General
-
Target
forigpatch.exe
-
Size
3.9MB
-
Sample
231121-f5ca1sdd3v
-
MD5
bf45eb9cb4aefcff77e9db878f9c5fb1
-
SHA1
8e7a95e87cb40c10d019e695bea1ee3612cef247
-
SHA256
27f7a332ba10bae9dbc527ea25c787cb1850f0b34295cd49118f040f08f4fe56
-
SHA512
bb0a154ba120c64693f874ed2d670bf1c230bbd2229d2aa461fbbae12756c3d52f7e3825665b68c97067cbe384d8c5728543c941643d5b3908579ff8f2e7feda
-
SSDEEP
49152:r4XomcoDCd9Vv8+n6/7aWBRogspm541YzoI1DK+GCzJ573cj/ja8Rhe901MxZOp8:rAodd9VE+n6/73BegsSOI1DKFCvLib7
Static task
static1
Behavioral task
behavioral1
Sample
forigpatch.exe
Resource
win10-20231023-en
Malware Config
Extracted
agenda
-
company_id
QTduEqZI6Q
-
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: QTduEqZI6Q Domain: p3q5g2qsq4tglsbyhlghzutwr75uyz47ozasrserev7kann5h7qedxid.onion login: BYxo9FGIiH58sNWWzh967d5fQexHPomf password:
Targets
-
-
Target
forigpatch.exe
-
Size
3.9MB
-
MD5
bf45eb9cb4aefcff77e9db878f9c5fb1
-
SHA1
8e7a95e87cb40c10d019e695bea1ee3612cef247
-
SHA256
27f7a332ba10bae9dbc527ea25c787cb1850f0b34295cd49118f040f08f4fe56
-
SHA512
bb0a154ba120c64693f874ed2d670bf1c230bbd2229d2aa461fbbae12756c3d52f7e3825665b68c97067cbe384d8c5728543c941643d5b3908579ff8f2e7feda
-
SSDEEP
49152:r4XomcoDCd9Vv8+n6/7aWBRogspm541YzoI1DK+GCzJ573cj/ja8Rhe901MxZOp8:rAodd9VE+n6/73BegsSOI1DKFCvLib7
Score10/10-
Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
-
Renames multiple (171) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-