Resubmissions

  • 01-03-2024 13:18  240301-qj37qagc71  7

  • 28-12-2023 16:27  231228-tygh2sheh8  10

General

  • Target

    88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a

  • Size

    1.7MB

  • Sample

    231228-tygh2sheh8

  • MD5

    5f1977ff2e710323036df5bf5fd7df2b

  • SHA1

    cf856ca9dfee5a3935d5e7ad192044438ab6c500

  • SHA256

    88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a

  • SHA512

    8cc6808e0285a73ca90f4247982e1ee635f492a54929bad49c55ebe45f3ba45eba80777043085b811e91ceb72fab744af6e9bc93185b7450a44323886efa743a

  • SSDEEP

    49152:2svcOp7uaMh54agPw0Ic02gRotHcBWJz9FNFU:2s0KCHDdg40I9LsFQ

Malware Config

Extracted

  • Path

    C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\FILE RECOVERY_ID_180870197840.txt

  • Ransom Note

    Hello Your file has been encrypted and cannot be used When you see this letter, your privacy data has been backed up by us. If you do not handle it, we will publish your privacy data after the 7th. Don't try to change or restore the file yourself, which will destroy them If necessary, you can decrypt a test file for free. Free test decryption is only available for files less than 3MB in size. To restore files, you need a decryption tool. Please contact us by email. Please add the file name of this document to the email and send it to me. "FILE RECOVERY_ID xxxxxx" I will tell you the amount you need to pay. After the payment is completed, we will make the decryption tool and send it to you. Customer service mailbox: locked@onionmail.org Spare mailbox: (use this mailbox after no reply in 24 hours) liveteam@onionmail.org You can also contact us through intermediary agencies (such as data recovery companies) If you refuse to pay, you will be attacked constantly. Your privacy -sensitive data will also be announced on Internet. !! We are a team that pays attention to credibility, so you can pay safely and restore data. LIVE TEAM

  • Emails

    locked@onionmail.org

    liveteam@onionmail.org

Targets

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (837) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes system backups

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    T1059 Command and Scripting Interpreter (1)

  • Defense Evasion

    T1070 Indicator Removal (4)

    T1070.004 File Deletion (3)

  • Credential Access

    T1552 Unsecured Credentials (1)

    T1552.001 Credentials In Files (1)

  • Discovery

    T1012 Query Registry (2)

    T1082 System Information Discovery (3)

    T1120 Peripheral Device Discovery (1)

  • Collection

    T1005 Data from Local System (1)

  • Impact

    T1490 Inhibit System Recovery (4)

Tasks