dharma

Sharing

Copy URL

Twitter E-mail

General

Target

samples (2) (3).zip
Size

2.1MB
Sample

240101-sk786sfeg4
MD5

ef77a8926ba8419c886a9862e064eb7f
SHA1

a12d66fca51f2ceb0a0d631f84924678b6481e48
SHA256

ef99a1844cbf354868a70cdcc2584ec94ffceafc4ffcd3a6b5563fa1d632844e
SHA512

a7f86c90e2734d1033eb5afd814b554c92bbd30128b02183d5cba689e7ac0b2c065eed9534cfac689e7bc6a405718fec8b567cbaf8e8711a791f707d2cc4f315
SSDEEP

49152:bGKM2Bb45hv8YJbPp38tBHjgq6/IyKU7UIk0EaQLeM+AZHDQl:bGKM2BU5hvbJbhOEq6MU7UIkxaQqMvy

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message C2E90A1A In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  samples (2) (3).zip
- Size
  
  2.1MB
- MD5
  
  ef77a8926ba8419c886a9862e064eb7f
- SHA1
  
  a12d66fca51f2ceb0a0d631f84924678b6481e48
- SHA256
  
  ef99a1844cbf354868a70cdcc2584ec94ffceafc4ffcd3a6b5563fa1d632844e
- SHA512
  
  a7f86c90e2734d1033eb5afd814b554c92bbd30128b02183d5cba689e7ac0b2c065eed9534cfac689e7bc6a405718fec8b567cbaf8e8711a791f707d2cc4f315
- SSDEEP
  
  49152:bGKM2Bb45hv8YJbPp38tBHjgq6/IyKU7UIk0EaQLeM+AZHDQl:bGKM2BU5hvbJbhOEq6MU7UIkxaQqMvy
Score

1^/10
behavioral1 behavioral2
- Target
  
  100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48
- Size
  
  308KB
- MD5
  
  e2982778434438cce87e6f43493d63ce
- SHA1
  
  1927c6f73714a3d06d379d2bc4693e7a970d5cea
- SHA256
  
  100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48
- SHA512
  
  47e51150b308109e218949cfe80160706bca06f2ba9b2ffac27e36db35a2ead729766afc09936d020cde20e0678a7c912d1ed59a6295fe9bcceb17f2b12b2248
- SSDEEP
  
  6144:j09jZMz/y1rekkCkVg+AW93YVfhZR3MM+SYRQlsQc0EJroJ:AXC/FkdkVg9WlufR3MM+PRQvcZ
Score

1^/10
behavioral3 behavioral4
- Target
  
  16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49
- Size
  
  207KB
- MD5
  
  8d0a312773a8475e499b7f879cfe8ece
- SHA1
  
  7aa2568f464780f85dafd385a6ff82d79ea6379f
- SHA256
  
  16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49
- SHA512
  
  a7cbd19806e8832ef687ccf01debf3db4c0afb9e631379e2200c7da5144fd40146508b2c9685bddadf620491bff5f30f910ab0d6c900fc34bfb0893dcd78d953
- SSDEEP
  
  3072:5M+lmsolAIrRuw+mqv9j1MWLQBexM+lmsolAIrRuw+mqv9j1MWLQ:S+lDAAYx+lDAA
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral5 behavioral6
- Target
  
  2727dde7418284bd2b16a032346a9c6921cbfb5e950ad21c9468792b71ee3898
- Size
  
  77KB
- MD5
  
  e076f267e066671604177ee2f4f406f9
- SHA1
  
  ca09b5cdbb6c4f12f8b1486ed282f64e6c0d64b9
- SHA256
  
  2727dde7418284bd2b16a032346a9c6921cbfb5e950ad21c9468792b71ee3898
- SHA512
  
  f4d65ba7a7afee6335c10a178a5536f6f1a2255a9eeddbb34b6f6b4b87fe6f91354a883bdba1657311f240b88ba1496e51e04999681bcd2543da5ca8016408d8
- SSDEEP
  
  1536:7ClodSIRar0dQMLPRNqC3P0btbqJYl6i9Fp9glI792Li/yuUBQs:2aQIYQOYPtY6pi9we2sd
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (2120) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  29dd920ac1453b5be12fcef5af45690dbbe625e985f6692e237a057e832937e5
- Size
  
  67KB
- MD5
  
  26838a257e64a6c6dfeb1d49f3fe114f
- SHA1
  
  105c02e87551ccdb00b27eb939dae094a418fa29
- SHA256
  
  29dd920ac1453b5be12fcef5af45690dbbe625e985f6692e237a057e832937e5
- SHA512
  
  6e71bc97e0d1d9d64f85e30d0c6a0cd8f8e9f503496962cda8a694fdd90930ccae289132aba2fbd61eefc782298399deacc20a49476a8775811191423c639174
- SSDEEP
  
  1536:diEmjO9wAM2Cq6Av4YHLV1zbYnGJ0+FonVZ4iD5aJxuNRj6W8Q:6UwAMQTv7p1zEG6+sVBKWR
Score

1^/10
behavioral10 behavioral9
- Target
  
  2001.exe
- Size
  
  138KB
- MD5
  
  b9272a777740d1b5796cc6eaf7eff252
- SHA1
  
  43526f39d742bb421ebe2514fa1e7bee2ec0f86d
- SHA256
  
  df93154c63aeea6a56d0f2b4c89d424f38897c2a43d756495efa4cfa69f87aa4
- SHA512
  
  2e19dd25e46400878b6fcecceb8a7f650a996e47f8b785f3a63e640710951a4a8fe6991842879d1959b65f59f25ccefc76b39bd9d46fa62e3acb5d5a481544bc
- SSDEEP
  
  3072:1ZO75plD368W/5SeiLHpV3IhzfW+3g70XdlqgDuYUB/vemeeCLdJLVd:1C5px3HW/3iLHpV4hzu+jd7uYU5JexTd
Score

9^/10

ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (266) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral11 behavioral12
- Target
  
  3c5ffe21fd24c4daf62f5190d96e65bf7a25232ef9ec956a77db910e90750017
- Size
  
  64KB
- MD5
  
  460a2e4418cadbbb91513e4908ab765c
- SHA1
  
  4bf64187179ba81f7ed6295d30079c8bd56d9148
- SHA256
  
  3c5ffe21fd24c4daf62f5190d96e65bf7a25232ef9ec956a77db910e90750017
- SHA512
  
  59e730bf6bd6a18fd287da1d205f197b46620415ad228953333b6a98b3e64dccb4b52a4c86b0f4f335678418a64757ea4425d70ec54f2deefb1db4ab5edc759a
- SSDEEP
  
  768:y6xnBtviPDs6zWgjU7p6iViakLi05kToZ0uoKKJKr9jlQJZVLfUlAvHm:1tvn6zxuZkLpP6uoW9azVfUee
Score

1^/10
behavioral13 behavioral14
- Target
  
  48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420
- Size
  
  53KB
- MD5
  
  13bfc9705ee633aec38f4ccffdca471c
- SHA1
  
  bfa8395e872262b95bb218b9834edd90ab2cff5e
- SHA256
  
  48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420
- SHA512
  
  c900e5dd21c35c2ff875b3d209bff0da0d52468d48dc17324401f5646bf7bdcbeec460085e8abad222dfb30bd85e2c3d214dce80e2de567cb6ddee217999be6e
- SSDEEP
  
  768:1xPUSvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5NID:1lHeytM3alnawrRIwxVSHMweio3jI
Score

10^/10

globeimposter persistence ransomware spyware stealer
- GlobeImposter
  GlobeImposter is a ransomware first seen in 2017.
  ransomware globeimposter
- Renames multiple (8113) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral15 behavioral16
- Target
  
  568a79ce585dac32af237cb187b663cb6d2e4f594d66860c7ea1b3c66e4b7919
- Size
  
  78KB
- MD5
  
  0163a114f3cd11d4a2d3c1374bf4878d
- SHA1
  
  96b9b8510641a18f7920f48078087001a16db568
- SHA256
  
  568a79ce585dac32af237cb187b663cb6d2e4f594d66860c7ea1b3c66e4b7919
- SHA512
  
  0104fedf9a6cc994a267f743c8fa3324af388e2191dec5aff1eedf7345a1d0bbb4829db2b846dd6f7e63e2e4c04aaa0d315ed8b7361c8fbbd8b9f0096e90cba0
- SSDEEP
  
  1536:freiQwer+Gu3gzQ6qOAI2PneemZcsABvYPpXUJqnwBWH9R1X3Jq5:yiPGu34Q6pAgeJsOOYByXHJ
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (482) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral17 behavioral18
- Target
  
  57de0d2d5945db11d6c845459419a1b48a5cf415a7a0866c40b03afaec6fb4fe
- Size
  
  108KB
- MD5
  
  04bd0a129ac331d598a08c88f3b99089
- SHA1
  
  e2b18d04541e93c7e2c871849061dcea5a77dc95
- SHA256
  
  57de0d2d5945db11d6c845459419a1b48a5cf415a7a0866c40b03afaec6fb4fe
- SHA512
  
  82495d4d2d1319d52e66308bfbbd812334e1cf1cd5b4f84763380556fdeb7790a25f38839c6eb2189f55eedcb48ba08fa74baec25d7b74fd1403660c75f33aa1
- SSDEEP
  
  3072:IFLXTOKX8HIBxac8SKfbzxcwg7es6/Vsb8VKTuv:IOfoBdUhcX7elbKTu
Score

9^/10

ransomware spyware stealer
- Renames multiple (59) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral19 behavioral20
- Target
  
  5e34ceeaf60a7cdfaeee0443a87edb92115727130323314628503dfe755b9505
- Size
  
  49KB
- MD5
  
  51b8687135b216cf4c3cdb8a545540b8
- SHA1
  
  e5cba03649cd490b93d70a01595e18e934532bef
- SHA256
  
  5e34ceeaf60a7cdfaeee0443a87edb92115727130323314628503dfe755b9505
- SHA512
  
  c401e208b9d48ad46e4d9451ba6f8ab4e5efe99917a20774f668288830b0b8b008005af2f3a9131864c5741f1cad1c5efa677a0a8d1b6409ca75add86d98e5a2
- SSDEEP
  
  768:3V6573iVm2/6pG5gm8jnEU6t7+9jJJzYcHe+Z:l+yUpGa1ELt7ijJY+
Score

1^/10
behavioral21 behavioral22
- Target
  
  6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac
- Size
  
  74KB
- MD5
  
  85110da3605b25aaaa7533e2bdbdc6fb
- SHA1
  
  8eb6f6e0e50d1d6e496e1c3498d500e00c47b8ae
- SHA256
  
  6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac
- SHA512
  
  f49ddeb9c0ad79f5979b299fbb231f225c0e6c149633c1d1cdfe0f4d94ce2cf28ee65e17c020624dadb036c20270d343f5f869da3d01b535181e7e7aafae0312
- SSDEEP
  
  1536:naDpA+SIN1RWDmGN7NuoH4T+p9yF+KUFP4VuBs7hu7HU0QU9v:1lHNZuoHnyQKrVhWHLQU
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (2758) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral23 behavioral24
- Target
  
  75342ada938ea71dc863ee603a075a3ff7cbd759a091879f065a849650097a76
- Size
  
  167KB
- MD5
  
  11442c43bbe7810c91a58af6d92ac810
- SHA1
  
  027d4ef6a11a59ca7588a6a3eed0b4ee368206a5
- SHA256
  
  75342ada938ea71dc863ee603a075a3ff7cbd759a091879f065a849650097a76
- SHA512
  
  9fef88249f11afa4bc057bbe095114273e68e962ab015b89648b0708d1dee6e822a0e0e209512ad6d9fadc57cfe1d6fbfa54a13c4e1bcb59a8881cf1fd7a64f2
- SSDEEP
  
  1536:XWF0Tz+2x+/m2x+kDgJF+2x+/m2x+kDgWGekNsGekNFuJGekNsGekNRl:VTz1+l+kcJF1+l+kctphp1
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
- Drops desktop.ini file(s)
behavioral25 behavioral26
- Target
  
  7e623dca8a26a45440c331e383ac6ce3783d5c1bd60b91ee91ce0cc5841633e2
- Size
  
  219KB
- MD5
  
  419ac67a37befc87317f2263e43bbccb
- SHA1
  
  9a85595a04ac9f2c2b3dbf2a3ec171fc4486e3dd
- SHA256
  
  7e623dca8a26a45440c331e383ac6ce3783d5c1bd60b91ee91ce0cc5841633e2
- SHA512
  
  5a1fcacd280ba94f5178db1934b1122cf8e4359372e09812a57ae5601060e78f38f402a24a2b04dfe2fb7f6052cecce68df0aa9f41b48db34513cade81cd1969
- SSDEEP
  
  3072:W5LZvmXjUjS/oewQhcyibDoO1iPN2HuzNUYi821BNL5kQdL:yLmQu/tJcToO1mNSuWYWIQN
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (159) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral27 behavioral28
- Target
  
  87f2db714eac44b77889c850b8b6b55e2b117c88ac8f8923b47ac89fecadab7e
- Size
  
  168KB
- MD5
  
  858f74b2c777c086eaa36d9cfd4f38d2
- SHA1
  
  ccc4e31495008464118c71b55e27ace1fe35736f
- SHA256
  
  87f2db714eac44b77889c850b8b6b55e2b117c88ac8f8923b47ac89fecadab7e
- SHA512
  
  c30e692885aab0bc30dba82a1ee6037b25de56027fb06564062991713e9f062c2b5d9fbcdd802aa0f7503b1ea8942bd9641b7b2299b4e341aa5f41b4739af0c5
- SSDEEP
  
  1536:R9vtiz8f+2x+/m2x+kDgJF+2x+/m2x+kDgWGekNsGekNFuJGekNsGekNcl:+8f1+l+kcJF1+l+kctphpS
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral29 behavioral30
- Target
  
  8dcb1af1e7886834252394e9710ee72b9bfa910779c4ea041831d0622efa85b0
- Size
  
  188KB
- MD5
  
  09b2ee5a8b7f20eba946d962e4408ecd
- SHA1
  
  855524a5905ef2d56ebc3f9ff2025802fc21b856
- SHA256
  
  8dcb1af1e7886834252394e9710ee72b9bfa910779c4ea041831d0622efa85b0
- SHA512
  
  62e5db2b05cc632595774e3d46e2fcc2682302104b92b2a608607e4067006cf457a3396a985fbe0e02b54914185f3368e72bce11e583d6aea101682b2a98d694
- SSDEEP
  
  3072:Y08i6o0xsBlbLCzJjgYFAzgwXiI2OMotklIXAiv9F26UoaEX:Y0IkmdMRz/in3aB
Score

7^/10
- Drops startup file
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

Executes dropped EXE

Deletes shadow copies

Renames multiple (2120) files with added filename extension

Drops startup file

Adds Run key to start application

Deletes shadow copies

Renames multiple (266) files with added filename extension

Enumerates connected drives

GlobeImposter

Renames multiple (8113) files with added filename extension

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Deletes shadow copies

Renames multiple (482) files with added filename extension

Drops startup file

Loads dropped DLL

Adds Run key to start application

Renames multiple (59) files with added filename extension

Reads user/profile data of web browsers

Deletes shadow copies

Renames multiple (2758) files with added filename extension

Drops startup file

Loads dropped DLL

Adds Run key to start application

Modifies Installed Components in the registry

Drops desktop.ini file(s)

Deletes shadow copies

Renames multiple (159) files with added filename extension

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Modifies Installed Components in the registry

Drops desktop.ini file(s)

Enumerates connected drives

Drops startup file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32