General
-
Target
samples (2) (2).zip
-
Size
11.5MB
-
Sample
240101-sladjafeg6
-
MD5
3103452bf9094d6f3ec5ddee144b821a
-
SHA1
1995b4171447b7e11302682b29c34bba4c5939f9
-
SHA256
8ed183df76d08024f15e051f4f5711535dde6372ff4beafecfff07f82e846800
-
SHA512
3559e9e28f7ba881207ba01fd0c2eedf29f91d88b7c44c938fbec73e756a39ab0e072f88072bb82365e7476f6247658f8d59147e64eee6fb825003085b4edb6f
-
SSDEEP
196608:1g0w+y495NuivJ1dlbNm5IemCPIurAW58NFfApXHUxcSeVIDF/je3ZSEMIVab0gx:1g0w+F5NuivJFbN4mCz5Uip0OFVuepWn
Malware Config
Extracted
djvu
http://zexeq.com/lancer/get.php
http://acacaca.org/test1/get.php
http://zexeq.com/test1/get.php
-
extension
.qarj
-
offline_id
VrBq0iLIRHjQLgVRLsN1WK8yFkTCRDCCvPkwnHt1
-
payload_url
http://uaery.top/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zUVSNg4KRZ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0664Iopd
Extracted
C:\odt\How_to_back_files.html
href="[email protected]
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Extracted
C:\Read_Me!_.txt
Targets
-
-
Target
samples (2) (2).zip
-
Size
11.5MB
-
MD5
3103452bf9094d6f3ec5ddee144b821a
-
SHA1
1995b4171447b7e11302682b29c34bba4c5939f9
-
SHA256
8ed183df76d08024f15e051f4f5711535dde6372ff4beafecfff07f82e846800
-
SHA512
3559e9e28f7ba881207ba01fd0c2eedf29f91d88b7c44c938fbec73e756a39ab0e072f88072bb82365e7476f6247658f8d59147e64eee6fb825003085b4edb6f
-
SSDEEP
196608:1g0w+y495NuivJ1dlbNm5IemCPIurAW58NFfApXHUxcSeVIDF/je3ZSEMIVab0gx:1g0w+F5NuivJFbN4mCz5Uip0OFVuepWn
Score1/10 -
-
-
Target
083e147374de04930caa882acaeda6df4821b75f869edb7386281f684e573c08
-
Size
1.2MB
-
MD5
26d35ecbbd980c6d2863a61914c4a1bb
-
SHA1
ce2da4baff59602905fd75d10f3ac6ac2e235337
-
SHA256
083e147374de04930caa882acaeda6df4821b75f869edb7386281f684e573c08
-
SHA512
b192b0ee326dbb690c850832e76cd31257a47f819abaa0700647be022cb340297ad4a7496b352596715425a60aa60e7f001313ee08639d748c2c453ab79e8107
-
SSDEEP
24576:h6FBigtov3pjeA+07ASgSl+YYxJuWMvV36/K+VLebSKLvBTyPj+dyqGgM0b1:2Bi53w3eqi+mfJujkyqGgHx
Score8/10-
Modifies Windows Firewall
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
12437a49d298941af8d087a1ff478a68ab4c312654153e17d598ff1c87be6b3d
-
Size
426KB
-
MD5
11db0fc2064d7c858067b99b413e357b
-
SHA1
dbfe691315009c224e3b826dfb89ac7d910a7f08
-
SHA256
12437a49d298941af8d087a1ff478a68ab4c312654153e17d598ff1c87be6b3d
-
SHA512
120153a24b079eda7a55f97b31a7827f34ee8e6a69593180f0588ebc38efcee6c7a90131af366f9c0ce55288247bf4b6ab5fd9541ed365370f1f42c279ab93d8
-
SSDEEP
12288:qntVoEco+qy0h6/id8Mq560WjLM7Ti/L6tdEyvIG9ij8e:mVdcvr0hCoV8OjvUdEyvItjd
Score7/10-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
-
-
Target
1945c44901e7aa9dd5b6e7e6e07a777d57f7e76120a3ca5a46a0f983d30ce37e
-
Size
640KB
-
MD5
fb702537f0c25b34cc2b3dfb69025a85
-
SHA1
eb8cae72ffd5361a977e186cb78fc64055748f00
-
SHA256
1945c44901e7aa9dd5b6e7e6e07a777d57f7e76120a3ca5a46a0f983d30ce37e
-
SHA512
94d2a4d9a5c689c13934bd9d2f236a421a63e90fcf6d3dd7362cbe7c64e1faacb68412b92ce743ee49e4e8adf4f91a495ccd8d0d3605e464bfccb26f31d1b843
-
SSDEEP
12288:Z2X8+SnYa6TF42coyaLlGSDVmcUjErioq8iHiB6k:cM+SnAF4Uyycj24Hs6k
Score10/10-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (495) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
-
-
Target
2040fa2a3c5b16d74442d41d224a6ab16e0290a30f0535b18cb50de6a59686d4
-
Size
400KB
-
MD5
f9665d07df05a0a7c2c6f4019d1bba20
-
SHA1
778f8bb7ba91ddf0ac9b12052d046d7f975e671a
-
SHA256
2040fa2a3c5b16d74442d41d224a6ab16e0290a30f0535b18cb50de6a59686d4
-
SHA512
cab4dae8b8534af781357df20e3f2d9522247d9b37c1afe72831b551cc218eb060fb1a7cceb158406d4d512879d06da5c9144a348a0bff077fe4f1ab20762cf8
-
SSDEEP
6144:GCpNiYHtZHYdNsToSRBoptYASydR1wWhz:THiYwvUxRBn4dHz
Score1/10 -
-
-
Target
2b5109e9a249a795a412a3961aae3e5b576a233d9681f5ec0b4d88ce009b6ed9
-
Size
701KB
-
MD5
6741d5aef031c6b1e51f386fefc1225e
-
SHA1
95ea397aed18143bc18da02c21e693c44e373f90
-
SHA256
2b5109e9a249a795a412a3961aae3e5b576a233d9681f5ec0b4d88ce009b6ed9
-
SHA512
90034da6a496dfcf2b7227b2aa585983cbe80f9a69586743eb219035c1bdab59eaa912139de0e576db2194383f1c70e16042736c1a593fd7e7a4ea93d515df5d
-
SSDEEP
12288:ZohXTLkKkP0rRl6CRHCwWshS7JUc9ouDCwI/d9V5qyBmPjCkuYDaFB:ZYTLG2U/wWRVUYoUCwCVdmr7uma
Score10/10-
Detected Djvu ransomware
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f
-
Size
332KB
-
MD5
7286267a7eeaf2c3122635c5edb71e84
-
SHA1
d342d986442a20453d3c9a438766758301d88d4e
-
SHA256
3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f
-
SHA512
8567661bc656edbacd0ca59f1d1b38cad7c3101d8d06772ae1eba9828792327cbc6b4254e5e61d2b190f4f4350c6288ac2e5c811f7a4ed0c38bc4be8ccf636f0
-
SSDEEP
6144:0LI9sGqBET+/evZ9zgDU/JSrJyhSdDXR0sVWorEriYtkD:d9JL+/eh90DU/JYUh01YtkD
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (4395) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes System State backups
Uses wbadmin.exe to inhibit system recovery.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
5d96952d473d386285f01726073d8f1ec46c983fe4c9d657babe9272330d655f
-
Size
732KB
-
MD5
9346199aa06d8fa74051e98b06cd3d26
-
SHA1
9020c5dbcb80340517916272f2479001b2bfdff3
-
SHA256
5d96952d473d386285f01726073d8f1ec46c983fe4c9d657babe9272330d655f
-
SHA512
a7e4b195c6eefa011b729deb32ffe533ef61bb2126e68272cba26ec8b2fc49b3e75327abb9f916530db911a1b7854020234300a02c87c65d6cd89b661ce18f58
-
SSDEEP
12288:FEIJVxZIpeKXqWdXoeSPEWOSNXCdepyeEPbObcy9BwoWNffeKuIhQ+0F:F3VxZIprXqWdXoDPEWO8XCdebcONXwoy
Score10/10-
Detected Djvu ransomware
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222
-
Size
924KB
-
MD5
ec9c3efe831aaa203058927df7de6138
-
SHA1
b77581e047551a70aaba0db7a57349136bd9e411
-
SHA256
63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222
-
SHA512
0d5aedcebaa660f345c549b9ae07b4d18fc01b563907b378c1cd905029bb0c6f6849e0f03c7c4a724c3448eb9c693138265a0b0129a298af3aada9bb0f447d6a
-
SSDEEP
12288:tZqu3sRwqpxGCMF3dera2ybCPWy5SqZWj+6GJZy82VS1ToBgdoByOHGae0r2ivr:B3yEoro2PEpUA
Score7/10-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
-
-
Target
67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08
-
Size
416KB
-
MD5
bd4ea1c3cb843597d5b3a560f95840bb
-
SHA1
f81c504435d27e6a502acee3d1834121517ea194
-
SHA256
67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08
-
SHA512
7ac8ef4f1f6f9aab30ea183e5377b6bdd617f7c18af86cdde4da8f2e8528835faf659b9fad8b8bffc22b98b4659967f013155c257feedddfaf9b332dd77c565a
-
SSDEEP
3072:1VAz+HYRuV4ek4gX/am6/iQ0ET1fY/Tnib6qICONXvm0JZxkW5QGmwFp+1mSZoNJ:7c+HY0n/p0VTJq+9wm0sfi4J
Score3/10 -
-
-
Target
6e5678ebd457353b7c095af806f92b5f54341bbfa2c8d3f5ab03b84483013271
-
Size
578KB
-
MD5
e7818e26919dc4f84c6ac683f78eba88
-
SHA1
47456d3f78c33e67b6d366bbff5c3896e5925527
-
SHA256
6e5678ebd457353b7c095af806f92b5f54341bbfa2c8d3f5ab03b84483013271
-
SHA512
95fff6c2e9428aa088f3c5565fbc52af14e53c2b58e402983947af0be3334618082775e78fd7901c8ec7b7556bda5bc9551a339ceaf2ecd651b160e3edc3b8f7
-
SSDEEP
6144:ZVKpftK2A7ey6z20IJH4tsqtHJWj7pLoNam7nxDrMQW3dLG5wCNcKR4ce4NLfHxH:9R7eVI4tscJWC5Bq3d65wC8TO
Score3/10 -
-
-
Target
71506a3322b0e0bc6fc2c1a1f0ac844a82a8c3fbbfeb4e6452013b4ade7610fb
-
Size
597KB
-
MD5
ee754ea777505e2fd2870afb325f50e8
-
SHA1
be8724e9bd48665ae0c6eedbaf8de23e5987dc45
-
SHA256
71506a3322b0e0bc6fc2c1a1f0ac844a82a8c3fbbfeb4e6452013b4ade7610fb
-
SHA512
a6b4acf8c94f1284458a950582ef18adfeac1496e26f537ea21c22f3574b3cffa48e547ea1b9804c45633e12b53c3f1ac1e2d536e150c84ddcbfc9223f525d85
-
SSDEEP
12288:td5UKfiOLkxMAgyJ/4zBSqGuKCYminksnkyr2OMnVVs4OgcwdPsc:X5LAHPDuKC8n/dCD9Zsc
Score10/10-
Detect ZGRat V2
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
734b9974ec7f673460deb7ae17af4eed0ad6fae862f0765068430050fc44d66d
-
Size
804KB
-
MD5
3bf9acee0ccca5d14b24d3d148e9e77d
-
SHA1
e8f53145aad88480e9a055a4549aa5eaa631a51c
-
SHA256
734b9974ec7f673460deb7ae17af4eed0ad6fae862f0765068430050fc44d66d
-
SHA512
0a5bdab9e3c2aaf835d2263f4658a5c0e5021eed402e976d0e7e89dab41416ba3cd5767980396d769d0f6a993d5f0ff3294dcdfc7189c45480ef7a366961a63e
-
SSDEEP
12288:miDzq+QQi5v6xH8HeYkqBeJEk3QgO92TWQunZxpFremjq8txlr:Hzq+Q3F6xHAJkEkAd9cuZfTO8Rr
Score10/10-
Detected Djvu ransomware
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740
-
Size
1.1MB
-
MD5
7d1c7ce6a2f202bb5df3f45c7f62bac3
-
SHA1
50a9f5b3130b14d5a18b418e9c355586eaecf4fb
-
SHA256
81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740
-
SHA512
48b20444b0d72a37ecbed0969e2a9d9be3efc51d75e1283bc755cad10068fb40055430dc1fc4b295aae3d31d71de86d84b4f1c29da8636a3ef0baf014eaf82cd
-
SSDEEP
24576:RsBH9jqVwCwh/RICu4upRwIzAKXRYVN2uaj7MM1By+hm:uH9jJ9RspRwIDRiJak2By+hm
Score10/10-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies Windows Firewall
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
-
-
Target
a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46
-
Size
740KB
-
MD5
b0475c2ee7b9c7f2ed5a8d6d8a8c4b5d
-
SHA1
18845f37a2ffa83d62eed48f608019b1200f5ee2
-
SHA256
a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46
-
SHA512
6b860b7e7ed3f2e459e825df5e4c7d2e571c1b6dd922d8b57aeda1842463f66742e7365687ec45bc348efdde27441960f04e42b94e796fa80ef9383a7ad0cc47
-
SSDEEP
12288:aSVJ90fbghORSIZgVf4wYDfpCwmx1jGHL+gQqGjcj366YEwrJUDHeW9:aSVGbghTVf5FXqIqGjcj36gYnW9
Score10/10-
Detected Djvu ransomware
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
a465bc08714bc760130a3f150a704df2f08af083b2aaf0c931e714019f3769e3
-
Size
408KB
-
MD5
39b1a5e9d1c343a1a2a29247f9ec5699
-
SHA1
5e6f9e075d196de2613f8023a672f1e72fce331e
-
SHA256
a465bc08714bc760130a3f150a704df2f08af083b2aaf0c931e714019f3769e3
-
SHA512
b4611ded931f492d28d6da42062d891483656e6b5983e349e54b3dfb200f43c29bef3f5b53b13c3e18d449f1b0ab0c2859235411b9287b37439b83be2aa91688
-
SSDEEP
12288:jueNLldLN97ji4pSc9B/CfvgLMfedSaPLaz7hyViDK:juqldL/3da9fqhaz74V
Score6/10-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Indicator Removal
3File Deletion
3Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1