Overview

overview

10

Static

static

3

009aaaf3b4...9d.dll

windows7-x64

10

009aaaf3b4...9d.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    009aaaf3b4f3a34b662cb9d27fb4409d

  • Size

    39KB

  • Sample

    231224-rqf67sdhcq

  • MD5

    009aaaf3b4f3a34b662cb9d27fb4409d

  • SHA1

    ac5bfd05ec67090c4f7180519628328e29f3f39a

  • SHA256

    2b474cca6c5ff5e1d435d91694b4436876901e3be9c63c3a1d76ff3dbc432017

  • SHA512

    50973c3ac2849c8664d74d7efc07fcb0a43260d05030fa7772f135cf716357d522309e70d7ba4ee51cd44ea7a3c711b321221b33ab192ccce6ee71dceb527aea

  • SSDEEP

    768:QJvL0rvzhHm06R0Zd+01mV0kgMazfo269xnWf77/KrkVPe4kQKNNJ7kIGsp9C88K:q0rvzhV6Ra+01Y0dMio39xWDrKrkVm4i

Score
10/10
magniberransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://2a4422984c4c6cb052sgokwyejx.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/sgokwyejx Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://2a4422984c4c6cb052sgokwyejx.actmake.site/sgokwyejx http://2a4422984c4c6cb052sgokwyejx.bearsat.space/sgokwyejx http://2a4422984c4c6cb052sgokwyejx.mixedon.xyz/sgokwyejx http://2a4422984c4c6cb052sgokwyejx.spiteor.space/sgokwyejx Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://2a4422984c4c6cb052sgokwyejx.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/sgokwyejx

http://2a4422984c4c6cb052sgokwyejx.actmake.site/sgokwyejx

http://2a4422984c4c6cb052sgokwyejx.bearsat.space/sgokwyejx

http://2a4422984c4c6cb052sgokwyejx.mixedon.xyz/sgokwyejx

http://2a4422984c4c6cb052sgokwyejx.spiteor.space/sgokwyejx

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://24e870181848369088sgokwyejx.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/sgokwyejx Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://24e870181848369088sgokwyejx.actmake.site/sgokwyejx http://24e870181848369088sgokwyejx.bearsat.space/sgokwyejx http://24e870181848369088sgokwyejx.mixedon.xyz/sgokwyejx http://24e870181848369088sgokwyejx.spiteor.space/sgokwyejx Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://24e870181848369088sgokwyejx.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/sgokwyejx

http://24e870181848369088sgokwyejx.actmake.site/sgokwyejx

http://24e870181848369088sgokwyejx.bearsat.space/sgokwyejx

http://24e870181848369088sgokwyejx.mixedon.xyz/sgokwyejx

http://24e870181848369088sgokwyejx.spiteor.space/sgokwyejx

Targets

    • Target

      009aaaf3b4f3a34b662cb9d27fb4409d

    • Size

      39KB

    • MD5

      009aaaf3b4f3a34b662cb9d27fb4409d

    • SHA1

      ac5bfd05ec67090c4f7180519628328e29f3f39a

    • SHA256

      2b474cca6c5ff5e1d435d91694b4436876901e3be9c63c3a1d76ff3dbc432017

    • SHA512

      50973c3ac2849c8664d74d7efc07fcb0a43260d05030fa7772f135cf716357d522309e70d7ba4ee51cd44ea7a3c711b321221b33ab192ccce6ee71dceb527aea

    • SSDEEP

      768:QJvL0rvzhHm06R0Zd+01mV0kgMazfo269xnWf77/KrkVPe4kQKNNJ7kIGsp9C88K:q0rvzhV6Ra+01Y0dMio39xWDrKrkVm4i

    Score
    10/10
    magniberransomware

    • Detect magniber ransomware

    • Magniber Ransomware

      Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

      ransomwaremagniber

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (95) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks