General

  • Target: 13004603302.zip
  • Size: 404KB
  • Sample: 231124-mmfztahg82
  • MD5: 7bc5d2a874da702195d4e5a5ba9bf0a5
  • SHA1: 8a27cfd6e6c9ea6026d24aec08aa68891ca7709f
  • SHA256: eaf141097e6e50d51a2ce28f152f6ce9956260454e28ab215824459cbd9b7dea
  • SHA512: d4f53ab2d67847c62d2a21865e0041cc816dfe42c65ae2d4cac12d58ad5adebb8e7fcb462b538af27eec35891a6b4b830d8aa874cd0e2c41724c6ea943fb3bcf
  • SSDEEP: 12288:tEVpNtJh1J2YbDlUx6Z+pij1KTvUGRDEdW:mN/h1JREpiZCjgE

Malware Config

Extracted

Path

C:\Users\Admin\!!!WARNING!!!.txt

Ransom Note

/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\
ŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊ
Hello All your files are encrypted by Blackoutware.
For decryption Send 5000€ LTC or BTC to The Wallet Mentioned At the Bottom of the Text And Email us with the Transaction ID And ID We Will Give u the Decryptor
BTC Address: bc1q265exqnphfd99a2v00yzd87mz6kjpqkylk2cv3
LTC Address: Lh9PRuQsnwJcvAJCvJ9e7iNh6nueFCnXvf
Where to Buy Crypto and Where to Store it?
ANSWER: Download exodus at https://www.exodus.com/ And buy Crypto at https://www.moonpay.com/
If U Dont Pay! We Will Leak all ur Sensitive Information Such as Passwords,Credit Cards,Files
Our Email: [email protected]
Our Telegram: https://t.me/BlackoutRansom
Your ID:MFJKVLBU3V
[+] This File is Stored in C:\Users\Admin\!!!WARNING!!!.txt
[+] Do not delete This Text File
[+] Do not rename encrypted files.
[+] Do not try to decrypt your data using third party software, it may cause permanent data loss.
[+] You have 72 hours to get the key.
URLs

https://www.exodus.com/

https://www.moonpay.com/

https://t.me/BlackoutRansom

Extracted

Path

C:\Users\Admin\!!!WARNING!!!.txt

Ransom Note

/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\/^\
ŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊŊ
Hello All your files are encrypted by Blackoutware.
For decryption Send 5000€ LTC or BTC to The Wallet Mentioned At the Bottom of the Text And Email us with the Transaction ID And ID We Will Give u the Decryptor
BTC Address: bc1q265exqnphfd99a2v00yzd87mz6kjpqkylk2cv3
LTC Address: Lh9PRuQsnwJcvAJCvJ9e7iNh6nueFCnXvf
Where to Buy Crypto and Where to Store it?
ANSWER: Download exodus at https://www.exodus.com/ And buy Crypto at https://www.moonpay.com/
If U Dont Pay! We Will Leak all ur Sensitive Information Such as Passwords,Credit Cards,Files
Our Email: [email protected]
Our Telegram: https://t.me/BlackoutRansom
Your ID:GJMI74DG9I
[+] This File is Stored in C:\Users\Admin\!!!WARNING!!!.txt
[+] Do not delete This Text File
[+] Do not rename encrypted files.
[+] Do not try to decrypt your data using third party software, it may cause permanent data loss.
[+] You have 72 hours to get the key.
URLs

https://www.exodus.com/

https://www.moonpay.com/

https://t.me/BlackoutRansom

Targets

    • Target: cf235bd2c46ce62bcffa21733ada4a8e13a6f2f8d4a88b3f3d3346c5949b5373
    • Size: 1.4MB
    • MD5: f127b55a763f0b5838378eb8f4b05bab
    • SHA1: c5ef971fc7aa5fc171c8e390d0b5e81af3db87d8
    • SHA256: cf235bd2c46ce62bcffa21733ada4a8e13a6f2f8d4a88b3f3d3346c5949b5373
    • SHA512: 5007f845f6516f24091e41cc2c34ab573e071b462629a38fb25fe6e2728177246492b47dacf44958167f522f49ab605299e845513a223a9843c72d2e8a1e8820
    • SSDEEP: 6144:45kyU77IKUHOtznzxeClHkxejI3xyMFjVaxNgwCZuHuZx4F6vLcG8TJiOfUGZGkY:FNHtxUcG8VGcggaRDevszNThj

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (126) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (97) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

MITRE ATT&CK Enterprise v15

Tasks