General

  • Target

    28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c

  • Size

    5.4MB

  • Sample

    230925-sj5fwshd36

  • MD5

    c95c81ca4e6b8153b458d29186e696bc

  • SHA1

    f97f8f78abb205dda329d89143aae34ba04d13df

  • SHA256

    28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c

  • SHA512

    b16b34d9865286bad27128bc9cff81ab76c438c891d208015d7f957067a7e5dce228c2cccb9c15fb587f60c30dcda98684b5f7b011ba19793849323a239b2ae5

  • SSDEEP

    49152:lQg2p4oH77z/vVYyuI2LxaafnQqrfHdYmGD2u24ccQ9B1AzA7NUkZ+no6pzUiFR+:9oRG2kZ+nxxEGBRHYFzupjUqvbdwj

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note

We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 250 GB of your and your customers data, including:
Marketing data
Accounting
Confidentional documents
Personal data
Copy of some mailboxes
Databases backups

Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them.
You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below.
Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public.
Contact me: russellrspeck@seznam.cz or russellrspeck@protonmail.com
Additional ways to communicate in tox chat
tox id: A2DCDE8AAC5AB15F552621CF24A44A708EDFD0C89E22AE77087FA1E2F4FA057ABDD292BA6259
===========================================================
Customer service TOX ID: 0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58
Only emergency! Use if support is not responding
Emails

russellrspeck@seznam.cz

russellrspeck@protonmail.com

Targets

    • Detects the common Go function and variable names used by Snatch ransomware

    • Snatch Ransomware

      Ransomware family generally distributed through RDP bruteforce attacks.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (4055) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Renames multiple (7791) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion

    Indicator Removal (T1070): 2
    File Deletion (T1070.004): 2

  • Credential Access

    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1

  • Collection

    Data from Local System (T1005): 1

  • Impact

    Inhibit System Recovery (T1490): 2

Tasks