopservice
agntsvc
oracle
msaccess
encsvc
onenote
sqbcoreservice
mspub
wordpad
mydesktopqos
firefoxconfig
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
1186
svc
mepocs
sophos
vss
memtas
backup
sql
svc$
veeam

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

marcandy.com

tzn.nu

alcye.com

barbaramcfadyenjewelry.com

parentsandkids.com

nieuwsindeklas.be

the-cupboard.co.uk

molinum.pt

alabamaroofingllc.com

hensleymarketing.com

hnkns.com

comoserescritor.com

charlesfrancis.photos

michaelfiegel.com

sveneulberg.de

modamarfil.com

mollymccarthydesign.com

evsynthacademy.org

precisetemp.com

domaine-des-pothiers.com

Attributes

net
true
pid
20
prc
mysql
sqlservr
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
46
svc
sophos
backup
sql
mepocs
memtas
veeam
vss
svc$

Extracted

Path

C:\Users\48t15w-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 48t15w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/46E8EC66AF7F37CD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/46E8EC66AF7F37CD Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: sYoAuNwu8txDdr0LbHOh6diEwoWBNnaK9qzQbt3NJEQucD6bsmsGO1wod2g3UGqX b6wRyb0MlIrKPPrCYdCtsh89+uJjcvC4y2Oa/tJCyOoGsY/NiBnfYYEYNPo2CCRi LePbZ4dQOftXxvSaN1+zxjK99g+8UlxXVsaFsi5uHXk0Xlu+sqQA97zoqUdrCDV1 VEoSmfu5dUi3wdoVy4ZD3StFBYvFqvfvBA6O9stXZ4vAXew41mGO62kTCc+v/Fse 41o4wfNWRKGYB+UR1BDIWY88GDE68y2p7Dn2qHY35KUbPaFBCCHC7pTCs2JLJwHD 9TI52gMgf5X73Wr4RaPbIvpqHmdXWLTPVZM2K37ouyTvfexBNpO8oUaes8BXzzrX j4qg9+qfic6H/f/v+QEVtBrdp/ACZxI5WhxQHiC70qKWhO2uQcmb1BVob3E30vH/ gNwg+c7kfz1g8RIOoQQxifvb6cnYZQH/LjZMHxHa2HTooTz0yDNnhNmvIHOqdwcz Qtl7cj03OJx5dyQM0acdRp/R3D4VQK33ledJKxqiDIQeNHanhUNBgXOcNhohHiRC g/JJYHwBXYfSfnmeEmxHw0Y6vfpqNy56E1ptOzbcxU9XH5OXyiJrWxZzxUzzziNB T3ykIx4VvWiTL6G/jFX2kMbKCVmXtniwsmEnZWlhatXauIO+nr4vK5lVvtD1dc23 HnccXLY4Qa2H81SA4a85sdF7F5fBxmKak7MP1sMLW7gCSuzkNtazk9Bg40xDWWii 4Dafa/r3+D08Dg+vxHJoA7MOIif4nwo/qKyHGd5HwCCmRD08RbYonjHGseyAI4ai dlH39up5ZRTacuvdiUva+/+ewowKeco+QTauc8hY8ox+lJnPKnEBPVSOG8gTs6Rm BGoqumf+yY8YDrvth26i+Huok/JtMtKIW0uQ02onykgZjEo/NkLTLVgGfN6FPfr8 BHLTUXBZfjMST3EaXyyq6K4h8mpFH6ioo+YTzjF9wuvXnfye+XVGQfKUK7iecKvB JH4OE4UyIKT1Prp+wICF42PNgR8CAtOcwh+nzmB4ZuutIwfMUN72fnYUYYMEiZVx 4fciRf9StssZISEv5lDZ0IhKzqvY1qAyzhQmeTrYFSQSwctyMiYwM7FOKJadtJoM zhWb17ctwdTJnIcRNgn2lTPMp5xFQn01nyQgxQv0hxyQGJw6Yq8ZK1KQPo2xCQub Ohk3GCBmlCo= Extension name: 48t15w ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/46E8EC66AF7F37CD

http://decryptor.top/46E8EC66AF7F37CD

Extracted

Path

C:\Recovery\o1xf2r4269-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion o1xf2r4269. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0CD84EC953F2A1BD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/0CD84EC953F2A1BD Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Cc0zmEAhlbRTlftjL8rX3SNUppQkhGKjAJQ9x4CSGYe5/TjCpff3RioZTjlO3lH5 MfxnUOkkAfhyogEGtRqoXbDyIAAelBhvZ+84eWlvbs+Y8mzN2G8ALbHzGEkkGIyx 0tgvAS1wVN2XNdlor+KENnbz6ok6gXXkKr572Hzu59YUhOIiPRN60V/X8zNdm08j eTK2xPP84a/aEin1HwaAB7OgCYNLvOxe220IHGv/gwEkYOKuMpb2iJeQpHaJr1i3 quRzPijM77eX4vqqZG8wEXf7Bt1UEvcesTBxkOQaP1m19ehGQcrsN2DTU+wiHRSl YmM5+AbneJBT7Ox8JMXQFfowNOT6sbhLJDhJ5oJT7Y+38m167BVrsRiUvHdUmuJZ oY/sBao+Qm8yPB0aK9u8j3kRJRra3YkMcLWrN7w+mJfcBsMu9gvODgLJ1u4GX8Pi fZuIubefViky+f7tUW6HVBp6R1wtogKaQ2Ak4Y6jtwJ5D+5o8CAhGJqq1l/s6aN2 jrjyjTpb6j+O55uEMmckthgG/9Dsy6zosFxddji1lNgirfA+gBV1LqXcfuJsyzqX oD0pLlhgKi9yYcojANDgELvW9O1NOCudsCkop56k3NeVPnT5LedrnZrPKCff6Otb 6NyuFBxEMh7zwcj+36F1dMvI9kvg0lCHTpT+6YFW0lyAyWAhAlwcepMMjRoCQDBJ rvQfetBOiZquxqRdAsmmsWqdZGwm8K5RGlkcD79tHh2CU8GFw5UFJr+eRwhuYzLm AvYVJMK8dkBEwmre5vEhfOiUzU6Ohr8nKmTM7bBLekylgz7nC0TkoO+HwdyWkrVq n+6YETkZJuj1CyVou6WdD6d+pxSa9KIClnzKX4PpF5T2zfEa6modWslbEH4ocBBm f4ubH/SWr/RJCGf5dq9eaRaId/wp7cMvlUiIok9MIuUKFjuGegPGYTdhO3PyDqSe 09Z6K5Yk43JsrMDq6nbROwSYs0duBpWEGi0sv98V7Puu5Ci3QVrgdcs4phTmNTdI EGiSsIKl05q6SBLcZv/p2MQDnPuL4UGVpm1Yt5SLjfl2Hojdc2GHVR+y6l9oStKm 1QQeXRpr03WqWysC1+Z2TFBLeEUeAVHVs2E0hESILqrYYuSAH5zFhWDas4sbuAuH +IAb0P7d7wonvDgnOtStns6oewp77GIiW0Q5NByEjCEud3ZMyuXw34crNWXE4qmP L3fqLUtoFN5V8j96OGyiG5A3AK93wQ== Extension name: o1xf2r4269 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0CD84EC953F2A1BD

http://decryptor.top/0CD84EC953F2A1BD

Targets

- Target
  
  gm.rar
- Size
  
  22.6MB
- MD5
  
  d9aa719336b223b19cc30d1066a6955e
- SHA1
  
  a5ba381e11b859554431ecd3b1d89c1d6524421c
- SHA256
  
  78a28b25b330513649439305a5d9293cb07fb796ad6521ef31f39a5453a549d8
- SHA512
  
  26de419b91c188182616195ce3c0c2adcc0e9cfb1b77a7bb504deb9327a968251d86aa35c356c4b23c0e87831fd7935d03b05b81403ec82aebcbc7c71579a7fd
- SSDEEP
  
  393216:1WCDBR5/qcMb6ezNjpONekKdZKE1R2GjCEyvuCE3EZuzJy3Dzc1Ktp:1WCtDgb1ztpO4OE1IGmEWuhXzJIDzc1e
Score

3^/10
behavioral1 behavioral2
- Target
  
  17ffd90d20cbd49c4e0d65a484eeae65a107d5bad9582afc51c4ead8bbc147e1
- Size
  
  160KB
- MD5
  
  b49aedab270215f327ab95ea98cb7e33
- SHA1
  
  10b4aafcdeaba91e0140b581fd397e5db94c106d
- SHA256
  
  17ffd90d20cbd49c4e0d65a484eeae65a107d5bad9582afc51c4ead8bbc147e1
- SHA512
  
  eebc06bc7c6f79be5c1fe0020e17b808e17c259fe99ac4d8455849c6ae383258ed637fa067ae5e203152d271494f1b2ff735973f4d2e09797ec787426418327a
- SSDEEP
  
  1536:Gls0QszjGz02ZPO9nEpXiMpi28p7Pbi4eTMluxtXDCntTnICS4Ay4bbaTIL5CMdS:8RwOWpXiIgLbi4eTMlwDCnuo47pd+
Score

1^/10
behavioral3 behavioral4
- Target
  
  1caf5105988781e29d93e58abcbf3bf4c973eca1a207803629bd5cf901ef5be1
- Size
  
  1.1MB
- MD5
  
  40b111fdffe33c4c776d87ce7ff02431
- SHA1
  
  dd6eee81a397d0b94c3532d62c613070501d0048
- SHA256
  
  1caf5105988781e29d93e58abcbf3bf4c973eca1a207803629bd5cf901ef5be1
- SHA512
  
  07ef4139a40d8f08acb489c4c1ced0ffe787f536d59d185ef43aaa0f17e391ca000b8c1c10813feb573241314000b7a91d52fcfcaaa4311f73432cdaaa0f921b
- SSDEEP
  
  24576:LzWuYg/8kz9ncHy/B5uwMp1p4pGj3m91dscI/P:LCuYA8kZnpB5uw+1p44S91gP
Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral5 behavioral6
- Target
  
  1d88c47417c082378c735c9e8180ea63627d5efff35852f1bb06fe6705581267
- Size
  
  97KB
- MD5
  
  e24c6b66b4e5ad59853678feed836f8d
- SHA1
  
  db8a87d1c47004aadb871b0f1a03dc59ec0dffe7
- SHA256
  
  1d88c47417c082378c735c9e8180ea63627d5efff35852f1bb06fe6705581267
- SHA512
  
  c10a18e6252c05380c49f9c5c96470d091d6ebf3d51841c566f5700d10fd569f45200af0681909547eebcbd4503a71856fc8b7c87d1ae21f76cd782065104ab3
- SSDEEP
  
  1536:JYd7Q+s7EIEne/UO6Ki1wO33sGINt/PogTXF5MJeVG7MpmPy4MPlT1SISS:JYdsihneniS+3akgTXYigMAy5PN1f
Score

5^/10

microsoft phishing
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
behavioral7 behavioral8
- Target
  
  1ecb59774182d0d0a04b418249428b621159838bd2bcdc1a3a7b871a65dd90af
- Size
  
  611KB
- MD5
  
  93c5f1cb9b83533edf1dee9cc40628e2
- SHA1
  
  788731b2715d1d1f2405bd6169cede470445fdbc
- SHA256
  
  1ecb59774182d0d0a04b418249428b621159838bd2bcdc1a3a7b871a65dd90af
- SHA512
  
  f6fafb62d752083f97b54cfd72937e4d5483df812fe2d3425b90b98776356ab7bd049ea735db0ba93d1f424a8d7d8bc627b23a5244080917ef2c9b2400c9c526
- SSDEEP
  
  12288:ffHVNgJDiUk6UICjj5Lx/q3RqmRNnw8ZnCeMN0pGoMLTcI1dJH8MSsn3dMVziVH:X1yJDdhlyxCIm3nwQCeMNqGjLYcteAdf
Score

10^/10

persistence upx
- Modifies WinLogon for persistence
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral10 behavioral9
- Target
  
  2a5fe7d49fcf65525cfbefaca92a12a0d2917d15f348a48fc7a4de7ae50776b5
- Size
  
  24KB
- MD5
  
  ce0e55a50737e81695b675cc13692322
- SHA1
  
  6936cf5411534d80e2765bac129bda7472b5713f
- SHA256
  
  2a5fe7d49fcf65525cfbefaca92a12a0d2917d15f348a48fc7a4de7ae50776b5
- SHA512
  
  5d43b82290b91042343958d1f6485e602a29935e2bcc720d4698060941129a294cb89a81d6dc34ab60722dbff2c34f8b31591f4c60b4cc4a930535814dcb6e1e
- SSDEEP
  
  384:SIa8CfT5HO7Jbh1BcNsiLv2in+HigbmIAjy/xsNXKW:ZaXfTJ4Jbh1Asib2inCuAsxKW
Score

1^/10
behavioral11 behavioral12
- Target
  
  2c1aa4fa14d7055f2239dbb29ab15089cb2752e9f94ec7a360d275dd607314dc
- Size
  
  620KB
- MD5
  
  5376a226b33db36b51bf85b910071031
- SHA1
  
  ee89a2daf45bda00154a181b0713d351a19b6e00
- SHA256
  
  2c1aa4fa14d7055f2239dbb29ab15089cb2752e9f94ec7a360d275dd607314dc
- SHA512
  
  38fae7a2ef4ba9d8633dd6898f525a6d4ef91813700eb5b95a4e13dfe6caea8d291eedfd092916a50b401cb9bef24adb2a2878b327a4f00c0590d09948483083
- SSDEEP
  
  12288:wUA9qXSileJnwNoFp1ayIfKIemXyYL1LyV/G/0HCO3ZaqEmhENt:wVoXcw2FpZ+9egiU0iofEmG/
Score

1^/10
behavioral13 behavioral14
- Target
  
  34d62f47e1fe45dd6309326ef696012f2473b0157e1278eea3826a95829da36e
- Size
  
  432KB
- MD5
  
  95d298e38d0ffa1d4bed5bcd98739195
- SHA1
  
  f17fbf42b73628a694079801b0680559ee01328b
- SHA256
  
  34d62f47e1fe45dd6309326ef696012f2473b0157e1278eea3826a95829da36e
- SHA512
  
  f5e96cb68a1ed9f7b66b7bdecc1abe0f4cb1c80b196ef85445a150acbb9fe4fc649e6cf557c6f84d19d2da8de06f19d3fe6e686802684f9b23043e37d5d48578
- SSDEEP
  
  6144:+CPCz2/aWNJ+bpHE7u5ZBFCn7Qf7oqQ1I+4M5GmOBVkc4PksaX2XA87cegDj8+j:Xaz2ivtk7q0i7oDhnGHimw7cHDj8+
Score

3^/10
behavioral15 behavioral16
- Target
  
  38f1b8c86870354a31878d55c6897d7eb9e83f9418aafbfe9f6ff897dd3c2f05
- Size
  
  1.1MB
- MD5
  
  38d1e069b9e9b3e0c255e49115295b7e
- SHA1
  
  151b38a5fc8271cfdd03c72367b55242f7891f78
- SHA256
  
  38f1b8c86870354a31878d55c6897d7eb9e83f9418aafbfe9f6ff897dd3c2f05
- SHA512
  
  a8334a202415641ca9706de45df45dc9304643b141ba4651bbe80c1c524b72ad56ab4cda01f45f08c3727991ed7789f9bf238d9304a5b8d8a41140fbd7c53610
- SSDEEP
  
  24576:PtO+RduDZwmzMo5sD5AgT4CoCTisqywkPOsxwZms3Qhg:PtOAuWmIOe2ZCoC+sWzZms3Qa
Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral17 behavioral18
- Target
  
  40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04
- Size
  
  164KB
- MD5
  
  5117dc6337d71e68262ddc6124ff1b33
- SHA1
  
  41890b9a7043d3d6300ed2a128425f321c69ea0c
- SHA256
  
  40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04
- SHA512
  
  71534faf779387a35e28f64d26a8d032c93f4273a30d0102ac8265399f198c9dbd119ae1e186d902ebd5b19e0c57094ec171bc101d5c073a75346f62d17fbc8c
- SSDEEP
  
  3072:9fg0NBlu9CNTed7/kBazzFbULRU0pNa+eGfiN82R:9Y0NvuUN6F/M4qtXpNHE82R
Score

10^/10

sodinokibi ransomware spyware stealer
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral19 behavioral20
- Target
  
  410ee08c8a84fbb947d5f4635c95c6c8d244a51855afd4f6aa0e82dba1c38a59
- Size
  
  370KB
- MD5
  
  d607888bc583a5712928c7c02555930a
- SHA1
  
  76963321489e6ac40ed10b54cc233e6e3a031235
- SHA256
  
  410ee08c8a84fbb947d5f4635c95c6c8d244a51855afd4f6aa0e82dba1c38a59
- SHA512
  
  3ff95cbaa21d56b51946a88f7034a812b6941f0f18c67694d7c2a53605a7475a04c2641c524c6dabc529a00b8b46e7e091b600b902973aa68410f1132b3f7f6d
- SSDEEP
  
  6144:Us/n1Xe/+6AZbw0aeBQMZb+zpnBvkgr4YXNgyt5lcFT7GeLhLZYl:z/n1O/+6AZFaem8O4YRliTqe9Zu
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral21 behavioral22
- Target
  
  423b7b37b1925762c4417d81bd0f434f9760c1ed844b4b47ee7f25c8d0740242
- Size
  
  20KB
- MD5
  
  e480106d096f6a5ed69ecbf74f0a1007
- SHA1
  
  48c612190f9aca3dc4b5af70a760b17597edc402
- SHA256
  
  423b7b37b1925762c4417d81bd0f434f9760c1ed844b4b47ee7f25c8d0740242
- SHA512
  
  6962a66118fd13335bbeddad901c3db91e43f6549d576b69e50e2e00816862517003d50965ad22bc87bcb59eb2e435d0b449d33cadacc989a4a6691ee7cbffef
- SSDEEP
  
  384:2fkfodG6s/04vMLk24jXPl8a3XEW5/5YiEB8:rfyQ/vg2XPrY
Score

1^/10
behavioral23 behavioral24
- Target
  
  4315b6e87c88972648fac6610116046b7af4aca6bd445839ecc8f21515591a0b
- Size
  
  3.9MB
- MD5
  
  05e136c5e18d962fc7cc490a48bf43c5
- SHA1
  
  db3a52fb85741df954508410d864a3b8d8a7bb36
- SHA256
  
  4315b6e87c88972648fac6610116046b7af4aca6bd445839ecc8f21515591a0b
- SHA512
  
  e5770d49869f22761d6984298dfb34292719e743a018d48ebcef1c0430067eab83436b846a98b7e7439ead01d80ad0078d132e1333f404b0d0a14edc92f7c487
- SSDEEP
  
  98304:wuv7TVLSNplylkdcHc6H5aE1LQx84rK5aKYea:XLSNpl2hya0x84rKcKYea
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  453c6fe9e176af08b176430630a4eec6f1de09f7f147248dc905dc9823af1b91
- Size
  
  9.2MB
- MD5
  
  b9a3cc40fd0e73538c2500455572fc44
- SHA1
  
  dfd804af79f2438bcbb01f6560b51cc6f9efed9f
- SHA256
  
  453c6fe9e176af08b176430630a4eec6f1de09f7f147248dc905dc9823af1b91
- SHA512
  
  b2591fcfd97c156cf056319373516c87f76fe865cf92805fe823fe2580edb29e51fb1fc91329a5bc906dd335791087777b9b425eef5b5de807f8afbece038695
- SSDEEP
  
  384:uNqsjDr0sG2Sah6EzHCkbvllAoQS1qcL2QxrNbSyskR+f6scNTFmfOu:HsjDy2Sahjv31Vt++NTgOu
Score

1^/10
behavioral27 behavioral28
- Target
  
  4a841216cbbd4a587cc579434a043c17f54e3eb0e7ff615b3985411587dfa837
- Size
  
  14KB
- MD5
  
  898b24cd1105ff108bbe18d9b2b39b22
- SHA1
  
  2cc018123c389c5c8c741cb4ed4085674f417fc3
- SHA256
  
  4a841216cbbd4a587cc579434a043c17f54e3eb0e7ff615b3985411587dfa837
- SHA512
  
  ae2bc3e82bc4e36d4d756151d223b12a54f4097733b7cf4eabb9561bb3bf074ba40f40fcbc43aac4c6cb0267961ca4aa57ac3a6f8abba4bc0c0368b40f3d866c
- SSDEEP
  
  192:OJLd5quhzqEQVRMI+cM3xbeaV19ZKcxBRkWM2X48xQI+9y5n0kfz7:OJJ5quqTRNuXvgW48x09y50kf
Score

1^/10
behavioral29 behavioral30
- Target
  
  4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9
- Size
  
  71KB
- MD5
  
  7d09bbc0aee91d29b3e62aa7889d75ac
- SHA1
  
  dcc48feec76915615fca1db6e2e726543fba9566
- SHA256
  
  4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9
- SHA512
  
  3f476f40f9a17919946df05bca46d0169531fd32982cc7c62ec685aef680c2fe064361da928fb174274c88f25b64db75f9c996e271e5b3a0836aa4101649a275
- SSDEEP
  
  192:YKA9x8uHsLXl0Hjo7WLom8YHwOrDU0U4cbHaF55n3nN7a:YKA9WuwXl0YZm8eDr40/cuF73Za
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Indicator Removal

T1070

File Deletion

T1070.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Troldesh, Shade, Encoder.858

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Checks installed software on the system

Detected potential entity reuse from brand microsoft.

Modifies WinLogon for persistence

UPX packed file

Maps connected drives based on registry

Troldesh, Shade, Encoder.858

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Checks installed software on the system

Sodin,Sodinokibi,REvil

Deletes shadow copies

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in System32 directory

Sets desktop wallpaper using registry

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32