General
-
Target
samples (2) (3).zip
-
Size
2.1MB
-
Sample
240101-sk786sfeg4
-
MD5
ef77a8926ba8419c886a9862e064eb7f
-
SHA1
a12d66fca51f2ceb0a0d631f84924678b6481e48
-
SHA256
ef99a1844cbf354868a70cdcc2584ec94ffceafc4ffcd3a6b5563fa1d632844e
-
SHA512
a7f86c90e2734d1033eb5afd814b554c92bbd30128b02183d5cba689e7ac0b2c065eed9534cfac689e7bc6a405718fec8b567cbaf8e8711a791f707d2cc4f315
-
SSDEEP
49152:bGKM2Bb45hv8YJbPp38tBHjgq6/IyKU7UIk0EaQLeM+AZHDQl:bGKM2BU5hvbJbhOEq6MU7UIkxaQqMvy
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
decrypt@fros.cc
Targets
-
-
Target
samples (2) (3).zip
-
Size
2.1MB
-
MD5
ef77a8926ba8419c886a9862e064eb7f
-
SHA1
a12d66fca51f2ceb0a0d631f84924678b6481e48
-
SHA256
ef99a1844cbf354868a70cdcc2584ec94ffceafc4ffcd3a6b5563fa1d632844e
-
SHA512
a7f86c90e2734d1033eb5afd814b554c92bbd30128b02183d5cba689e7ac0b2c065eed9534cfac689e7bc6a405718fec8b567cbaf8e8711a791f707d2cc4f315
-
SSDEEP
49152:bGKM2Bb45hv8YJbPp38tBHjgq6/IyKU7UIk0EaQLeM+AZHDQl:bGKM2BU5hvbJbhOEq6MU7UIkxaQqMvy
Score1/10 -
-
-
Target
100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48
-
Size
308KB
-
MD5
e2982778434438cce87e6f43493d63ce
-
SHA1
1927c6f73714a3d06d379d2bc4693e7a970d5cea
-
SHA256
100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48
-
SHA512
47e51150b308109e218949cfe80160706bca06f2ba9b2ffac27e36db35a2ead729766afc09936d020cde20e0678a7c912d1ed59a6295fe9bcceb17f2b12b2248
-
SSDEEP
6144:j09jZMz/y1rekkCkVg+AW93YVfhZR3MM+SYRQlsQc0EJroJ:AXC/FkdkVg9WlufR3MM+PRQvcZ
Score1/10 -
-
-
Target
16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49
-
Size
207KB
-
MD5
8d0a312773a8475e499b7f879cfe8ece
-
SHA1
7aa2568f464780f85dafd385a6ff82d79ea6379f
-
SHA256
16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49
-
SHA512
a7cbd19806e8832ef687ccf01debf3db4c0afb9e631379e2200c7da5144fd40146508b2c9685bddadf620491bff5f30f910ab0d6c900fc34bfb0893dcd78d953
-
SSDEEP
3072:5M+lmsolAIrRuw+mqv9j1MWLQBexM+lmsolAIrRuw+mqv9j1MWLQ:S+lDAAYx+lDAA
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
2727dde7418284bd2b16a032346a9c6921cbfb5e950ad21c9468792b71ee3898
-
Size
77KB
-
MD5
e076f267e066671604177ee2f4f406f9
-
SHA1
ca09b5cdbb6c4f12f8b1486ed282f64e6c0d64b9
-
SHA256
2727dde7418284bd2b16a032346a9c6921cbfb5e950ad21c9468792b71ee3898
-
SHA512
f4d65ba7a7afee6335c10a178a5536f6f1a2255a9eeddbb34b6f6b4b87fe6f91354a883bdba1657311f240b88ba1496e51e04999681bcd2543da5ca8016408d8
-
SSDEEP
1536:7ClodSIRar0dQMLPRNqC3P0btbqJYl6i9Fp9glI792Li/yuUBQs:2aQIYQOYPtY6pi9we2sd
Score9/10-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (2120) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Adds Run key to start application
-
-
-
Target
29dd920ac1453b5be12fcef5af45690dbbe625e985f6692e237a057e832937e5
-
Size
67KB
-
MD5
26838a257e64a6c6dfeb1d49f3fe114f
-
SHA1
105c02e87551ccdb00b27eb939dae094a418fa29
-
SHA256
29dd920ac1453b5be12fcef5af45690dbbe625e985f6692e237a057e832937e5
-
SHA512
6e71bc97e0d1d9d64f85e30d0c6a0cd8f8e9f503496962cda8a694fdd90930ccae289132aba2fbd61eefc782298399deacc20a49476a8775811191423c639174
-
SSDEEP
1536:diEmjO9wAM2Cq6Av4YHLV1zbYnGJ0+FonVZ4iD5aJxuNRj6W8Q:6UwAMQTv7p1zEG6+sVBKWR
Score1/10 -
-
-
Target
2001.exe
-
Size
138KB
-
MD5
b9272a777740d1b5796cc6eaf7eff252
-
SHA1
43526f39d742bb421ebe2514fa1e7bee2ec0f86d
-
SHA256
df93154c63aeea6a56d0f2b4c89d424f38897c2a43d756495efa4cfa69f87aa4
-
SHA512
2e19dd25e46400878b6fcecceb8a7f650a996e47f8b785f3a63e640710951a4a8fe6991842879d1959b65f59f25ccefc76b39bd9d46fa62e3acb5d5a481544bc
-
SSDEEP
3072:1ZO75plD368W/5SeiLHpV3IhzfW+3g70XdlqgDuYUB/vemeeCLdJLVd:1C5px3HW/3iLHpV4hzu+jd7uYU5JexTd
Score9/10-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (266) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
3c5ffe21fd24c4daf62f5190d96e65bf7a25232ef9ec956a77db910e90750017
-
Size
64KB
-
MD5
460a2e4418cadbbb91513e4908ab765c
-
SHA1
4bf64187179ba81f7ed6295d30079c8bd56d9148
-
SHA256
3c5ffe21fd24c4daf62f5190d96e65bf7a25232ef9ec956a77db910e90750017
-
SHA512
59e730bf6bd6a18fd287da1d205f197b46620415ad228953333b6a98b3e64dccb4b52a4c86b0f4f335678418a64757ea4425d70ec54f2deefb1db4ab5edc759a
-
SSDEEP
768:y6xnBtviPDs6zWgjU7p6iViakLi05kToZ0uoKKJKr9jlQJZVLfUlAvHm:1tvn6zxuZkLpP6uoW9azVfUee
Score1/10 -
-
-
Target
48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420
-
Size
53KB
-
MD5
13bfc9705ee633aec38f4ccffdca471c
-
SHA1
bfa8395e872262b95bb218b9834edd90ab2cff5e
-
SHA256
48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420
-
SHA512
c900e5dd21c35c2ff875b3d209bff0da0d52468d48dc17324401f5646bf7bdcbeec460085e8abad222dfb30bd85e2c3d214dce80e2de567cb6ddee217999be6e
-
SSDEEP
768:1xPUSvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5NID:1lHeytM3alnawrRIwxVSHMweio3jI
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Renames multiple (8113) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
-
-
Target
568a79ce585dac32af237cb187b663cb6d2e4f594d66860c7ea1b3c66e4b7919
-
Size
78KB
-
MD5
0163a114f3cd11d4a2d3c1374bf4878d
-
SHA1
96b9b8510641a18f7920f48078087001a16db568
-
SHA256
568a79ce585dac32af237cb187b663cb6d2e4f594d66860c7ea1b3c66e4b7919
-
SHA512
0104fedf9a6cc994a267f743c8fa3324af388e2191dec5aff1eedf7345a1d0bbb4829db2b846dd6f7e63e2e4c04aaa0d315ed8b7361c8fbbd8b9f0096e90cba0
-
SSDEEP
1536:freiQwer+Gu3gzQ6qOAI2PneemZcsABvYPpXUJqnwBWH9R1X3Jq5:yiPGu34Q6pAgeJsOOYByXHJ
Score9/10-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (482) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
57de0d2d5945db11d6c845459419a1b48a5cf415a7a0866c40b03afaec6fb4fe
-
Size
108KB
-
MD5
04bd0a129ac331d598a08c88f3b99089
-
SHA1
e2b18d04541e93c7e2c871849061dcea5a77dc95
-
SHA256
57de0d2d5945db11d6c845459419a1b48a5cf415a7a0866c40b03afaec6fb4fe
-
SHA512
82495d4d2d1319d52e66308bfbbd812334e1cf1cd5b4f84763380556fdeb7790a25f38839c6eb2189f55eedcb48ba08fa74baec25d7b74fd1403660c75f33aa1
-
SSDEEP
3072:IFLXTOKX8HIBxac8SKfbzxcwg7es6/Vsb8VKTuv:IOfoBdUhcX7elbKTu
Score9/10-
Renames multiple (59) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
5e34ceeaf60a7cdfaeee0443a87edb92115727130323314628503dfe755b9505
-
Size
49KB
-
MD5
51b8687135b216cf4c3cdb8a545540b8
-
SHA1
e5cba03649cd490b93d70a01595e18e934532bef
-
SHA256
5e34ceeaf60a7cdfaeee0443a87edb92115727130323314628503dfe755b9505
-
SHA512
c401e208b9d48ad46e4d9451ba6f8ab4e5efe99917a20774f668288830b0b8b008005af2f3a9131864c5741f1cad1c5efa677a0a8d1b6409ca75add86d98e5a2
-
SSDEEP
768:3V6573iVm2/6pG5gm8jnEU6t7+9jJJzYcHe+Z:l+yUpGa1ELt7ijJY+
Score1/10 -
-
-
Target
6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac
-
Size
74KB
-
MD5
85110da3605b25aaaa7533e2bdbdc6fb
-
SHA1
8eb6f6e0e50d1d6e496e1c3498d500e00c47b8ae
-
SHA256
6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac
-
SHA512
f49ddeb9c0ad79f5979b299fbb231f225c0e6c149633c1d1cdfe0f4d94ce2cf28ee65e17c020624dadb036c20270d343f5f869da3d01b535181e7e7aafae0312
-
SSDEEP
1536:naDpA+SIN1RWDmGN7NuoH4T+p9yF+KUFP4VuBs7hu7HU0QU9v:1lHNZuoHnyQKrVhWHLQU
Score9/10-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (2758) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
75342ada938ea71dc863ee603a075a3ff7cbd759a091879f065a849650097a76
-
Size
167KB
-
MD5
11442c43bbe7810c91a58af6d92ac810
-
SHA1
027d4ef6a11a59ca7588a6a3eed0b4ee368206a5
-
SHA256
75342ada938ea71dc863ee603a075a3ff7cbd759a091879f065a849650097a76
-
SHA512
9fef88249f11afa4bc057bbe095114273e68e962ab015b89648b0708d1dee6e822a0e0e209512ad6d9fadc57cfe1d6fbfa54a13c4e1bcb59a8881cf1fd7a64f2
-
SSDEEP
1536:XWF0Tz+2x+/m2x+kDgJF+2x+/m2x+kDgWGekNsGekNFuJGekNsGekNRl:VTz1+l+kcJF1+l+kctphp1
Score8/10-
Modifies Installed Components in the registry
-
Drops desktop.ini file(s)
-
-
-
Target
7e623dca8a26a45440c331e383ac6ce3783d5c1bd60b91ee91ce0cc5841633e2
-
Size
219KB
-
MD5
419ac67a37befc87317f2263e43bbccb
-
SHA1
9a85595a04ac9f2c2b3dbf2a3ec171fc4486e3dd
-
SHA256
7e623dca8a26a45440c331e383ac6ce3783d5c1bd60b91ee91ce0cc5841633e2
-
SHA512
5a1fcacd280ba94f5178db1934b1122cf8e4359372e09812a57ae5601060e78f38f402a24a2b04dfe2fb7f6052cecce68df0aa9f41b48db34513cade81cd1969
-
SSDEEP
3072:W5LZvmXjUjS/oewQhcyibDoO1iPN2HuzNUYi821BNL5kQdL:yLmQu/tJcToO1mNSuWYWIQN
Score10/10-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (159) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
-
-
Target
87f2db714eac44b77889c850b8b6b55e2b117c88ac8f8923b47ac89fecadab7e
-
Size
168KB
-
MD5
858f74b2c777c086eaa36d9cfd4f38d2
-
SHA1
ccc4e31495008464118c71b55e27ace1fe35736f
-
SHA256
87f2db714eac44b77889c850b8b6b55e2b117c88ac8f8923b47ac89fecadab7e
-
SHA512
c30e692885aab0bc30dba82a1ee6037b25de56027fb06564062991713e9f062c2b5d9fbcdd802aa0f7503b1ea8942bd9641b7b2299b4e341aa5f41b4739af0c5
-
SSDEEP
1536:R9vtiz8f+2x+/m2x+kDgJF+2x+/m2x+kDgWGekNsGekNFuJGekNsGekNcl:+8f1+l+kcJF1+l+kctphpS
Score8/10-
Modifies Installed Components in the registry
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
8dcb1af1e7886834252394e9710ee72b9bfa910779c4ea041831d0622efa85b0
-
Size
188KB
-
MD5
09b2ee5a8b7f20eba946d962e4408ecd
-
SHA1
855524a5905ef2d56ebc3f9ff2025802fc21b856
-
SHA256
8dcb1af1e7886834252394e9710ee72b9bfa910779c4ea041831d0622efa85b0
-
SHA512
62e5db2b05cc632595774e3d46e2fcc2682302104b92b2a608607e4067006cf457a3396a985fbe0e02b54914185f3368e72bce11e583d6aea101682b2a98d694
-
SSDEEP
3072:Y08i6o0xsBlbLCzJjgYFAzgwXiI2OMotklIXAiv9F26UoaEX:Y0IkmdMRz/in3aB
Score7/10-
Drops startup file
-