General

  • Target

    samples4.zip

  • Size

    11.3MB

  • Sample

    240101-s2944adcem

  • MD5

    78d1b2d2d33dbdee8a68614849da921e

  • SHA1

    c80d3a41878f8b776daeb5c706ecc4586f754a94

  • SHA256

    7ae4167445cef80f080de5b84c6490a61c1834aa1e05fce43e611c5d054da858

  • SHA512

    2bf4a6aa22954efdb5699299034a9a1bf5086634baaab14acc5e0904d3d38bab3a8e566f1f699340f99d71b128bd3d22df2b2a83d076ea0f031cd4c3b00b93c4

  • SSDEEP

    196608:iVPPnUoLLj3r94fPEC+uCSzmmGgQvFm69unI3xefV/EgOgm53FVvrYn/ushuMMof:cPPnUiD9QmJgKFKn9fV/EgOg61VMfYMj

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail nztz@tuta.io Write this ID in the title of your message 9754C293 In case of no answer in 24 hours write us to theese e-mails: nztz@tuta.io You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

nztz@tuta.io

Extracted

Path

C:\ProgramData\lcrueog.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Extracted

Path

C:\Users\Admin\Documents\Readme.1352FF327.txt

Ransom Note
~~~ DarkRace ransomware ~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://wkrlpub5k52rjigwxfm6m7ogid55kamgc5azxlq7zjgaopv33tgx2sqd.onion >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. You can install qtox to contanct us online https://tox.chat/download.html Tox ID Contact: ************************ Mail (OnionMail) Support: darkrace@onionmail.org >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
Emails

darkrace@onionmail.org

URLs

http://wkrlpub5k52rjigwxfm6m7ogid55kamgc5azxlq7zjgaopv33tgx2sqd.onion

https://tox.chat/download.html

Extracted

Path

\Device\HarddiskVolume1\How To Restore Your Files.txt

Ransom Note
!!! Your network is infected by the RTM Locker command!!! All your documents, photos, reports, customer and employee data, databases and other important files are encrypted and you cannot decrypt them yourself. They are also on our servers! But don't worry, we will help you recover all your files! The only way to recover your files is to buy our dedicated software. Only we can provide you with this software, and only we can recover your files! You can contact us by downloading and installing the TOR browser (https://www.torproject.org/download/languages/) We value our reputation. If we do not fulfill our work and obligations, no one will pay us. It's not in our interest. All of our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. ================================================= ============================================== Login link: http://3wugtklp46ufx7dnr6j5cd6ate7wnvnivsyvwuni7hqcqt7hm5r72nid.onion/1D85262A4B3F59090972E7EE7804FC641E9CBB6D65E5F4B376DF37D6180CD1/connect For authorization you need to enter your ID. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Warning!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! If you do not contact the support team within 48 hours, your data will be published in the public domain, and data compromising you will be sent to your competitors, as well as to the relevant regulatory authorities. ================================================================================================ You can also contact us at tox. You can download it here: https://tox.chat/download.html Our contact: A0FE105A82525ECB94DD2977B4A1F8A5A7CF82F12D720DD8C8D9CCA3F98B6F52D911126AC1DF ================================================================================================ DO NOT ATTEMPT TO RECOVER THE FILES YOURSELF! DO NOT MODIFY ENCRYPTED FILES! OTHERWISE YOU MAY LOSE ALL YOUR FILES FOREVER! ================================================================================================
URLs

http://3wugtklp46ufx7dnr6j5cd6ate7wnvnivsyvwuni7hqcqt7hm5r72nid.onion/1D85262A4B3F59090972E7EE7804FC641E9CBB6D65E5F4B376DF37D6180CD1/connect

https://tox.chat/download.html

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail nztz@tuta.io Write this ID in the title of your message CE303D24 In case of no answer in 24 hours write us to theese e-mails: nztz@tuta.io You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

nztz@tuta.io

Targets

    • Target

      samples4.zip

    • Size

      11.3MB

    • MD5

      78d1b2d2d33dbdee8a68614849da921e

    • SHA1

      c80d3a41878f8b776daeb5c706ecc4586f754a94

    • SHA256

      7ae4167445cef80f080de5b84c6490a61c1834aa1e05fce43e611c5d054da858

    • SHA512

      2bf4a6aa22954efdb5699299034a9a1bf5086634baaab14acc5e0904d3d38bab3a8e566f1f699340f99d71b128bd3d22df2b2a83d076ea0f031cd4c3b00b93c4

    • SSDEEP

      196608:iVPPnUoLLj3r94fPEC+uCSzmmGgQvFm69unI3xefV/EgOgm53FVvrYn/ushuMMof:cPPnUiD9QmJgKFKn9fV/EgOg61VMfYMj

    Score
    1/10
    • Target

      0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4/0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4

    • Size

      255KB

    • MD5

      1933fed76a030529b141d032c0620117

    • SHA1

      c55c60a23f5110e0b45fc02a09c4a64d3094809a

    • SHA256

      0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4

    • SHA512

      b153383ebd9919ff293896381d89a895c58985eef60f67803a4276026631184f4d85c19e9ea06351efb7230226b18ed9a17b533fb602e10ded518a7bd090dcfe

    • SSDEEP

      3072:iBWxT8JtvyAuX3CGun8r8206BretpJwIiymE9xTRVhGT4z106OKclYQO565tgPYs:iBxrKA4CGu8V0tl9zVhM49OxlYQ8fD3

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (141) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d/1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d

    • Size

      919KB

    • MD5

      28e242e4680d33a2757aa2353cb84f8d

    • SHA1

      6b949c3f919d530410beb7082a41e1f30bc5ea3e

    • SHA256

      1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d

    • SHA512

      c00ce7ff6bc841533f3b18b3de8e864dc34e3370912b3bfc924b31e51e505b19422c61685d606861fdd7b25e6ba7a97aa42a7dd0d4bf18bc24863ec09b3d54e2

    • SSDEEP

      24576:PYl48Rnd+xEhyXOmBjuGh3HZDCixvP/Fg:+N5d+GhoOSVh3FCkvP/

    Score
    10/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      3c73425d026a172779c8ffc5e338afbf6e66f1ad3020a11c2bece4658fcb28fc/3c73425d026a172779c8ffc5e338afbf6e66f1ad3020a11c2bece4658fcb28fc

    • Size

      213KB

    • MD5

      045ffadc2fda21d2cd8e2fc37e9557c9

    • SHA1

      85fce2c0d66c852e9b7b326198da0cfb9f31fc54

    • SHA256

      3c73425d026a172779c8ffc5e338afbf6e66f1ad3020a11c2bece4658fcb28fc

    • SHA512

      7233efe7849edd61163d0656f1a732760f7b649f38b94cb7d8eef0e30450013d684a5b4241a1708d734c5a5ef6ce26d5cf1bdc3ccd6002d3edfc6a51e9698452

    • SSDEEP

      768:ZzCQUwJLKh1hn49V/KmhP1ypZr1hn49V/KmdP1ywZc:bA1hn4HmR1hn4HP+

    Score
    6/10
    • Drops desktop.ini file(s)

    • Target

      5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3/5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3

    • Size

      4.5MB

    • MD5

      407ba61bab1c10cabf0b5a7c40d43041

    • SHA1

      82d180dc50763c6a71f8449ef44e467afbc09e74

    • SHA256

      5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3

    • SHA512

      73bd51f5885587ec5c930d4ab0cd543b9b0479304c4a3c03d73abdd7b064a2ec4e8b01af45f7517072ce12daa2cfb679589603060438bfafa331a0b66b926f4a

    • SSDEEP

      98304:BD9WybBsIt6XW7JD9ENTPZsz3yilw5OLEvvybN/aBDPsfut6e:BxWaBhP719CCzC2EO4vvyb5a1mu0e

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (314) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0/5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0

    • Size

      2.2MB

    • MD5

      71a4ba0fe0bc0cb450b8966cb585f757

    • SHA1

      eccb76a942b3359d8dbf4c12e6bc3be0c8627eca

    • SHA256

      5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0

    • SHA512

      5748e02e83ea32118013741680be6e2eea398b05cde8c359e0db9126175ce63a4890e7ca654e5a5930970889aa2598c650395972107d41522e55207dd5460c01

    • SSDEEP

      12288:QnQY+2XG1Inz4vM/nlBKSduzxx73zDJnaPxMrFHQJGTTqTdd1o/CMj:QbGOnbzuHT5naPxUHQATTqzi/Cu

    Score
    10/10
    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      5f7cdd8c28daba74fd96c1aa9de6d920b026dcea5b596e7e145ffe11c5a4cb8e/5f7cdd8c28daba74fd96c1aa9de6d920b026dcea5b596e7e145ffe11c5a4cb8e

    • Size

      5.8MB

    • MD5

      bee46db93df737c15c59a6e1fd132954

    • SHA1

      680c46e55f600933fa0b5658f27f60bc336fcc96

    • SHA256

      5f7cdd8c28daba74fd96c1aa9de6d920b026dcea5b596e7e145ffe11c5a4cb8e

    • SHA512

      69f253a708bbc9adbd4cd909ec1999e9bff0b2423e0b3c59eb760b73f19bdbdd77f0ead4d35afd70bc2925ef3928a76fbac7c5a504f5792e6a661081a1ef9871

    • SSDEEP

      98304:GMe3NP8k6r0Cx2MQkxvJrUTjOaBTbRlNIyJM+DP1zgFcqtZs:+O4FMQk2jVBXRHIL+psfs

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Indicator Removal (T1070): 6

  • File Deletion (T1070.004): 6

  • Modify Registry (T1112): 5

  • Virtualization/Sandbox Evasion (T1497): 2

Credential Access

  • Unsecured Credentials (T1552): 1

  • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 11

  • Peripheral Device Discovery (T1120): 3

  • System Information Discovery (T1082): 13

  • Remote System Discovery (T1018): 2

  • Virtualization/Sandbox Evasion (T1497): 2

Collection

  • Data from Local System (T1005): 1

Impact

  • Inhibit System Recovery (T1490): 6

  • Defacement (T1491): 2

Tasks