General

  • Target

    gn.rar

  • Size

    4MB

  • Sample

    230907-rky5tsad71

  • MD5

    39369bf2534886dbf0fde66f1d2ae921

  • SHA1

    51e2995afb1ccb04974d1866c50abb4e2d9e080d

  • SHA256

    b76aed181fc4d9590a9d4aefb7a00a5a13abadf2dfc7a3953985b9cc039a7378

  • SHA512

    1ee059b9295c873770f3966c23cf660e83830906f05d1a8e1987083242913500be5c5c22da3bc610b24209169cedac0f471b68181e6b698a18aa89dc6aa1d009

  • SSDEEP

    98304:+aaGjBCWFWbHAKAGliOLT8e8P4g1sbL4MBoqaBA03YUCb2tlW8:+0DFYABGliOXQ1sXfZaB13+bMlj

Malware Config

Extracted

Family

sodinokibi

Botnet

66

Campaign

2948

Decoy


Attributes
  • net

    true

  • pid

    66

  • prc

    visio, outlook, oracle, agntsvc, thunderbird, ocomm, tbirdconfig, dbsnmp, mydesktopqos, mspub, onenote, msaccess, thebat, excel, steam, encsvc, isqlplussvc, synctime, sqbcoreservice, sql, wordpad, ocssd, powerpnt, mydesktopservice, firefox, xfssvccon, dbeng50, ocautoupds, infopath, winword

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2948

  • svc

    veeam, backup, mepocs, sophos, sql, memtas, vss, svc$

Extracted

Family

emotet

Botnet

Epoch1

C2


rsa_pubkey.plain

Targets

    • Target

      58760750029ed58aaede88892b1c5d81a525adb2bbb5aee7e48f927d43df44b6

    • Size

      400KB

    • MD5

      e03911d81d043d0abb551d5b6f997666

    • SHA1

      f1f89035b985806f44005c9cb3a8f97b5579543a

    • SHA256

      58760750029ed58aaede88892b1c5d81a525adb2bbb5aee7e48f927d43df44b6

    • SHA512

      8e18e01642fda3338d41abc4122829a8e1d81d51efed3ac3cc4e3ac9b64c8b60434d6f35432ce3150fb67f63e3b4b417da3937b5d5fb788576b29899bd68091f

    • SSDEEP

      6144:+UafnsLSh2qI5YTVqurEnIR1/oa3Ve3PC9xcXZzcfEquN7qgjOfjfmT36swDTe:0fnsLAI5iVqXmG+xcFeEMgjyjOT3m

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      704759c7903cc2f0962bac0f7e7318dbbce0323b561c87d0d4bfc4cf2fd5dc5c

    • Size

      795KB

    • MD5

      eea9a94a45f63b8d37b396c0fa227174

    • SHA1

      1f7d62e4ae84df3f2c23c3d2333df807eb6db461

    • SHA256

      704759c7903cc2f0962bac0f7e7318dbbce0323b561c87d0d4bfc4cf2fd5dc5c

    • SHA512

      60d157336d4b9761248825ce70f4284212ec3e347504afd0c73ed36eb54d511785e3b8af2990aafd0f2efe183e179a06326fd2fe8b2535d4e5e1d91d5c6cc5c8

    • SSDEEP

      12288:EEfjoIC3LDkt6s2eGep4jVGBXMLj7rLx7ur6FaxFQ:EooIsvds2Y4huMLrLx7CxO

    Score
    1/10
    • Target

      970037fcb645a7e538ac06f1e0bc9b8c273930187ab919b7810ae7b2bc034f3c

    • Size

      364KB

    • MD5

      12c032b7a14410470c10caf9304c380c

    • SHA1

      9e7495abb06738cfc5ed2fae1b6250108f43302f

    • SHA256

      970037fcb645a7e538ac06f1e0bc9b8c273930187ab919b7810ae7b2bc034f3c

    • SHA512

      2396803a207e3a940d659ff96d75e11c547f63726ebfdc72bc1c9e7acdc5d8d5ae69e706c407af46308dd80dea1d96818b1ac0a7568c27b69e6f974985ab9d32

    • SSDEEP

      6144:3Lovqx5guJbwtCes4gIZOlUVKVn+u2eqQB6z3Jvcd4woCshVX1+fhEUy+n:32Ugebw8es4gRUVKYuF3C5q4wonhT+uq

    Score
    1/10
    • Target

      a8105a507cda24d05f6a7488e72ac7f8169ef1b1626fdd479630ecfe5141a375

    • Size

      1MB

    • MD5

      75760081efb68f1b0f8202c623a11c79

    • SHA1

      6bc07faddb7bbb521561fdcaf67a9e3af8314781

    • SHA256

      a8105a507cda24d05f6a7488e72ac7f8169ef1b1626fdd479630ecfe5141a375

    • SHA512

      c897c1abccf2eea1907a266fb73c09cbb7cd0806c31d187b096aafe99127644a90ac1d9ec3d6446bd61133a42436e6d726eb8ab8045e65b33d98da55fcbacb41

    • SSDEEP

      12288:uot6vIJx7HFbaUxUmDZ2MFp8nWAZgmmaj0OmBXyXvN1klel8VzqPRs2h2lmQKX9:uY6gHtaHuX5AZWaGBXy/LeVzMH2AJX9

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      a8d0b4e9ce9177ba96fb45bc49e70d31e73fec8d52a3460369563b872dd40bd5

    • Size

      63KB

    • MD5

      8ac4a71608c4d72bfb82a59d4f689a2b

    • SHA1

      dff5968ea65a7415489df550d049934a956617cd

    • SHA256

      a8d0b4e9ce9177ba96fb45bc49e70d31e73fec8d52a3460369563b872dd40bd5

    • SHA512

      40af4de322d95fe3d90a443f11bd1e1f7a4f349b4bc41fe454e60f91ee177a7b2987b9943f3a74f3b231b0ef440d7b00e8164f1200eb5ca4050e03a431aaf4ee

    • SSDEEP

      768:RO9lvI5QKedEGn9qeNXalsFHp1fDaAL7X07dsYmTCknHq4OXxAiTqF6:RO9ijynylifDaAX07dsYcnnon

    Score
    3/10
    • Target

      a9d3c169fa67ac9e0c8165d67d6baf44419b48fc420b655147f58d3aa6afd3c4

    • Size

      63KB

    • MD5

      59ee96defc7a5f4f88d02ea3b467c01a

    • SHA1

      d1ba688e1c9f58cdd865429522f6c137db42fcdd

    • SHA256

      a9d3c169fa67ac9e0c8165d67d6baf44419b48fc420b655147f58d3aa6afd3c4

    • SHA512

      c6ceba6fb92ad0b51c3b1d99aecf49cb6f5ea01b4a7251409e4cd0fedc5d04dfb283db4a38c725f2984f5cf8a595a6883d93092735e89078e2f772e9f823745c

    • SSDEEP

      768:RODlvI5QKedEGn9qeNXalsFHp1fDaAL7X07dsYmTCknHq4OXxAiTqF6:RODijynylifDaAX07dsYcnnon

    Score
    3/10
    • Target

      ae05c8420119e05563a9dbc02cd1d3d854e6cbddbbb8d90b1fc4469f2975a982

    • Size

      1MB

    • MD5

      452df4ff1d75559e05a185f1242a5c25

    • SHA1

      b63633f8cdc7da1904a8dd1fefe0b9e6e580a6f3

    • SHA256

      ae05c8420119e05563a9dbc02cd1d3d854e6cbddbbb8d90b1fc4469f2975a982

    • SHA512

      0b6d1088e54f6b9531e36d3b0746a9399042801f3296a869f7fe44ed69efcd42fba08224a9aaa6bc12feced1b586661c800f606f3578d994444199cca14cada5

    • SSDEEP

      24576:OR0tO+HI56kPhZTgOO041rGwKnQLKnkmNitATcHjth/Hzt0x:OR5/JZTgOO04lyibm8i

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      b1b63696c4a99f6dbb1eaaa751d635ad5cdbfa792981c40365b77399f3632662

    • Size

      284KB

    • MD5

      85cd885014547939553f8b502a30ec78

    • SHA1

      f912319e5f5f0d02c1c12a2401a6fceef1455372

    • SHA256

      b1b63696c4a99f6dbb1eaaa751d635ad5cdbfa792981c40365b77399f3632662

    • SHA512

      a37a3c2cc70336920278d4e69dc60cbac8f165ff611de5a162e76e5d66dbcf90a69020b70ccd4819b3eee71709f4b122b266ec3829eaa400ac87ee3c44a2469c

    • SSDEEP

      6144:SQXwLN5UtmCqK4jl9BJkyq2tW2whDWMBLNDhmMGTI6W6WP:ZX6N5Rj9ByMwhDWMrDhmTTdW6WP

    Score
    3/10
    • Target

      b59f8014e92f8236b4045a1d002de6cd22402262d031609b69b2a9b2b9055807

    • Size

      469KB

    • MD5

      777131d4de48c8d59891e3e74bf6068f

    • SHA1

      1ce682191ae1261802fca1940f8d3c2f3ff998ba

    • SHA256

      b59f8014e92f8236b4045a1d002de6cd22402262d031609b69b2a9b2b9055807

    • SHA512

      45bc9b0b154b256eda0d643983d64cbd30f2c1205313fca91fd14f45cbc39ed5016516254525372036c559ad7e0f83271c9697cedc784a0902d0222979a21783

    • SSDEEP

      12288:0b9A8rW1XrhJW8GjWcesrnJ19ZZx+T+/:U9hrW7JWH0qZZx+T

    Score
    8/10
    • Sets DLL path for service in the registry

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      b99c904be547228d5a2db0522243a158a3bc0c6cfc901012944457daada602ce

    • Size

      63KB

    • MD5

      5c2bde97438d98edb3dd2a755aa12339

    • SHA1

      6cd4a3bab1d639d43cb687c5f3a31da96ed6a981

    • SHA256

      b99c904be547228d5a2db0522243a158a3bc0c6cfc901012944457daada602ce

    • SHA512

      05b09f329c5262884ffb1c26881548cb0c054786c8ae71728e5642ae1b1eb4ef09dbc197ae67f7f5a4ba16b331a12ae5c0ee5c74fcc6b3ae0f38c067742ea7e6

    • SSDEEP

      768:ROwlvI5QKedEGn9qeNXalsFHp1fDaAL7X07dsYmTCknHq4OXxAiTqF6:ROwijynylifDaAX07dsYcnnon

    Score
    3/10
    • Target

      bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3

    • Size

      165KB

    • MD5

      119fc3356fd91b84ce3195f4914ce53e

    • SHA1

      e71024b789e25f79b50b9d79409ba0c85597cf35

    • SHA256

      bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3

    • SHA512

      44495f89eb6f8942dc63b1d70c8202b7ca3bcec0e7f35be4e10b13f28de01deee254435549c85c13a468bb713f558c0efab6c702ca69ea8ebe1cc9360aeb132f

    • SSDEEP

      3072:Xi+77RrDGdRTSHL/FnVxi7AnWpL5geHRiZ4qjKbknx/:XioIqFVxsqWpmeHouk

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      c25b0b627ea052c67ef549e1040e5a33779f8661172c2df6420de1d2b228f7b7

    • Size

      164KB

    • MD5

      19e7e57a7622586a96b10cc489303d0e

    • SHA1

      09e751d3f6078b21a534a319af248e03d82decdd

    • SHA256

      c25b0b627ea052c67ef549e1040e5a33779f8661172c2df6420de1d2b228f7b7

    • SHA512

      d059f5ba4cf37389a6d12701d7d37e4ec1815367a7c9822ff22a287ec3dcb99a669d8b48bea0948948d4235f86c0808ce8d0a01bbd9bc1914056c5e9874f7554

    • SSDEEP

      3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfp/TIdPVBf:veoUeZR2TRCWQFfhTId

    Score
    6/10
    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      c84a02a0b3cfe2af4c0c04c7ca69351a41501034bde0bb682ecb884b4e8aa36c

    • Size

      13KB

    • MD5

      ac725ee8d14e2097d46cd9f95f01e15f

    • SHA1

      65f52ec104aa323088ae77e1813c913beae12454

    • SHA256

      c84a02a0b3cfe2af4c0c04c7ca69351a41501034bde0bb682ecb884b4e8aa36c

    • SHA512

      56af23b9fc14e4748eed1d8ec3d08b770e224c0c0476fd793c77b5b5a3625b504f112f04e3e1830481307ba42389ca36b5a291f34a7df31aa337e50e4336ffda

    • SSDEEP

      192:d9PTogppHg6o9yh5RpIif04JuZoNrLOLEmpVmbkqkbZH6AHZNirucJs:HPsg3Hb5h5RrfX4oxCpfqy/2u6

    Score
    7/10
    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      eb135d0764932501b0122620e2b7a7ca5b56786d1a937871372ae989609cc3f8

    • Size

      261KB

    • MD5

      191da1ffda4d4e2bde32fa94544208bd

    • SHA1

      8cf473701b6bb545e506296a5b0d1d6b42dfb60a

    • SHA256

      eb135d0764932501b0122620e2b7a7ca5b56786d1a937871372ae989609cc3f8

    • SHA512

      0dc48399a37afc3e620cb9f118b37fbd635efbd4d125dc44e5db79f7c822a230347a0e4a89b62fea4e9d3499fcde5dc5be5291d9a27c3ffb05405eade08a2622

    • SSDEEP

      6144:bnT7UyrQBENt8VXcW0YQqLwhHrWGOP+5VTFg:jT7UCjyXn0YQqLWtVTm

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Drops file in System32 directory

    • Target

      f10e957b92fbb2bb57e0a51eeda99dedb1b0720a1be0422b53404d3252bef741

    • Size

      96KB

    • MD5

      1b18993f4b7b5b9500b0dfd055b60f5b

    • SHA1

      9f70e8d99492fc252d1e408b1bf8baa92c78b056

    • SHA256

      f10e957b92fbb2bb57e0a51eeda99dedb1b0720a1be0422b53404d3252bef741

    • SHA512

      c41bb308251b27372ee8770c004d8d31b87c109ea168a746635b556829f87df6d6fbf92f941b3441122409b063018c18900b325b6caa32af23a5cf3b22c3e332

    • SSDEEP

      3072:lCunH3YQ4TgvMvPQDeqgKJ+BCn0Y6Q5cp:lCAX3vMvPQNgKL0Y6Q5E

    Score
    8/10
    • Downloads MZ/PE file

    • Loads dropped DLL

    • Target

      f56dff55960cfb47416bebe71dca6effff8fc1a7066b0e0a965b94c3253e1943

    • Size

      412KB

    • MD5

      17a937e1f5bf0bda743aedf7f58e08c7

    • SHA1

      1bc73716082ffa37f119d98bd6a22338172039cb

    • SHA256

      f56dff55960cfb47416bebe71dca6effff8fc1a7066b0e0a965b94c3253e1943

    • SHA512

      391d7a6a63487cea1f0bec85c1c191f52baea2a322aef2fa2bd9b9d8768ed291dbf683a6efb6ed4119d19ed22b6bbaa1fd8c03f863b1959f8984917e9400f2a1

    • SSDEEP

      12288:iDj8inujY1U3crW5B1EYTGi7rYNsp0HFxkWbLAHmO:W1nvU3l5XTGioNO0HFzLAH

    Score
    1/10
    • Target

      fa4e1cb3e41e49004906adc5e9a22c484d18439fd84611d72f5c4fcac445f1c0

    • Size

      1012KB

    • MD5

      11a218065f8a3fdc547ec25b79e56177

    • SHA1

      31dcbef73197d04a99bf1358e09c6c809ab4c298

    • SHA256

      fa4e1cb3e41e49004906adc5e9a22c484d18439fd84611d72f5c4fcac445f1c0

    • SHA512

      6ef2ed805a138c84b3d51c7f79f7c8d867c4813ddd6e2a799f8644cd786a24cef045b4220de28ab8474386e4ca38434a084dafc8be27425e1abb2fbe107f78de

    • SSDEEP

      12288:Yf6o/b4/YhdWBHGep4jVGBXMWCOp+9l2fG0b46vJQ7:jockdWt4huMfOtM

    Score
    3/10

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2

  • Defense Evasion

    Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
    Modify Registry (T1112): 4
    Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1

  • Credential Access

    Unsecured Credentials (T1552): 2
    Credentials In Files (T1552.001): 2

  • Discovery

    Query Registry (T1012): 2
    System Information Discovery (T1082): 5
    Peripheral Device Discovery (T1120): 1

  • Collection

    Data from Local System (T1005): 2