crimsonrat | 78a28b25b330513649439305a5d9293cb07fb796ad6521ef31f39a5453a549d8

Resubmissions

07-09-2023 14:45

230907-r45fysaf5s 10

07-09-2023 14:12

230907-rjbyxaad5s 10

Sharing

Copy URL

Twitter E-mail

General

Target

gm.rar
Size

22.6MB
Sample

230907-rjbyxaad5s
MD5

d9aa719336b223b19cc30d1066a6955e
SHA1

a5ba381e11b859554431ecd3b1d89c1d6524421c
SHA256

78a28b25b330513649439305a5d9293cb07fb796ad6521ef31f39a5453a549d8
SHA512

26de419b91c188182616195ce3c0c2adcc0e9cfb1b77a7bb504deb9327a968251d86aa35c356c4b23c0e87831fd7935d03b05b81403ec82aebcbc7c71579a7fd
SSDEEP

393216:1WCDBR5/qcMb6ezNjpONekKdZKE1R2GjCEyvuCE3EZuzJy3Dzc1Ktp:1WCtDgb1ztpO4OE1IGmEWuhXzJIDzc1e

Score

10^/10

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

296

Decoy

craftron.com

piestar.com

tages-geldvergleich.de

pxsrl.it

framemyballs.com

photographycreativity.co.uk

cincinnatiphotocompany.org

billyoart.com

midwestschool.org

supercarhire.co.uk

encounter-p.net

ncn.nl

fanuli.com.au

gosouldeep.com

greenrider.nl

renehartman.nl

entdoctor-durban.com

astrographic.com

advesa.com

skyscanner.ro

Attributes

net
true
pid
33
prc
sqlbrowser.exe
sqlwriter.exe
firefoxconfig.exe
thunderbird.exe
agntsvc.exe
thebat.exe
infopath.exe
mysqld_nt.exe
winword.exe
tbirdconfig.exe
sqlagent.exe
onenote.exe
ocautoupds.exe
msaccess.exe
sqlservr.exe
mydesktopservice.exe
outlook.exe
wordpad.exe
dbeng50.exe
thebat64.exe
msftesql.exe
dbsnmp.exe
mydesktopqos.exe
oracle.exe
ocssd.exe
excel.exe
visio.exe
isqlplussvc.exe
mysqld_opt.exe
sqbcoreservice.exe
mspub.exe
ocomm.exe
mysqld.exe
steam.exe
synctime.exe
encsvc.exe
xfssvccon.exe
powerpnt.exe
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
296

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

eshop.design

harleystreetspineclinic.com

qrs-international.com

stabilisateur.fr

imaginekithomes.co.nz

watchsale.biz

levencovka.ru

acornishstudio.co.uk

kroophold-sjaelland.dk

frameshift.it

aberdeenartwalk.org

leadforensics.com

craftron.com

diverfiestas.com.es

kenmccallum.com

billscars.net

ncn.nl

towelroot.co

sochi-okna23.ru

oro.ae

Attributes

net
true
pid
19
prc
mysqld_nt
mysqld
firefoxconfig
encsvc
mydesktopqos
visio
infopath
agntsvc
wordpad
mysqld_opt
outlook
ocautoupds
mydesktopservice
mspub
msaccess
powerpnt
ocomm
sqlbrowser
winword
sqbcoreservice
sqlagent
synctime
thunderbird
thebat64
sqlwriter
onenote
xfssvccon
ocssd
tbirdconfig
dbeng50
thebat
excel
dbsnmp
oracle
sqlservr
steam
msftesql
isqlplussvc
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
35
svc
vss
mepocs
sql
svc$
backup
sophos
memtas
veeam

Extracted

Family

crimsonrat

81.17.56.2260

111.115.6.118

Extracted

Family

sodinokibi

Botnet

Campaign

1186

Decoy

oexebusiness.com

mondolandscapes.com

thiagoperez.com

hawaiisteelbuilding.com

cleanroomequipment.ie

dinedrinkdetroit.com

craftingalegacy.com

sambaglow.com

thegrinningmanmusical.com

chinowarehousespace.com

jlwilsonbooks.com

rentsportsequip.com

advesa.com

nauticmarine.dk

fi-institutionalfunds.com

agriturismocastagneto.it

c-sprop.com

fysiotherapierijnmond.nl

masecologicos.com

otpusk.zp.ua

Attributes

net
true
pid
15
prc
mysqld
thebat64
sqlbrowser
dbeng50
dbsnmp
sqlservr
infopath
thebat
winword
steam
tbirdconfig
mysqld_opt
ocautoupds
mysqld_nt
msftesql
sqlagent
ocomm
synctime
outlook
xfssvccon
sqlwriter
powerpnt
isqlplussvc
excel
ocssd
thunderbird
visio
mydesktopservice
agntsvc
oracle
msaccess
encsvc
onenote
sqbcoreservice
mspub
wordpad
mydesktopqos
firefoxconfig
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
1186
svc
mepocs
sophos
vss
memtas
backup
sql
svc$
veeam

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

marcandy.com

tzn.nu

alcye.com

barbaramcfadyenjewelry.com

parentsandkids.com

nieuwsindeklas.be

the-cupboard.co.uk

molinum.pt

alabamaroofingllc.com

hensleymarketing.com

hnkns.com

comoserescritor.com

charlesfrancis.photos

michaelfiegel.com

sveneulberg.de

modamarfil.com

mollymccarthydesign.com

evsynthacademy.org

precisetemp.com

domaine-des-pothiers.com

Attributes

net
true
pid
20
prc
mysql
sqlservr
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
46
svc
sophos
backup
sql
mepocs
memtas
veeam
vss
svc$

Extracted

Path

C:\MSOCache\OUBFQI-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .OUBFQI The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/cc0c4e2b858daf20 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAAp2s2ar3ePG/KIzNVKjYlJ8qeNMPEWJgFvblaGFZFXMqVnXR+Ul/Yuw+EenOuqOhl5fTULHb5h4zPW7k0V9TECzfX4D1owuZWsi8RbafpGbjMCf9mjSmGhnA4yZ2yaglZWn9VDQttZ42zULrzOrz0fkTCDi+r/1tPOkWFnK/JLpLM64WXG7Ul5Z8H6vt1G1XNBNmWHjtjTT93AGNs3PKkiIGkviiJLKie5FPUqLgMUyIATYHzwSMFYtQ4Lmrye0cON333DFDRnXUIhh1nSDftics1rljXxgmdb00oHmTtrh3V6H8pbMxKfXLnq9dREglHvrFnStlf8M8iSDrtLSJU/aMUWUwvjv6AfHkTfmaJXXV+Za+6KymsJ8tCKSVGiR1kWN0MIiZOg+PaPcYAquAgB5hyd5NIXRY/bq0wmGuU1JQmB+rsV7JTWSdcZXF53aY3I3vs/6dmLDUfI1gmokXlCv7Wyp1by+X6ZhQpLz4n7ryZF6xQ+OEJTGl6ikwfq83dCVpxGFiB8SV+3UGMjyXq/B7LReriKuh0awMmunncm3ZpDnW3GuLYS2GNcMH2sO8u2kgce3jP3TgGE7IqiTlqPfyh0VtVWvDb4mIEHBexh48ZiwiLAAS/19gQZPe7OF0Ge6++qhzKZ3lvefk056HMwaXbMN27aIPHpPqsO+WbqPF5hTgAE7thBM1QuKARPEwOctJYAwOmenYcKvyG/slk4aDzUyeIG3lbPYiS+0mysMzOhL6kx5Mvt8shqu7rIWcqQT6e4UNHouBJK1mpZFiI9H3/Ys5xhZ1mHzpkvZoXcT21wVz6Ob56PL2fjnjbFsVYDQXgja9EYQnEDYbEovU7WrgRFHoLr4xiRen0Qw724r6jMSlLBZKDoowZkCh+W4kxw+UxZrmqHbtB1PWH6Ss92qtBnSH0Xgf51jQxk607lu0DwSSbNSHLkdAgcqGfWblpLVuw1aM8RxIw+ilz9/DinPtfA9XZSpU7wQmuXCm8zQOt2Jm46Zd3Z6tKZgrvMjvIa1LzkVMBbbC9L+nZ88lr+XeARtK5mJpTJ3nsHrcPsBxT3kj9pkhPxrgBLTU6cdZx52D92vaEV3zS39NISiyf65k+CHelRqL27e0QXkxrZ/yiIDmPfbJwJoIf1CQyt/MpY8v2xyvZwLJCZO/xhdvMmJYpV/2fRoIVBXO2Wg20dU55l9rT5MRHRl9zUnkTdrAIdz3bpAzBeMlVgd/S4o5mzmBHjegKU3bj8V1C0RvHzdw/+PLbEVv0GEta1I0eiFCm38EZCm0d/waQvAWW/xm0LEUnUVk5p6MMdhS2zJxG3808fNXjEDUQJ1jYLmPPNmm9Fdtu+Dg98anoEZYjKi+5qtCiWXz4CRLQy4d3n7+Dn60Z3M+NCSw+i4jte/ROxrpaAOJwLheNYawp4n/jRpUo3I2sRHaKm52R9o3VAAVU/smH584Puter14NP2F04bG8iBm6m/+/ImbjvMAi1D+AvkSkkJwcxajT6bfVYN7Kr2sFe1yV8p0enKPnFFRTHUmm3v7I0G4aH71oM6oVt/4vPkPjaLAoGEHaY85TFQ0WAHCY993l2bJpQWjlCCzR5vxPvxCfg39gJB47IS/OGirZXeNzntqrfwvstpYy41f/oIQM1YHRJeEy1B84zFB3NbzkglPDHP9cEOOnpD9LsA+KhJkzl0F5Zmd/LIp8/XtMgiRwqkzAci0bkAQV7/ODI4PmuEGmHzptnTwJr8SUAOyac+XZy2wcJ3i8wg43IKshNUTYsnQxtKUOiwyx3/za+UGjv3xXCH1vwbWUS9q+0yPb8HVbwc7PU9+V27qDs/2ih8r2Aid+vnPwPPgQXRciEwgJ4/KU4hS7xruGg+bc3RmsijxvsnjWfz7PLXMpZuoljPXg8N11Ci5dfgQsgPTDSHAVO+sFL/EGgoXkMX7syvShr4sAWgDCLD89HBaFGie69h51cP24nJ2qQVv555aOUfVleZBEWKIYFcsyNkVZxaC5Ge/Y8mivlXxJsB9QhVl11S/fCIVom82Bcbp3jAEQzlPXAY8dZjKRsLb+xqIs5Kr0d8pWUC+fQRjSry3tF81t0zeXStKmsLQ5wHare1ALCYynrDB7cwgN+d3VwJv6mhmqJTOJcco7WtY7cKTBdK3PQWBzSqNRsgUYcPVaam2Gq688HVMuzGSpW9Bx94HLSTjRkpsQqZzgWKIEN+xcw9BWEjyZc5/OuYsy86EgX5CJfsRltLSQv4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZQTodRuHYZ7m9WqbfFTGiHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+BisLEhkUjBs+Kg/zM2E+t0GtNYaVqLBnPt/BGAEdsboScE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg73ZibpCRFE3vHLMOat1wIZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJH8Hp4Oar+NRZwP9okRV/rusrPFzMH9OHYBh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhOVLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/cc0c4e2b858daf20

Extracted

Path

C:\Recovery\07e255630-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 07e255630. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4F974E09500AD20B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/4F974E09500AD20B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: jX8QnoidfK8c3h58xcGP14uJEV9ExeDW2VRFYstcQTLrzrcXaHzD8/4udLv2X00D cjArzRj+zqP0Pc1dDUKYtc1+/O/GhBlz3FhgvZUHvN0OET31FvkYJ7pJm+cgWEta tOk7Ovmw/mBaPPDJEWp9+A35jrcBtX0gtpPOmiZEVugEUsWQ85CNGNZCv5Ef/FuH xu4ek7hUek+7lMZL/pY8ny4luZ/BA9dTD6duFDC1yLjG5EJ+E0qIpgFJvReaNAmv m2nYi1fKbLuAb1hUQU2VKIP53jP1DVmSxto+bytMT/zKRDntmjHy9ldoruYVuPmq UNPZycJv3Sph1Tn91d8tdPWurcwAHPh3LXiWFqPJNA1WIhTfrgZFQm0j0Ib4jg/l 7B9WeesCR1eDOHxTgYh4UgxlqpIPRhmH/4Ttvue0bBYqxKuAHNBXQqAGELGENrSO GRpyoluoOkKrxOD3n2kSMQWYAanOmCgkcOnVPvkxRKOoNq2Z56+/stQC3SHctTTo VtqIXDEHLj3tpRSUa3C8A4ENQ7mo+VD9YDVcQblMZ+QdeNJFJZme/XxZ9M//635W 7Cwpl2hTzQ8TRkXitB6p6A7lVbKmBFFyi7IGvBLHSTdi7bvoUcy0ZpJwN0IcIxGs KnGHo6jTBD2EJfiEdH7rDvYW5Rq+6s+JSdrP4FHeuhkUKq/LCEiP7tqCmAWcyk+B wiOHDPJdN8/Yf8bqB9h58mUvfd4ssXSvk5KOqEMWij02SFz4o1KI1xXVo00S4QV4 02SG+m3NI0LdMZdStv2BE7aGMAWtlwJSxFJrVMVjmTKLEmxMDNViZeJlqiECT6W/ EY2rDRlHoJkijLJHmezrgBEYW4nj773ZP/v6+gekEGILC2t99Uc4szW1w6ernN+u uKa/2pGHl56M9mE7SA8XoP6mpwWCUTHO/0rO0Oc4CtCs9I1Lu4z5+XNeUWMQm4LB WCHS0U6zgTEJc9ugBU7v6hcjrYwatLgSwmmvy96nQLS6rYqTRLKpRAXdES8PLKjr dgMt9Bz33V5xAQylydvGvlQ2CAFlIguKPx1+AqMImY/fRXnhuu7XBy+0TztXPNNL 6o+Qc8IzP5Cvh8E+iY/93fSkdkjeWrmJv6r74dqIDmc7RGKtmetXA49hP+GgM1Gp U0DS+uotIYEiMezIaxD0T/uzRvz1mUj0NOdIbQ8NdA0W6wleCjpdfn1o32JCJh/e LMptchfooN0Z2kiFX1jpydK1 Extension name: 07e255630 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4F974E09500AD20B

http://decryptor.top/4F974E09500AD20B

Extracted

Path

C:\Users\46nq28a1y-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 46nq28a1y. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/92E721391799B020 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/92E721391799B020 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 2odI4YXUoImYYq//TjI7VlsGNOX5QrZ+NFxJMkRvqVZSogt5kN1thqNyKx1vvBpb vqwofNQUjS3gjrnSH0Qbb8mc6SlOtXpiLnBdAVly+li6SWNClQoXdiZLpvAiD0q5 W37QlMbMV/KHcFHUbEtyfSIo764O09+FIhhTeJqx+JJbu6wmDOprUR2VNBJOKA9h TQP5MaFWYEa6khC2RwmSRPQvJLoft9xEF4/cXvbuuP0IOgUMHKlRMAIzyMH/jmur dU3pj1zvIhTrJFEu6fJXcWYYufstXYEFS3vw5FLbGHFn3o/qkqqhMFQUcEFddnR0 5BY9l4Ei001vZtaoohluwxqz+gqH31Yb5trsXWfxBmkSaQotLeRyJyk7J8rOJdOI puHQIc50QFKNEF/zzNUxXrlUBzfUNszDyBsgtuZAxGV9YyjLz4GG3weDdC6ZAT0h ZJ7hXQngngvpSiGFn03EiXAGWqWP58bwd37z817Nf5sawXQdPTQM9QMDYsIhuoKq 4dqgCzZi8NadIWX9N+rm19mVdovKB46yLWwAvFCf7w1kF3XQq/3FIcg8LNEIC1v7 sOvYbqFI24M4A6xJ8w0fQP/LywEEoN27g/ZWVuTIsU69iV51jWQPDGpm1489LibF 9IPS+Q7cPCGg0Xs1M5ZowCBEUlvqVcGhJhdbCUkH3itL8JxzEHGGQ42U2izNQKLA xeFcpctadx4vRB0wuyZC/4iOe70WUWKtkyhjyc54KT+0YIZjuQkgB+D2DXE1f5wt zbbDv/AZ15M5aOifR6GbsGqodtRpGxjiupxZwhLnrNLFgMuwXoX1EazWxK4p4ATr C0zZCSSaj9s8/YoldZ+aOvzDxMevjgO5AJpRJNd4ODvGe2NdcOIEng91DwLY8Erg tQl+XPTsTrWzyoRamNfhCBHa/3LGLlvVC6mHMvzmUVKRsBS7ub/VYyurOmdmlzsH /u+I7WzKfDfFvytqx2AmAeHLWCSJ0muU6PxH6N7rfy8N2VqhBb/ja0woAuZjybU0 uKpGS52JwUejgUo3qyHi/9khr+ejZcNhjQokmkIUsLmga4t5MWdJAVhDI1Q4Otod S1TAaOl03Xn9H2z0mz4YBUGlaqucUZxkwkyN8IdYkOLtu4MFp9LvRJPEddi2d3SF 1EQxZw00RWuDNT8Oh+NOp9CQadiXlRonIyT5zOIcC0kxXcVqJ+TsIhRvL4JHRXd2 zTIPmGaRolXocv1kGWI= Extension name: 46nq28a1y ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/92E721391799B020

http://decryptor.top/92E721391799B020

Extracted

Path

C:\Users\q4324-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion q4324. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F532935A60F544FF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F532935A60F544FF Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: DfWcgB8lsqBiqlISVsG+RlWIsnFf70qJseANqqX8d8GM9uvPoEE4WLTGiG1wwJ4g szAp6q8K5upTLwTXHmpS1+rRyh+xl4wX5jW8w0NWgTbaQp/HX//KBAH79fJ9LDzF Tsu5lS1PmY7+f3f8Bv3c2LXb5Nwi4EM/tD/acqmkRMZyPGs5bRjeStmWe26WYMea cik+eqSESiBlfWeoiwNVS94woTixXnVPNp0m78B541EC1NCZ15BCdyp73HD3DJcY Eaq3UylFwe4qgGqfylqNyL1Vcy/XPMrMI8Sm8r37ipg6hXil7st/kSx67M0eXM6u gkhhVaZ6Ozn1DzCzyzCWpeExSWTDQ/jXpElBpxWudqDQxYoLm5v9EG2nXc09k1bt f7zIl0d9cbNn0soUFwj8y+lZFGUdwyaPK8Kqs5W7kENOdVtLL5N8NaBzbldHoQV9 3LxIljSAZ3GySV6TEFpQ0o/7jgp9HMGx3hgQOky6k7tSsaypLdZCdrIgsPFA3a8E TBaPvhKVnqrmi3EpA6qo7Feuv3bOBLAc408E8YzQOCV+CmDr05wK2hLMvRqg4zqv 7N6NDUlLeNV6MvknX3aVpREWB21fT2PmgOUSauJUbkoHgHSYgmyUvk36EascMh4I gnyCVAhYHxEe1IY8c5L49jaT4xwVwcAtHq+0L8bbN32CRhgYqNl067vD92HMoyPA 40hR3U4NHtKhwOST6B6INIng1ROOTejIBlakeFkKsZGg9NSYpyxONdlNdJaDSVbQ hZYl92gIRtxHCM/mCLHbUk3T0bX1GT3owBbGZMkhLCiFQP+iSc2mWphKUiaNcBPV tshFnIcp/fgpU9IFiTRdZSMxtDqgKnALBJTdwyw9kAbjiaeHiwwRPUL2F3SM5+Zl FepiwTtzd+qDHn8bJI35fn9uu5m8gFaFKLLTwv/mbyejJ+p1+vMo35yndPrASG6Q umHUajal2k/xZ6YZhOsFCp6pBDztXuzoJBb/A4kKRAPcpCPsQrDgJG102AQHLMQR tQgxbSQ9NSDwDDnPcOBHV48+rMNczCGy/NoLtKHwZrdYSxXNk913fbGJl7hAYsHy CO+3UJe5Itwxu8FHtpozpr0mNdgxILuU9tfsQ6dwNAd/9OHI+OXcnqYaPkWl9fRj 1vvCN1wFPveqWlY+UROzcEKobACgcNLi2ht+QiPmjtQzDi68v2B6RwwVVm2PMb2Y wb+Nm/L9 Extension name: q4324 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F532935A60F544FF

http://decryptor.top/F532935A60F544FF

Targets

- Target
  
  17ffd90d20cbd49c4e0d65a484eeae65a107d5bad9582afc51c4ead8bbc147e1
- Size
  
  160KB
- MD5
  
  b49aedab270215f327ab95ea98cb7e33
- SHA1
  
  10b4aafcdeaba91e0140b581fd397e5db94c106d
- SHA256
  
  17ffd90d20cbd49c4e0d65a484eeae65a107d5bad9582afc51c4ead8bbc147e1
- SHA512
  
  eebc06bc7c6f79be5c1fe0020e17b808e17c259fe99ac4d8455849c6ae383258ed637fa067ae5e203152d271494f1b2ff735973f4d2e09797ec787426418327a
- SSDEEP
  
  1536:Gls0QszjGz02ZPO9nEpXiMpi28p7Pbi4eTMluxtXDCntTnICS4Ay4bbaTIL5CMdS:8RwOWpXiIgLbi4eTMlwDCnuo47pd+
Score

1^/10
behavioral1
- Target
  
  1caf5105988781e29d93e58abcbf3bf4c973eca1a207803629bd5cf901ef5be1
- Size
  
  1.1MB
- MD5
  
  40b111fdffe33c4c776d87ce7ff02431
- SHA1
  
  dd6eee81a397d0b94c3532d62c613070501d0048
- SHA256
  
  1caf5105988781e29d93e58abcbf3bf4c973eca1a207803629bd5cf901ef5be1
- SHA512
  
  07ef4139a40d8f08acb489c4c1ced0ffe787f536d59d185ef43aaa0f17e391ca000b8c1c10813feb573241314000b7a91d52fcfcaaa4311f73432cdaaa0f921b
- SSDEEP
  
  24576:LzWuYg/8kz9ncHy/B5uwMp1p4pGj3m91dscI/P:LCuYA8kZnpB5uw+1p44S91gP
Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral2
- Target
  
  1d88c47417c082378c735c9e8180ea63627d5efff35852f1bb06fe6705581267
- Size
  
  97KB
- MD5
  
  e24c6b66b4e5ad59853678feed836f8d
- SHA1
  
  db8a87d1c47004aadb871b0f1a03dc59ec0dffe7
- SHA256
  
  1d88c47417c082378c735c9e8180ea63627d5efff35852f1bb06fe6705581267
- SHA512
  
  c10a18e6252c05380c49f9c5c96470d091d6ebf3d51841c566f5700d10fd569f45200af0681909547eebcbd4503a71856fc8b7c87d1ae21f76cd782065104ab3
- SSDEEP
  
  1536:JYd7Q+s7EIEne/UO6Ki1wO33sGINt/PogTXF5MJeVG7MpmPy4MPlT1SISS:JYdsihneniS+3akgTXYigMAy5PN1f
Score

1^/10
behavioral3
- Target
  
  1ecb59774182d0d0a04b418249428b621159838bd2bcdc1a3a7b871a65dd90af
- Size
  
  611KB
- MD5
  
  93c5f1cb9b83533edf1dee9cc40628e2
- SHA1
  
  788731b2715d1d1f2405bd6169cede470445fdbc
- SHA256
  
  1ecb59774182d0d0a04b418249428b621159838bd2bcdc1a3a7b871a65dd90af
- SHA512
  
  f6fafb62d752083f97b54cfd72937e4d5483df812fe2d3425b90b98776356ab7bd049ea735db0ba93d1f424a8d7d8bc627b23a5244080917ef2c9b2400c9c526
- SSDEEP
  
  12288:ffHVNgJDiUk6UICjj5Lx/q3RqmRNnw8ZnCeMN0pGoMLTcI1dJH8MSsn3dMVziVH:X1yJDdhlyxCIm3nwQCeMNqGjLYcteAdf
Score

10^/10

persistence upx
- Modifies WinLogon for persistence
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral4
- Target
  
  2a5fe7d49fcf65525cfbefaca92a12a0d2917d15f348a48fc7a4de7ae50776b5
- Size
  
  24KB
- MD5
  
  ce0e55a50737e81695b675cc13692322
- SHA1
  
  6936cf5411534d80e2765bac129bda7472b5713f
- SHA256
  
  2a5fe7d49fcf65525cfbefaca92a12a0d2917d15f348a48fc7a4de7ae50776b5
- SHA512
  
  5d43b82290b91042343958d1f6485e602a29935e2bcc720d4698060941129a294cb89a81d6dc34ab60722dbff2c34f8b31591f4c60b4cc4a930535814dcb6e1e
- SSDEEP
  
  384:SIa8CfT5HO7Jbh1BcNsiLv2in+HigbmIAjy/xsNXKW:ZaXfTJ4Jbh1Asib2inCuAsxKW
Score

1^/10
behavioral5
- Target
  
  2c1aa4fa14d7055f2239dbb29ab15089cb2752e9f94ec7a360d275dd607314dc
- Size
  
  620KB
- MD5
  
  5376a226b33db36b51bf85b910071031
- SHA1
  
  ee89a2daf45bda00154a181b0713d351a19b6e00
- SHA256
  
  2c1aa4fa14d7055f2239dbb29ab15089cb2752e9f94ec7a360d275dd607314dc
- SHA512
  
  38fae7a2ef4ba9d8633dd6898f525a6d4ef91813700eb5b95a4e13dfe6caea8d291eedfd092916a50b401cb9bef24adb2a2878b327a4f00c0590d09948483083
- SSDEEP
  
  12288:wUA9qXSileJnwNoFp1ayIfKIemXyYL1LyV/G/0HCO3ZaqEmhENt:wVoXcw2FpZ+9egiU0iofEmG/
Score

8^/10
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral6
- Target
  
  34d62f47e1fe45dd6309326ef696012f2473b0157e1278eea3826a95829da36e
- Size
  
  432KB
- MD5
  
  95d298e38d0ffa1d4bed5bcd98739195
- SHA1
  
  f17fbf42b73628a694079801b0680559ee01328b
- SHA256
  
  34d62f47e1fe45dd6309326ef696012f2473b0157e1278eea3826a95829da36e
- SHA512
  
  f5e96cb68a1ed9f7b66b7bdecc1abe0f4cb1c80b196ef85445a150acbb9fe4fc649e6cf557c6f84d19d2da8de06f19d3fe6e686802684f9b23043e37d5d48578
- SSDEEP
  
  6144:+CPCz2/aWNJ+bpHE7u5ZBFCn7Qf7oqQ1I+4M5GmOBVkc4PksaX2XA87cegDj8+j:Xaz2ivtk7q0i7oDhnGHimw7cHDj8+
Score

3^/10
behavioral7
- Target
  
  38f1b8c86870354a31878d55c6897d7eb9e83f9418aafbfe9f6ff897dd3c2f05
- Size
  
  1.1MB
- MD5
  
  38d1e069b9e9b3e0c255e49115295b7e
- SHA1
  
  151b38a5fc8271cfdd03c72367b55242f7891f78
- SHA256
  
  38f1b8c86870354a31878d55c6897d7eb9e83f9418aafbfe9f6ff897dd3c2f05
- SHA512
  
  a8334a202415641ca9706de45df45dc9304643b141ba4651bbe80c1c524b72ad56ab4cda01f45f08c3727991ed7789f9bf238d9304a5b8d8a41140fbd7c53610
- SSDEEP
  
  24576:PtO+RduDZwmzMo5sD5AgT4CoCTisqywkPOsxwZms3Qhg:PtOAuWmIOe2ZCoC+sWzZms3Qa
Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral8
- Target
  
  40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04
- Size
  
  164KB
- MD5
  
  5117dc6337d71e68262ddc6124ff1b33
- SHA1
  
  41890b9a7043d3d6300ed2a128425f321c69ea0c
- SHA256
  
  40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04
- SHA512
  
  71534faf779387a35e28f64d26a8d032c93f4273a30d0102ac8265399f198c9dbd119ae1e186d902ebd5b19e0c57094ec171bc101d5c073a75346f62d17fbc8c
- SSDEEP
  
  3072:9fg0NBlu9CNTed7/kBazzFbULRU0pNa+eGfiN82R:9Y0NvuUN6F/M4qtXpNHE82R
Score

10^/10

sodinokibi ransomware spyware stealer
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral9
- Target
  
  410ee08c8a84fbb947d5f4635c95c6c8d244a51855afd4f6aa0e82dba1c38a59
- Size
  
  370KB
- MD5
  
  d607888bc583a5712928c7c02555930a
- SHA1
  
  76963321489e6ac40ed10b54cc233e6e3a031235
- SHA256
  
  410ee08c8a84fbb947d5f4635c95c6c8d244a51855afd4f6aa0e82dba1c38a59
- SHA512
  
  3ff95cbaa21d56b51946a88f7034a812b6941f0f18c67694d7c2a53605a7475a04c2641c524c6dabc529a00b8b46e7e091b600b902973aa68410f1132b3f7f6d
- SSDEEP
  
  6144:Us/n1Xe/+6AZbw0aeBQMZb+zpnBvkgr4YXNgyt5lcFT7GeLhLZYl:z/n1O/+6AZFaem8O4YRliTqe9Zu
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral10
- Target
  
  423b7b37b1925762c4417d81bd0f434f9760c1ed844b4b47ee7f25c8d0740242
- Size
  
  20KB
- MD5
  
  e480106d096f6a5ed69ecbf74f0a1007
- SHA1
  
  48c612190f9aca3dc4b5af70a760b17597edc402
- SHA256
  
  423b7b37b1925762c4417d81bd0f434f9760c1ed844b4b47ee7f25c8d0740242
- SHA512
  
  6962a66118fd13335bbeddad901c3db91e43f6549d576b69e50e2e00816862517003d50965ad22bc87bcb59eb2e435d0b449d33cadacc989a4a6691ee7cbffef
- SSDEEP
  
  384:2fkfodG6s/04vMLk24jXPl8a3XEW5/5YiEB8:rfyQ/vg2XPrY
Score

1^/10
behavioral11
- Target
  
  4315b6e87c88972648fac6610116046b7af4aca6bd445839ecc8f21515591a0b
- Size
  
  3.9MB
- MD5
  
  05e136c5e18d962fc7cc490a48bf43c5
- SHA1
  
  db3a52fb85741df954508410d864a3b8d8a7bb36
- SHA256
  
  4315b6e87c88972648fac6610116046b7af4aca6bd445839ecc8f21515591a0b
- SHA512
  
  e5770d49869f22761d6984298dfb34292719e743a018d48ebcef1c0430067eab83436b846a98b7e7439ead01d80ad0078d132e1333f404b0d0a14edc92f7c487
- SSDEEP
  
  98304:wuv7TVLSNplylkdcHc6H5aE1LQx84rK5aKYea:XLSNpl2hya0x84rKcKYea
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral12
- Target
  
  453c6fe9e176af08b176430630a4eec6f1de09f7f147248dc905dc9823af1b91
- Size
  
  9.2MB
- MD5
  
  b9a3cc40fd0e73538c2500455572fc44
- SHA1
  
  dfd804af79f2438bcbb01f6560b51cc6f9efed9f
- SHA256
  
  453c6fe9e176af08b176430630a4eec6f1de09f7f147248dc905dc9823af1b91
- SHA512
  
  b2591fcfd97c156cf056319373516c87f76fe865cf92805fe823fe2580edb29e51fb1fc91329a5bc906dd335791087777b9b425eef5b5de807f8afbece038695
- SSDEEP
  
  384:uNqsjDr0sG2Sah6EzHCkbvllAoQS1qcL2QxrNbSyskR+f6scNTFmfOu:HsjDy2Sahjv31Vt++NTgOu
Score

1^/10
behavioral13
- Target
  
  4a841216cbbd4a587cc579434a043c17f54e3eb0e7ff615b3985411587dfa837
- Size
  
  14KB
- MD5
  
  898b24cd1105ff108bbe18d9b2b39b22
- SHA1
  
  2cc018123c389c5c8c741cb4ed4085674f417fc3
- SHA256
  
  4a841216cbbd4a587cc579434a043c17f54e3eb0e7ff615b3985411587dfa837
- SHA512
  
  ae2bc3e82bc4e36d4d756151d223b12a54f4097733b7cf4eabb9561bb3bf074ba40f40fcbc43aac4c6cb0267961ca4aa57ac3a6f8abba4bc0c0368b40f3d866c
- SSDEEP
  
  192:OJLd5quhzqEQVRMI+cM3xbeaV19ZKcxBRkWM2X48xQI+9y5n0kfz7:OJJ5quqTRNuXvgW48x09y50kf
Score

1^/10
behavioral14
- Target
  
  4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9
- Size
  
  71KB
- MD5
  
  7d09bbc0aee91d29b3e62aa7889d75ac
- SHA1
  
  dcc48feec76915615fca1db6e2e726543fba9566
- SHA256
  
  4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9
- SHA512
  
  3f476f40f9a17919946df05bca46d0169531fd32982cc7c62ec685aef680c2fe064361da928fb174274c88f25b64db75f9c996e271e5b3a0836aa4101649a275
- SSDEEP
  
  192:YKA9x8uHsLXl0Hjo7WLom8YHwOrDU0U4cbHaF55n3nN7a:YKA9WuwXl0YZm8eDr40/cuF73Za
Score

1^/10
behavioral15
- Target
  
  4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00
- Size
  
  349KB
- MD5
  
  eb7138741adc746f8953a3db50d9e235
- SHA1
  
  c0adbd63648052edacdf65f74ce1ce9701125570
- SHA256
  
  4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00
- SHA512
  
  41d4a0aadbe055f6b22ead1bcc407a53e02075218e48aae18d2df5bf23f87fad0c8609725fa60e89de6fc67041acd41303c0505d1b88ddc06b7ed916a5981f8a
- SSDEEP
  
  6144:YPNS/+PNS/t7VggtOXOICLcF8t+JKrllVtqfLJC:YPPPiHcXOIFyqwjtqfLQ
Score

10^/10

gandcrab backdoor ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (343) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral16
- Target
  
  55bdc39b0b7686a57916d2fee2c0f9559e5b947d115bfcb6b5b255706a412670
- Size
  
  164KB
- MD5
  
  5e2627aa0eda8c0f55f2b8f075c91e42
- SHA1
  
  5628a78e002734c6885a0ab6ec97aa6425bcc882
- SHA256
  
  55bdc39b0b7686a57916d2fee2c0f9559e5b947d115bfcb6b5b255706a412670
- SHA512
  
  af01edf7497f19212f855f1717353227a2f35435c9adc4ca82fd4e2d31081a2d1ac1270c2330ceb20afc6c5be6f97782d8a3388f834bd9a3ecc2f7c78b6c087f
- SSDEEP
  
  3072:xdHwJK3BMoFiWjmfb+HP+rnRfUMfm0Sl0/1:xNwE3q4jmfCHWtUWI6
Score

10^/10

sodinokibi ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral17
- Target
  
  5a1b6ba55fde56e57509d2efea734d91e38a64cadaf9cda4aa31a85a592763c3
- Size
  
  15KB
- MD5
  
  5656ddfcd3d5c5ce7ea71b4243471215
- SHA1
  
  a17d320ef685892af10d492b490e3706878800f2
- SHA256
  
  5a1b6ba55fde56e57509d2efea734d91e38a64cadaf9cda4aa31a85a592763c3
- SHA512
  
  e6d00d00b7fc80dac0dc451720612684297fd45fdfb7e108b2605d252e03a6864a406777f4f064cd874299aac3a47ffb9cac41302c31e68431da66a83cb4d6b9
- SSDEEP
  
  192:ftWsDwsLwZxQVtEbR+Usmaw1Q2M3nBRG2Lbcx90uHb18FtQIDT+DC9sVVA:fYsMEwZiVtE+q19kvFGW88FttTtsVO
Score

1^/10
behavioral18
- Target
  
  5f056a4a7aff1927cad99e70eae7fa7ed149b5b7f51c6ddd3cdc61993836be4c
- Size
  
  376KB
- MD5
  
  30450a05140f74e375532c40fba88a12
- SHA1
  
  ff8290ece209901e37749f988958a1e4a1aa492d
- SHA256
  
  5f056a4a7aff1927cad99e70eae7fa7ed149b5b7f51c6ddd3cdc61993836be4c
- SHA512
  
  386ee0646b8c37a4eae67a017b668a60fac263350469f08934dcbf5c828079940aa8fdc36b99b43026e35b3383e103d8b1c043f9351700759ffe7754e3f3a990
- SSDEEP
  
  6144:WhGEyczjmpEI4izRHjmtGlMksGiT3/YnPef20YNw8fxLtIC68o7IpRZ1sXetj4+j:WhIcepEI4izRHjmtGlBsn7APef2P+8f3
Score

7^/10
- Loads dropped DLL
behavioral19
- Target
  
  6709db0a92e59e6662708358c0197d6b72b86ff9edb798aca32e34cad1623e53
- Size
  
  899KB
- MD5
  
  196c58f6fb541bce1082b908d77d19c4
- SHA1
  
  6c004c1d4a70ec9c0655a6288f5d97297583d8aa
- SHA256
  
  6709db0a92e59e6662708358c0197d6b72b86ff9edb798aca32e34cad1623e53
- SHA512
  
  e6bc0efa08a28737b2f8acca641a69276cafdf77bcc36d600c46f28a822c7fc021f0a19df6e958f5626caa848a309c29554bb98dbd4df1d2b26efc819b13b65c
- SSDEEP
  
  24576:RlQKriZKMRb54kwQppldcLrLmF0RhwF4T1sS:JEKMR94vQvlMrC21xs
Score

9^/10

evasion upx
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Enumerates VirtualBox registry keys
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of SetThreadContext
behavioral20
- Target
  
  69add888bcdeed2c14f525f23fa52a141f1afbd420b0fdd38202e5031b3635df
- Size
  
  186KB
- MD5
  
  f37378f81c6f7271531f91ed5c198056
- SHA1
  
  9d00fda560b1cc4c40c398ffc5b688127248114a
- SHA256
  
  69add888bcdeed2c14f525f23fa52a141f1afbd420b0fdd38202e5031b3635df
- SHA512
  
  43c9777149db017ad063120167dcee73c81e8cad82ad4579ff9451153d47adff796d7f298fe9999584db66610916caba00b553a65a94c5d7b344cb412f2a919c
- SSDEEP
  
  3072:JntBFPxJUNKYU1Ga/BU2Emo8BBMdjsEJwuY1MdOKgEjyniUrUMQaUe7hGlY1cS:htHLUNyar845sEJwjMdOK3yi345
Score

7^/10

persistence spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral21
- Target
  
  6af766a07ccc641da303ab30936ed32ad32bb4d7c983f3df45c4c52c036e9d20
- Size
  
  165KB
- MD5
  
  1701c19d9610ee4be543815bff908281
- SHA1
  
  44821ddb87e0260ee8ba368e08c75b0ad3232923
- SHA256
  
  6af766a07ccc641da303ab30936ed32ad32bb4d7c983f3df45c4c52c036e9d20
- SHA512
  
  6794cb5b710b5165dfb59a6dcecff7776dce69b452b82e51dd9d35ec951e15febe9d71ceedc7ea91845b0d6e8c4214e7c07935dd2c8dd6f5c372e35971eed5ae
- SSDEEP
  
  3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NabPos:lw02sJPi7O93N9s
Score

10^/10

sodinokibi persistence ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral22
- Target
  
  719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244
- Size
  
  192KB
- MD5
  
  06dfde68d9e07bc1191626855a321801
- SHA1
  
  a17859092783b09986512203119bbfaf4f5e13b0
- SHA256
  
  719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244
- SHA512
  
  9d4f64e297e694d49ff4eee734afaf48945cf1b0d991dff707253266a10603994edaa6a68ad614118d50925e25a9f9f405ca60b15c4c0d4464175e80c0cfc2df
- SSDEEP
  
  6144:fB+pgUn26IdSI1dwCi6PgHGcUHTaF+MW1D:fgPCdp1dJkHFUHT7M
Score

7^/10
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral23
- Target
  
  71a20e270052665d18bc0fe4d1f9608e51f4fd427442e7abc3e5d43c4e987bdb
- Size
  
  2.7MB
- MD5
  
  83cb5b87a786fb135a11bc133fb4d4d6
- SHA1
  
  f0fced87788092368e1360dfaf830e6ea1f1ef1f
- SHA256
  
  71a20e270052665d18bc0fe4d1f9608e51f4fd427442e7abc3e5d43c4e987bdb
- SHA512
  
  dac2ae2129d2dd477cbd84e2464055cb298407a06fd7fd24c54cb38f692914e9f9cdb8320e23861f25642316b05de411d840021bb7b0a15ab21a035f0d68fe12
- SSDEEP
  
  3072:BttFWSfQySeFOHcjyPHkxrahs1nP2omHDj7X2SrhL4:BLXfQySDHcwkEhs0jjKWhL
Score

1^/10
behavioral24
- Target
  
  7acc03a3573061f3856c27ce5b90dc7f5cc684840862a619edd78ad849b742fd
- Size
  
  888KB
- MD5
  
  9f96c1e23e596f31eb221bce90071b3e
- SHA1
  
  05fda21953f6f369bbe0400e5cf1234e379f9cdf
- SHA256
  
  7acc03a3573061f3856c27ce5b90dc7f5cc684840862a619edd78ad849b742fd
- SHA512
  
  5239a9a8a94d6836ed19f501918d132cfb28f0465dc7e53ccdeacda0f68e5e6e0e1e115fab39766e02e85bc1e17ecea678131c151ff4499b2ab1321d66761b3e
- SSDEEP
  
  24576:pxA70a8L6o/NETvW6howTKkt6+1zbOFWy7/DbnLMy:z+l8GoVP6VdmWy7/DMy
Score

7^/10
- Loads dropped DLL
behavioral25
- Target
  
  7bd3e8a10838e95fcb3ab06457404f03e09bd8d3881c2521be3b71fad533445f
- Size
  
  1.5MB
- MD5
  
  3666648ac448bfb0bdd37032f60600dc
- SHA1
  
  e591ae742dd3f597f8bcac9455d184913051daf1
- SHA256
  
  7bd3e8a10838e95fcb3ab06457404f03e09bd8d3881c2521be3b71fad533445f
- SHA512
  
  3fe4427da3bb01e7e004e2c29b899d36b462155aa59aca130913281f16c2d3743e6f1dac16cd5f0920d707cb5e33240f45b868e84377a88ebeb51617dab681b5
- SSDEEP
  
  24576:aFlxmF2j7Xd49AX96bvkPHL+T702v71P9T5Cjpz63g3XeB8Zps9:aFlxMm7Xd4uX9quSv02elcOX9ps9
Score

1^/10
behavioral26
- Target
  
  8034ef305be188bce8cdd98336f7cd2795c5dc74b19fdebf7cf5161f9000fb74
- Size
  
  2.3MB
- MD5
  
  012e2a46b9d4d49fbc3263d8b14ebeda
- SHA1
  
  a6dfb1c0cf42e266df9c3e3234e32fdc6f49fb37
- SHA256
  
  8034ef305be188bce8cdd98336f7cd2795c5dc74b19fdebf7cf5161f9000fb74
- SHA512
  
  be2f9d22f95d5b5672cfd4d4b634ceff7638abf62de006a61cb1422b8201bafac936eb7d2821da01001b34de8364b997b583d6ca4304dc01dcb09a9156e59b76
- SSDEEP
  
  49152:v0eT6L7AZHRxSY6VC2kBKn7x6JkNi46uyI2+aTOGE/QM:P+LRrkBKn71YuyI2LRbM
Score

1^/10
behavioral27
- Target
  
  88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb
- Size
  
  614KB
- MD5
  
  c7d23cb33b0db8303d7cc43fb4d7fdcd
- SHA1
  
  b456525f89a5fc70d3022fc41dec753a8a84ab16
- SHA256
  
  88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb
- SHA512
  
  688b6efb0e2af25b6d8695171ce2bf9ccadc147beab555bcf836b38de884e8c854ea4b7cf4e951b1451caefa741c5c6a03cca1e824a1549ef374e8092f7b3da9
- SSDEEP
  
  12288:aiXf2YxXtNvqOt093nvo8eb+s5KaadA6r7/Z77u5V4nutiXhb+:xvtxdNvq98+CjadAY7E5VRtkZ+
Score

10^/10

persistence upx
- Modifies WinLogon for persistence
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral28
- Target
  
  8e6c6b616e846b280572edd2beb96b4c22426963b565553609b4e2fc4b19b019
- Size
  
  477KB
- MD5
  
  097a4830290984d9c36081b4b8d1f615
- SHA1
  
  13794fd6134b4f934fffcbaf2adefbbcc1f01c76
- SHA256
  
  8e6c6b616e846b280572edd2beb96b4c22426963b565553609b4e2fc4b19b019
- SHA512
  
  1d58ab5dae755ccdf6ede4181524752d151d0d3e84f625132b5e7e9731803911e88b0c76e95cf8918ef7085c2953c6b22a9d70c3422a3cc147e99a6757d59acb
- SSDEEP
  
  12288:WYDunOLRQ3sBPBLfeZQ5NO1sPOLfez8olmviTh5J:WxnjsFZi1uHDmKjJ
Score

7^/10

upx
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral29
- Target
  
  907c21dd04dae2f48b048778f36b402c06096220b8c4462d54bd1246f0aec8b0
- Size
  
  2.3MB
- MD5
  
  026c5d37e261bf90f56293046ec26af8
- SHA1
  
  38f6b87904c9192bd3f4073815c4db3c12dba7b0
- SHA256
  
  907c21dd04dae2f48b048778f36b402c06096220b8c4462d54bd1246f0aec8b0
- SHA512
  
  53a3e02eae2068b16bbd50add46981237842c5428752695db91a7ecf9e93146bccd1b609b0d96e19e20eca030eef94ac8832ae2b15668e59d5f254439b5b3c77
- SSDEEP
  
  49152:Q8atUUeTExFEUWf7UrhjUI/IeFHR8c7iSAgx4nNBzG5KeIKvOnr:SUEhiUhUIwSx8c7iSAakzcKepg
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral30
- Target
  
  9b1d7a498b1050d27f515245add3690ee79d41f64fa9a95242525c964fdd9221
- Size
  
  5.6MB
- MD5
  
  d070b8fbecec7498f26708eaa6bd212e
- SHA1
  
  b23891129d167fa34a95f23bdd79e258624f6898
- SHA256
  
  9b1d7a498b1050d27f515245add3690ee79d41f64fa9a95242525c964fdd9221
- SHA512
  
  822c0d7490e038af0ae150dec85521397965c4fbcd2d8e7e2d9978ff4dcef01aedc6edf4b13157276a43f200e7baf5b0a10c08b9fb374087f89a32e37ccef332
- SSDEEP
  
  98304:3+e8BYplED9piatxNa4DrdR9B0//Dw7NfY4srGYToe/wnWO3HpcMkbvNoCKD76WM:3+e8BYpqD9pF1a4D56zw7NfcVwW6HKMO
Score

7^/10
- Loads dropped DLL
behavioral31
- Target
  
  9b7e5d2fdc7192256d81ce9e4d339dcdbfd453ad1059d3efd4a7d829f5d2608b
- Size
  
  696KB
- MD5
  
  6c4afbb266c4c09ca6ec58a0d7716bf1
- SHA1
  
  9309c83062a2cd154776f1a2d4720be008404760
- SHA256
  
  9b7e5d2fdc7192256d81ce9e4d339dcdbfd453ad1059d3efd4a7d829f5d2608b
- SHA512
  
  5117bcca2a9b98bb9863d98b0a037cb58c97a7614682735f794b7db2b0c30a122777cef5e1d577b8eaada094ba31b6c2edca0bdbf31597b4fd8704ff0be74bec
- SSDEEP
  
  12288:/Br2++HzRcCUNsvdtZhfMF6pI12KM2K/nrRlZmv9BSc:/Bz+NrU6vbE6nK+/+9BS
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Indicator Removal

T1070

File Deletion

T1070.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Software Discovery

T1518

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Troldesh, Shade, Encoder.858

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Checks installed software on the system

Modifies WinLogon for persistence

UPX packed file

Maps connected drives based on registry

Drops file in Drivers directory

Drops startup file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Troldesh, Shade, Encoder.858

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Checks installed software on the system

Sodin,Sodinokibi,REvil

Deletes shadow copies

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in System32 directory

Sets desktop wallpaper using registry

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Gandcrab

Deletes shadow copies

Renames multiple (343) files with added filename extension

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

Sodin,Sodinokibi,REvil

Enumerates connected drives

Drops file in System32 directory

Sets desktop wallpaper using registry

Loads dropped DLL

Checks for common network interception software

Enumerates VirtualBox registry keys

UPX packed file

Suspicious use of SetThreadContext

Reads local data of messenger clients

Reads user/profile data of web browsers

Adds Run key to start application

Sodin,Sodinokibi,REvil

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Sets desktop wallpaper using registry

Loads dropped DLL

Suspicious use of SetThreadContext

Loads dropped DLL

Modifies WinLogon for persistence

UPX packed file

Adds Run key to start application

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

UPX packed file

Executes dropped EXE

Loads dropped DLL

Loads dropped DLL