da3436517cd5221cf123622458c80f45e08a8ead94381b9d37d5b0e341b7c529

General

Target

6a207be6807f1ea51f0bdeeb89e3ea4f0560f48f9b7ed3ed4ea68a212e2714ca.zip
Size

100KB
Sample

231105-mtvfsagc78
MD5

a8b4cf41e7d26b90955aec0b3581d21c
SHA1

6a10e2f8fb5a15921b84edce3605cae4e27f862d
SHA256

da3436517cd5221cf123622458c80f45e08a8ead94381b9d37d5b0e341b7c529
SHA512

065582b2f4871eded66d192346f50460ca548e3da0a823c4f6e6d24adae15a512fd848305884ac51745be532956f918c4eec83c046dbc2308c42644ae5b017da
SSDEEP

1536:9DxL91183mgW+DuWMOq0nRjcsi9vcZR79LSKmGBh6bqrRcGE/tBR7s3yQPvDkawr:9T82V+6WdRjcz9vgEmh62tZnXvK

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\HOW TO BACK FILES.txt

Ransom Note

Hello Your files are encrypted and can not be used We have downloaded your confidential data and are ready to publish it on our blog To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 2D5BE574C1825864555AA29E 5) You will see payment information and we can make free test decryption here 6)After payment, you will receive a tool for decrypting files, and we will delete the data that was taken from you Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Targets

- Target
  
  6a207be6807f1ea51f0bdeeb89e3ea4f0560f48f9b7ed3ed4ea68a212e2714ca.exe
- Size
  
  192KB
- MD5
  
  4e271ba5498e7511c0b01f3ef1b99114
- SHA1
  
  616e025ee6935b1453f552cb50ced3cd3faee5bb
- SHA256
  
  6a207be6807f1ea51f0bdeeb89e3ea4f0560f48f9b7ed3ed4ea68a212e2714ca
- SHA512
  
  7241fcb0249772affd0d40598428cdcf45eb224f37860703b71e1dd36608d0c9bc7e745448dd90d4e079505cecab57c09e91e2969cee3e018ae6d555aa1aaea4
- SSDEEP
  
  3072:6TzI7wjFPJkvsn2oYK9c1PQ2xQgGdHpbSAo8qW1EntxdvyyqbWI6lTNfWhDsO4sO:SuwZPuvs2oYOcRQ24H0Wy3dv3OhlNn50
Score

10^/10

evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (642) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (860) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2