snatch | 28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c

General

Target

28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c
Size

5.4MB
Sample

231011-x6x3jsae49
MD5

c95c81ca4e6b8153b458d29186e696bc
SHA1

f97f8f78abb205dda329d89143aae34ba04d13df
SHA256

28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c
SHA512

b16b34d9865286bad27128bc9cff81ab76c438c891d208015d7f957067a7e5dce228c2cccb9c15fb587f60c30dcda98684b5f7b011ba19793849323a239b2ae5
SSDEEP

49152:lQg2p4oH77z/vVYyuI2LxaafnQqrfHdYmGD2u24ccQ9B1AzA7NUkZ+no6pzUiFR+:9oRG2kZ+nxxEGBRHYFzupjUqvbdwj

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note

We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 250 GB of your and your customers data, including: Marketing data Accounting Confidentional documents Personal data Copy of some mailboxes Databases backups Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact me: [email protected] or [email protected] Additional ways to communicate in tox chat tox id: A2DCDE8AAC5AB15F552621CF24A44A708EDFD0C89E22AE77087FA1E2F4FA057ABDD292BA6259 =========================================================== Customer service TOX ID: 0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58 Only emergency! Use if support is not responding

Emails

[email protected]

Targets

- Target
  
  28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c
- Size
  
  5.4MB
- MD5
  
  c95c81ca4e6b8153b458d29186e696bc
- SHA1
  
  f97f8f78abb205dda329d89143aae34ba04d13df
- SHA256
  
  28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c
- SHA512
  
  b16b34d9865286bad27128bc9cff81ab76c438c891d208015d7f957067a7e5dce228c2cccb9c15fb587f60c30dcda98684b5f7b011ba19793849323a239b2ae5
- SSDEEP
  
  49152:lQg2p4oH77z/vVYyuI2LxaafnQqrfHdYmGD2u24ccQ9B1AzA7NUkZ+no6pzUiFR+:9oRG2kZ+nxxEGBRHYFzupjUqvbdwj
Score

10^/10

snatch ransomware spyware stealer
- Detecting the common Go functions and variables names used by Snatch ransomware
- Snatch Ransomware
  Ransomware family generally distributed through RDP bruteforce attacks.
  ransomware snatch
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (2744) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (9391) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2