General

  • Target

    forigpatch.exe

  • Size

    3.9MB

  • Sample

    231121-f5ca1sdd3v

  • MD5

    bf45eb9cb4aefcff77e9db878f9c5fb1

  • SHA1

    8e7a95e87cb40c10d019e695bea1ee3612cef247

  • SHA256

    27f7a332ba10bae9dbc527ea25c787cb1850f0b34295cd49118f040f08f4fe56

  • SHA512

    bb0a154ba120c64693f874ed2d670bf1c230bbd2229d2aa461fbbae12756c3d52f7e3825665b68c97067cbe384d8c5728543c941643d5b3908579ff8f2e7feda

  • SSDEEP

    49152:r4XomcoDCd9Vv8+n6/7aWBRogspm541YzoI1DK+GCzJ573cj/ja8Rhe901MxZOp8:rAodd9VE+n6/73BegsSOI1DKFCvLib7

Score
10/10

Malware Config

Extracted

Family

agenda

Attributes
  • company_id

    QTduEqZI6Q

  • note

    -- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: QTduEqZI6Q Domain: p3q5g2qsq4tglsbyhlghzutwr75uyz47ozasrserev7kann5h7qedxid.onion login: BYxo9FGIiH58sNWWzh967d5fQexHPomf password:

rsa_pubkey.plain

Targets

    • Target

      forigpatch.exe

    • Size

      3.9MB

    • MD5

      bf45eb9cb4aefcff77e9db878f9c5fb1

    • SHA1

      8e7a95e87cb40c10d019e695bea1ee3612cef247

    • SHA256

      27f7a332ba10bae9dbc527ea25c787cb1850f0b34295cd49118f040f08f4fe56

    • SHA512

      bb0a154ba120c64693f874ed2d670bf1c230bbd2229d2aa461fbbae12756c3d52f7e3825665b68c97067cbe384d8c5728543c941643d5b3908579ff8f2e7feda

    • SSDEEP

      49152:r4XomcoDCd9Vv8+n6/7aWBRogspm541YzoI1DK+GCzJ573cj/ja8Rhe901MxZOp8:rAodd9VE+n6/73BegsSOI1DKFCvLib7

    Score
    10/10
    • Agenda Ransomware

      A ransomware with multiple variants written in Golang and Rust first seen in August 2022.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (171) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks