magniber | 8ab78bc8884b9de573a3dc19e7fc206e925f643aee3f152d19e8d1caa90b6312

General

Target

a3e7152abd213f303c1561aa20ed9cea
Size

38KB
Sample

231227-fc7apacbcp
MD5

a3e7152abd213f303c1561aa20ed9cea
SHA1

0cfb6ac5f567c4dd3e9ebe741c2b8b0e19cb243e
SHA256

8ab78bc8884b9de573a3dc19e7fc206e925f643aee3f152d19e8d1caa90b6312
SHA512

854dad9d639cb4c9860c7dcd2d1bb7204ce3efe0a5bc0521d37a61e7ef3787a8334620d718ec2abdbbd077122c008273ce29cf1382af45d8411c431f5cf2e777
SSDEEP

768:bL2WWrr4WdC5pqndJgr8q39GGL3RqL9Q1VW028JQyt3uh11yCg:GdC5pqndJIHtGCE9Q1rRxIM

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://e00810f81c0094e05asabwrkkob.grv4f55lyxu36y26o4orfzy7vmwiljcruko6r7q4tatxvjugg4j66lid.onion/sabwrkkob Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://e00810f81c0094e05asabwrkkob.hesmust.top/sabwrkkob http://e00810f81c0094e05asabwrkkob.salecup.club/sabwrkkob http://e00810f81c0094e05asabwrkkob.tietill.space/sabwrkkob http://e00810f81c0094e05asabwrkkob.hegame.xyz/sabwrkkob Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://e00810f81c0094e05asabwrkkob.grv4f55lyxu36y26o4orfzy7vmwiljcruko6r7q4tatxvjugg4j66lid.onion/sabwrkkob

http://e00810f81c0094e05asabwrkkob.hesmust.top/sabwrkkob

http://e00810f81c0094e05asabwrkkob.salecup.club/sabwrkkob

http://e00810f81c0094e05asabwrkkob.tietill.space/sabwrkkob

http://e00810f81c0094e05asabwrkkob.hegame.xyz/sabwrkkob

Targets

- Target
  
  a3e7152abd213f303c1561aa20ed9cea
- Size
  
  38KB
- MD5
  
  a3e7152abd213f303c1561aa20ed9cea
- SHA1
  
  0cfb6ac5f567c4dd3e9ebe741c2b8b0e19cb243e
- SHA256
  
  8ab78bc8884b9de573a3dc19e7fc206e925f643aee3f152d19e8d1caa90b6312
- SHA512
  
  854dad9d639cb4c9860c7dcd2d1bb7204ce3efe0a5bc0521d37a61e7ef3787a8334620d718ec2abdbbd077122c008273ce29cf1382af45d8411c431f5cf2e777
- SSDEEP
  
  768:bL2WWrr4WdC5pqndJgr8q39GGL3RqL9Q1VW028JQyt3uh11yCg:GdC5pqndJIHtGCE9Q1rRxIM
Score

10^/10

magniber ransomware
- Detect magniber ransomware
- Magniber Ransomware
  Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
  ransomware magniber
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (89) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2