General
-
Target
gn.rar
-
Size
4.7MB
-
Sample
230907-rky5tsad71
-
MD5
39369bf2534886dbf0fde66f1d2ae921
-
SHA1
51e2995afb1ccb04974d1866c50abb4e2d9e080d
-
SHA256
b76aed181fc4d9590a9d4aefb7a00a5a13abadf2dfc7a3953985b9cc039a7378
-
SHA512
1ee059b9295c873770f3966c23cf660e83830906f05d1a8e1987083242913500be5c5c22da3bc610b24209169cedac0f471b68181e6b698a18aa89dc6aa1d009
-
SSDEEP
98304:+aaGjBCWFWbHAKAGliOLT8e8P4g1sbL4MBoqaBA03YUCb2tlW8:+0DFYABGliOXQ1sXfZaB13+bMlj
Malware Config
Extracted
sodinokibi
66
2948
iwelt.de
kidbucketlist.com.au
jandaonline.com
solinegraphic.com
ftf.or.at
skiltogprint.no
ateliergamila.com
liikelataamo.fi
craigvalentineacademy.com
rota-installations.co.uk
bordercollie-nim.nl
interactcenter.org
strandcampingdoonbeg.com
spd-ehningen.de
almosthomedogrescue.dog
tstaffing.nl
adoptioperheet.fi
bargningavesta.se
tennisclubetten.nl
baumkuchenexpo.jp
-
net
true
-
pid
66
-
prc
visio
outlook
oracle
agntsvc
thunderbird
ocomm
tbirdconfig
dbsnmp
mydesktopqos
mspub
onenote
msaccess
thebat
excel
steam
encsvc
isqlplussvc
synctime
sqbcoreservice
sql
wordpad
ocssd
powerpnt
mydesktopservice
firefox
xfssvccon
dbeng50
ocautoupds
infopath
winword
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
2948
-
svc
veeam
backup
mepocs
sophos
sql
memtas
vss
svc$
Extracted
emotet
Epoch1
187.162.62.135:80
181.231.72.200:80
45.55.83.204:8080
104.236.217.164:8080
128.199.78.227:8080
46.101.123.139:8080
185.94.252.27:443
181.171.118.19:80
46.21.105.59:8080
105.224.171.102:80
86.6.188.121:80
190.246.146.101:80
200.80.198.34:80
200.58.171.51:80
109.104.79.48:8080
89.134.144.41:8080
159.65.241.220:8080
186.23.146.42:80
203.25.159.3:8080
190.1.37.125:443
Targets
-
-
Target
58760750029ed58aaede88892b1c5d81a525adb2bbb5aee7e48f927d43df44b6
-
Size
400KB
-
MD5
e03911d81d043d0abb551d5b6f997666
-
SHA1
f1f89035b985806f44005c9cb3a8f97b5579543a
-
SHA256
58760750029ed58aaede88892b1c5d81a525adb2bbb5aee7e48f927d43df44b6
-
SHA512
8e18e01642fda3338d41abc4122829a8e1d81d51efed3ac3cc4e3ac9b64c8b60434d6f35432ce3150fb67f63e3b4b417da3937b5d5fb788576b29899bd68091f
-
SSDEEP
6144:+UafnsLSh2qI5YTVqurEnIR1/oa3Ve3PC9xcXZzcfEquN7qgjOfjfmT36swDTe:0fnsLAI5iVqXmG+xcFeEMgjyjOT3m
Score6/10-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
704759c7903cc2f0962bac0f7e7318dbbce0323b561c87d0d4bfc4cf2fd5dc5c
-
Size
795KB
-
MD5
eea9a94a45f63b8d37b396c0fa227174
-
SHA1
1f7d62e4ae84df3f2c23c3d2333df807eb6db461
-
SHA256
704759c7903cc2f0962bac0f7e7318dbbce0323b561c87d0d4bfc4cf2fd5dc5c
-
SHA512
60d157336d4b9761248825ce70f4284212ec3e347504afd0c73ed36eb54d511785e3b8af2990aafd0f2efe183e179a06326fd2fe8b2535d4e5e1d91d5c6cc5c8
-
SSDEEP
12288:EEfjoIC3LDkt6s2eGep4jVGBXMLj7rLx7ur6FaxFQ:EooIsvds2Y4huMLrLx7CxO
Score1/10 -
-
-
Target
970037fcb645a7e538ac06f1e0bc9b8c273930187ab919b7810ae7b2bc034f3c
-
Size
364KB
-
MD5
12c032b7a14410470c10caf9304c380c
-
SHA1
9e7495abb06738cfc5ed2fae1b6250108f43302f
-
SHA256
970037fcb645a7e538ac06f1e0bc9b8c273930187ab919b7810ae7b2bc034f3c
-
SHA512
2396803a207e3a940d659ff96d75e11c547f63726ebfdc72bc1c9e7acdc5d8d5ae69e706c407af46308dd80dea1d96818b1ac0a7568c27b69e6f974985ab9d32
-
SSDEEP
6144:3Lovqx5guJbwtCes4gIZOlUVKVn+u2eqQB6z3Jvcd4woCshVX1+fhEUy+n:32Ugebw8es4gRUVKYuF3C5q4wonhT+uq
Score1/10 -
-
-
Target
a8105a507cda24d05f6a7488e72ac7f8169ef1b1626fdd479630ecfe5141a375
-
Size
1.0MB
-
MD5
75760081efb68f1b0f8202c623a11c79
-
SHA1
6bc07faddb7bbb521561fdcaf67a9e3af8314781
-
SHA256
a8105a507cda24d05f6a7488e72ac7f8169ef1b1626fdd479630ecfe5141a375
-
SHA512
c897c1abccf2eea1907a266fb73c09cbb7cd0806c31d187b096aafe99127644a90ac1d9ec3d6446bd61133a42436e6d726eb8ab8045e65b33d98da55fcbacb41
-
SSDEEP
12288:uot6vIJx7HFbaUxUmDZ2MFp8nWAZgmmaj0OmBXyXvN1klel8VzqPRs2h2lmQKX9:uY6gHtaHuX5AZWaGBXy/LeVzMH2AJX9
Score10/10-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
a8d0b4e9ce9177ba96fb45bc49e70d31e73fec8d52a3460369563b872dd40bd5
-
Size
63KB
-
MD5
8ac4a71608c4d72bfb82a59d4f689a2b
-
SHA1
dff5968ea65a7415489df550d049934a956617cd
-
SHA256
a8d0b4e9ce9177ba96fb45bc49e70d31e73fec8d52a3460369563b872dd40bd5
-
SHA512
40af4de322d95fe3d90a443f11bd1e1f7a4f349b4bc41fe454e60f91ee177a7b2987b9943f3a74f3b231b0ef440d7b00e8164f1200eb5ca4050e03a431aaf4ee
-
SSDEEP
768:RO9lvI5QKedEGn9qeNXalsFHp1fDaAL7X07dsYmTCknHq4OXxAiTqF6:RO9ijynylifDaAX07dsYcnnon
Score3/10 -
-
-
Target
a9d3c169fa67ac9e0c8165d67d6baf44419b48fc420b655147f58d3aa6afd3c4
-
Size
63KB
-
MD5
59ee96defc7a5f4f88d02ea3b467c01a
-
SHA1
d1ba688e1c9f58cdd865429522f6c137db42fcdd
-
SHA256
a9d3c169fa67ac9e0c8165d67d6baf44419b48fc420b655147f58d3aa6afd3c4
-
SHA512
c6ceba6fb92ad0b51c3b1d99aecf49cb6f5ea01b4a7251409e4cd0fedc5d04dfb283db4a38c725f2984f5cf8a595a6883d93092735e89078e2f772e9f823745c
-
SSDEEP
768:RODlvI5QKedEGn9qeNXalsFHp1fDaAL7X07dsYmTCknHq4OXxAiTqF6:RODijynylifDaAX07dsYcnnon
Score3/10 -
-
-
Target
ae05c8420119e05563a9dbc02cd1d3d854e6cbddbbb8d90b1fc4469f2975a982
-
Size
1.4MB
-
MD5
452df4ff1d75559e05a185f1242a5c25
-
SHA1
b63633f8cdc7da1904a8dd1fefe0b9e6e580a6f3
-
SHA256
ae05c8420119e05563a9dbc02cd1d3d854e6cbddbbb8d90b1fc4469f2975a982
-
SHA512
0b6d1088e54f6b9531e36d3b0746a9399042801f3296a869f7fe44ed69efcd42fba08224a9aaa6bc12feced1b586661c800f606f3578d994444199cca14cada5
-
SSDEEP
24576:OR0tO+HI56kPhZTgOO041rGwKnQLKnkmNitATcHjth/Hzt0x:OR5/JZTgOO04lyibm8i
Score5/10-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
b1b63696c4a99f6dbb1eaaa751d635ad5cdbfa792981c40365b77399f3632662
-
Size
284KB
-
MD5
85cd885014547939553f8b502a30ec78
-
SHA1
f912319e5f5f0d02c1c12a2401a6fceef1455372
-
SHA256
b1b63696c4a99f6dbb1eaaa751d635ad5cdbfa792981c40365b77399f3632662
-
SHA512
a37a3c2cc70336920278d4e69dc60cbac8f165ff611de5a162e76e5d66dbcf90a69020b70ccd4819b3eee71709f4b122b266ec3829eaa400ac87ee3c44a2469c
-
SSDEEP
6144:SQXwLN5UtmCqK4jl9BJkyq2tW2whDWMBLNDhmMGTI6W6WP:ZX6N5Rj9ByMwhDWMrDhmTTdW6WP
Score3/10 -
-
-
Target
b59f8014e92f8236b4045a1d002de6cd22402262d031609b69b2a9b2b9055807
-
Size
469KB
-
MD5
777131d4de48c8d59891e3e74bf6068f
-
SHA1
1ce682191ae1261802fca1940f8d3c2f3ff998ba
-
SHA256
b59f8014e92f8236b4045a1d002de6cd22402262d031609b69b2a9b2b9055807
-
SHA512
45bc9b0b154b256eda0d643983d64cbd30f2c1205313fca91fd14f45cbc39ed5016516254525372036c559ad7e0f83271c9697cedc784a0902d0222979a21783
-
SSDEEP
12288:0b9A8rW1XrhJW8GjWcesrnJ19ZZx+T+/:U9hrW7JWH0qZZx+T
Score8/10-
Sets DLL path for service in the registry
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
b99c904be547228d5a2db0522243a158a3bc0c6cfc901012944457daada602ce
-
Size
63KB
-
MD5
5c2bde97438d98edb3dd2a755aa12339
-
SHA1
6cd4a3bab1d639d43cb687c5f3a31da96ed6a981
-
SHA256
b99c904be547228d5a2db0522243a158a3bc0c6cfc901012944457daada602ce
-
SHA512
05b09f329c5262884ffb1c26881548cb0c054786c8ae71728e5642ae1b1eb4ef09dbc197ae67f7f5a4ba16b331a12ae5c0ee5c74fcc6b3ae0f38c067742ea7e6
-
SSDEEP
768:ROwlvI5QKedEGn9qeNXalsFHp1fDaAL7X07dsYmTCknHq4OXxAiTqF6:ROwijynylifDaAX07dsYcnnon
Score3/10 -
-
-
Target
bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3
-
Size
165KB
-
MD5
119fc3356fd91b84ce3195f4914ce53e
-
SHA1
e71024b789e25f79b50b9d79409ba0c85597cf35
-
SHA256
bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3
-
SHA512
44495f89eb6f8942dc63b1d70c8202b7ca3bcec0e7f35be4e10b13f28de01deee254435549c85c13a468bb713f558c0efab6c702ca69ea8ebe1cc9360aeb132f
-
SSDEEP
3072:Xi+77RrDGdRTSHL/FnVxi7AnWpL5geHRiZ4qjKbknx/:XioIqFVxsqWpmeHouk
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
c25b0b627ea052c67ef549e1040e5a33779f8661172c2df6420de1d2b228f7b7
-
Size
164KB
-
MD5
19e7e57a7622586a96b10cc489303d0e
-
SHA1
09e751d3f6078b21a534a319af248e03d82decdd
-
SHA256
c25b0b627ea052c67ef549e1040e5a33779f8661172c2df6420de1d2b228f7b7
-
SHA512
d059f5ba4cf37389a6d12701d7d37e4ec1815367a7c9822ff22a287ec3dcb99a669d8b48bea0948948d4235f86c0808ce8d0a01bbd9bc1914056c5e9874f7554
-
SSDEEP
3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfp/TIdPVBf:veoUeZR2TRCWQFfhTId
Score6/10-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
c84a02a0b3cfe2af4c0c04c7ca69351a41501034bde0bb682ecb884b4e8aa36c
-
Size
13KB
-
MD5
ac725ee8d14e2097d46cd9f95f01e15f
-
SHA1
65f52ec104aa323088ae77e1813c913beae12454
-
SHA256
c84a02a0b3cfe2af4c0c04c7ca69351a41501034bde0bb682ecb884b4e8aa36c
-
SHA512
56af23b9fc14e4748eed1d8ec3d08b770e224c0c0476fd793c77b5b5a3625b504f112f04e3e1830481307ba42389ca36b5a291f34a7df31aa337e50e4336ffda
-
SSDEEP
192:d9PTogppHg6o9yh5RpIif04JuZoNrLOLEmpVmbkqkbZH6AHZNirucJs:HPsg3Hb5h5RrfX4oxCpfqy/2u6
Score7/10-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
eb135d0764932501b0122620e2b7a7ca5b56786d1a937871372ae989609cc3f8
-
Size
261KB
-
MD5
191da1ffda4d4e2bde32fa94544208bd
-
SHA1
8cf473701b6bb545e506296a5b0d1d6b42dfb60a
-
SHA256
eb135d0764932501b0122620e2b7a7ca5b56786d1a937871372ae989609cc3f8
-
SHA512
0dc48399a37afc3e620cb9f118b37fbd635efbd4d125dc44e5db79f7c822a230347a0e4a89b62fea4e9d3499fcde5dc5be5291d9a27c3ffb05405eade08a2622
-
SSDEEP
6144:bnT7UyrQBENt8VXcW0YQqLwhHrWGOP+5VTFg:jT7UCjyXn0YQqLWtVTm
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Drops file in System32 directory
-
-
-
Target
f10e957b92fbb2bb57e0a51eeda99dedb1b0720a1be0422b53404d3252bef741
-
Size
96KB
-
MD5
1b18993f4b7b5b9500b0dfd055b60f5b
-
SHA1
9f70e8d99492fc252d1e408b1bf8baa92c78b056
-
SHA256
f10e957b92fbb2bb57e0a51eeda99dedb1b0720a1be0422b53404d3252bef741
-
SHA512
c41bb308251b27372ee8770c004d8d31b87c109ea168a746635b556829f87df6d6fbf92f941b3441122409b063018c18900b325b6caa32af23a5cf3b22c3e332
-
SSDEEP
3072:lCunH3YQ4TgvMvPQDeqgKJ+BCn0Y6Q5cp:lCAX3vMvPQNgKL0Y6Q5E
Score8/10-
Downloads MZ/PE file
-
Loads dropped DLL
-
-
-
Target
f56dff55960cfb47416bebe71dca6effff8fc1a7066b0e0a965b94c3253e1943
-
Size
412KB
-
MD5
17a937e1f5bf0bda743aedf7f58e08c7
-
SHA1
1bc73716082ffa37f119d98bd6a22338172039cb
-
SHA256
f56dff55960cfb47416bebe71dca6effff8fc1a7066b0e0a965b94c3253e1943
-
SHA512
391d7a6a63487cea1f0bec85c1c191f52baea2a322aef2fa2bd9b9d8768ed291dbf683a6efb6ed4119d19ed22b6bbaa1fd8c03f863b1959f8984917e9400f2a1
-
SSDEEP
12288:iDj8inujY1U3crW5B1EYTGi7rYNsp0HFxkWbLAHmO:W1nvU3l5XTGioNO0HFzLAH
Score1/10 -
-
-
Target
fa4e1cb3e41e49004906adc5e9a22c484d18439fd84611d72f5c4fcac445f1c0
-
Size
1012KB
-
MD5
11a218065f8a3fdc547ec25b79e56177
-
SHA1
31dcbef73197d04a99bf1358e09c6c809ab4c298
-
SHA256
fa4e1cb3e41e49004906adc5e9a22c484d18439fd84611d72f5c4fcac445f1c0
-
SHA512
6ef2ed805a138c84b3d51c7f79f7c8d867c4813ddd6e2a799f8644cd786a24cef045b4220de28ab8474386e4ca38434a084dafc8be27425e1abb2fbe107f78de
-
SSDEEP
12288:Yf6o/b4/YhdWBHGep4jVGBXMWCOp+9l2fG0b46vJQ7:jockdWt4huMfOtM
Score3/10 -
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Pre-OS Boot
1Bootkit
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Pre-OS Boot
1Bootkit
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1