6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8

General

Target

6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8
Size

54KB
Sample

230922-fe3qaafa85
MD5

922b792af0973f66295ac008a4bf8ba5
SHA1

ee192b0baabf0400d539fdfdfa29dbf77e510651
SHA256

6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8
SHA512

9056f1f0b24a412280630a5c853ff42b7e6859de721c4ec44dff68440047df236375d7b62c7e29360bcb3a1dd6472396c41efc9c13ac6e7ed4d4e47fcb42f611
SSDEEP

768:Rtw7IhDZJ6hewrODscKPuI0oA9qytCFIa02ZlT7lSH6QywpLPCGgj4aRFElcn7gD:PLohTPcKEo6aFEQtvpa

Score

10^/10

Malware Config

Extracted

Path

F:\HOW TO BACK FILES.txt

Ransom Note

Hello Your files are encrypted and can not be used We have downloaded your confidential data and are ready to publish it on our blog To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 86C115F74384E550BB6448A1 5) You will see payment information and we can make free test decryption here 6)After payment, you will receive a tool for decrypting files, and we will delete the data that was taken from you Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Targets

- Target
  
  6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8
- Size
  
  54KB
- MD5
  
  922b792af0973f66295ac008a4bf8ba5
- SHA1
  
  ee192b0baabf0400d539fdfdfa29dbf77e510651
- SHA256
  
  6f13a8378f21522f89f8933ea240d2f78ff052ea1c21243d78af2364680f00d8
- SHA512
  
  9056f1f0b24a412280630a5c853ff42b7e6859de721c4ec44dff68440047df236375d7b62c7e29360bcb3a1dd6472396c41efc9c13ac6e7ed4d4e47fcb42f611
- SSDEEP
  
  768:Rtw7IhDZJ6hewrODscKPuI0oA9qytCFIa02ZlT7lSH6QywpLPCGgj4aRFElcn7gD:PLohTPcKEo6aFEQtvpa
Score

10^/10

discovery evasion persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (3598) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2