fantom

Sharing

Copy URL

Twitter E-mail

General

Target

samples (2) (4).zip
Size

178KB
Sample

240101-slctnafeg8
MD5

127074b5c874dc8036bc064035fd65bd
SHA1

42402b16f49fbba92d618ffdf297ec7162a59f94
SHA256

336be3a20ae8a36962ffd26b1ec7fb0ec2274a860dd9423b16ff817d29f1908a
SHA512

d5f3713f2e722dae24b5cffdbbd8a9d2b6f37846563fabe817819f49ab4fe1434888d80b595d07b1c6593261521272e1eb9e4ca5b462404c6a22b1de58d73bb8
SSDEEP

3072:ExDKUccaIpianzKvhPXdryP+BMHnQpkyPbxiqKSycupeLNLur07by9+DmTpH:EozIpiaMptrynHQpdzfKaA6yimZ

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DECRYPT_YOUR_FILES.HTML

Ransom Note

<div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <div> <div style="text-align: center;"><strong><img src="http://img07.deviantart.net/b958/i/2012/173/1/5/fuck_society_by_florinbrl-d54eqhq.jpg" alt="" width="500" height="250" /></strong></div> <div style="text-align: center;"> </div> <div style="text-align: center;"><strong>All your files have been encrypted with Fuck Society Ransomware</strong></div> <div style="text-align: center;"> </div> <div style="text-align: center;"><strong>YOU HAVE 5 DAY TO MAKE PAYMENT OR ALL YOUR FILES HAVE BEEN DELETED!</strong></div> <div style="text-align: center;"><strong>For each file unique ,strong key. Algorithm RSA4096 look at https://en.wikipedia.org/wiki/RSA_(cryptosystem) </strong></div> <div style="text-align: center;"> </div> <div style="text-align: center;">-All your attempts to restore files on their own, lead to the loss of the possibility of recovery and we are not going to help you.</div> <div style="text-align: center;"> </div> <div> <div style="text-align: center;"><strong>Your unique ID for decrypt:</strong>       <strong>505064e8-1f21-48a5-9c26-f3a774f4319e</strong></div> <div style="text-align: center;"> </div> <div style="text-align: center;"><strong>FOR DECRYPT YOUR FILES , BUY YOUR UNIQUE DECRYPTION CONFIG:</strong></div> <div style="text-align: center;"><a href="https://satoshibox.com/r557zcj83k6gppy5rxbj3yqj/buy">https://satoshibox.com/r557zcj83k6gppy5rxbj3yqj/buy</a></div> <div> </div> <div>                                                   <strong>  In file you find link to decryptor , and link to decryption config file</strong></div> <div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <div style="text-align: center;"><strong>Make your Bitcoin Wallet on:</strong></div> <div style="text-align: center;"> </div> <div style="text-align: center;"><img src="http://bittrust.s3.amazonaws.com/1437541807.png" alt="" width="300" height="100" /></div> <div style="text-align: center;"> </div> <div style="text-align: center;"><strong><a href="https://www.coinbase.com/" target="_parent"><img src="https://forum.bits.media/uploads/monthly_08_2014/post-9579-0-08769900-1409248426.png" alt="" width="400" height="93" /></a></strong></div> <div style="text-align: center;"><strong><a href="https://blockchain.info" target="_parent"><img src="http://www.obzorbtc.com/wp-content/uploads/2015/12/Blockchain-Logo-Blue6.png" alt="" width="400" height="117" /></a></strong></div> <div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <div style="text-align: center;"><strong>YOU CAN BUY BITCOINS ON:</strong></div> <div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <a href="btc-e.nz"><img style="display: block; margin-left: auto; margin-right: auto;" src="https://change-wm.com/wp-content/uploads/btc-e-bitcoin-exchange.png" alt="" width="400" height="139" /></a></div> <div> <div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <div style="text-align: center;"> </div> <div style="text-align: center;"> <a href="https://localbitcoins.com"><img src="http://cryptoboom.info/002img/2014/btc/btc-038.png" alt="" width="400" height="136" /></a></div> <div style="text-align: center;"> </div> <div style="text-align: center;"><strong>AND OTHER EXCHANGE SITES.</strong></div> <div style="text-align: center;"><strong>  </strong></div> </div> </div> <p> </p>

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://188.241.58.24/zae/br.css

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
123456aA@

Targets

- Target
  
  samples (2) (4).zip
- Size
  
  178KB
- MD5
  
  127074b5c874dc8036bc064035fd65bd
- SHA1
  
  42402b16f49fbba92d618ffdf297ec7162a59f94
- SHA256
  
  336be3a20ae8a36962ffd26b1ec7fb0ec2274a860dd9423b16ff817d29f1908a
- SHA512
  
  d5f3713f2e722dae24b5cffdbbd8a9d2b6f37846563fabe817819f49ab4fe1434888d80b595d07b1c6593261521272e1eb9e4ca5b462404c6a22b1de58d73bb8
- SSDEEP
  
  3072:ExDKUccaIpianzKvhPXdryP+BMHnQpkyPbxiqKSycupeLNLur07by9+DmTpH:EozIpiaMptrynHQpdzfKaA6yimZ
Score

1^/10
behavioral1 behavioral2
- Target
  
  10d1a82f3c458f2a84c28d6b01cab731904f62a1f0a07c3797aadaad05cf4a61
- Size
  
  13KB
- MD5
  
  7afa1f01d6379816b3804eaf5e6c947e
- SHA1
  
  d09884ffaecb897424befd1cc5c4fc2d917e7897
- SHA256
  
  10d1a82f3c458f2a84c28d6b01cab731904f62a1f0a07c3797aadaad05cf4a61
- SHA512
  
  50a0c21f033e187a5a0196b2bfc6408b0eaf060c4d7a95caf1cf586ba3ee272f732472a64909ad2dc2dbb1042e6a4d87587e7ab2b85fb297ba53689555f70cae
- SSDEEP
  
  192:P7XiWb0V1OY8bsDWb93zk6QYGzewBdIAEiG8eArADCfq4t+zJSm2T3rciu:P7NbiO3bsDWh31Q7ewBdBEQVECwYD
Score

1^/10
behavioral3 behavioral4
- Target
  
  133dd26c0a6bfbbbe309a845d6f0f382345bdb31595474eb57138ea34c4ddbf0
- Size
  
  32KB
- MD5
  
  02669bb4920f01b688d66a13b0c89ff8
- SHA1
  
  61cb7e7bfd29dda1b430a7efd2c911774eb21ec6
- SHA256
  
  133dd26c0a6bfbbbe309a845d6f0f382345bdb31595474eb57138ea34c4ddbf0
- SHA512
  
  ee3b6b340005ae3c4449fa42082a2a6ca10df3ca5402971023c773ce0e50023fd54acd5ee60ab8587988812269efde26a9b66aab000fbb8df50e9105e80a43a6
- SSDEEP
  
  384:mlI2Fg+LNTrepswOk+k6b/tNPyzlZcmnvyl5Zc8gED+dPHaYxzEPh9rTxyJW/pZW:mdrL6T+nb1nhYNwyc
Score

10^/10
behavioral5 behavioral6
- Target
  
  1ab3aad04e0eb2c5a15d3e5a576cd3d3e6b1546852ea653cd4369da19a940e7d
- Size
  
  20KB
- MD5
  
  ea5036a0250a959218154f90a3a461f5
- SHA1
  
  ee0141f5cf1201ed80122523e3032a5c3162bea0
- SHA256
  
  1ab3aad04e0eb2c5a15d3e5a576cd3d3e6b1546852ea653cd4369da19a940e7d
- SHA512
  
  1a36a3650833c087b901e6ff81c143107c95c5016e74d68ce4e1f2cf98bbe5c3cbb3d709c62ad305a784366eed719da124de6899046cd93ef08529c0d607072f
- SSDEEP
  
  384:+MoKzlGLrP6n1hljg4NiXb9EA4Nf3BqIrOgA8PAV8waFbrY0BxTC/:+cUrCn1njg4mR4h3BlxPO8RF1nM
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral7 behavioral8
- Target
  
  1ad4c9e3d0e04e7f1e32e196ea1e87ed64237485baab4cfa4b07eed44d4b347d
- Size
  
  39KB
- MD5
  
  73a4cf1512fc097fc28b6b75915b34bf
- SHA1
  
  c206a0752390094748034531abf149aeef83ce24
- SHA256
  
  1ad4c9e3d0e04e7f1e32e196ea1e87ed64237485baab4cfa4b07eed44d4b347d
- SHA512
  
  17061c2f7df3ef9e0a95fd439969ddfd47159f6d1f42a4e501f7185c31dfc965ff4b41496430f44cbad6439896b0b567ffe8e5e5f37097ac9fc22b1d1902f1d7
- SSDEEP
  
  768:PX/SjOoWkgdlU6fuC1Z3HRMizOcS9JT0jxsOpbDT82St6dh7yenMn:WOoWFfH11xMl9JgjxVb/+IxMn
Score

1^/10
behavioral10 behavioral9
- Target
  
  27cc1f6adc3a24ab7dc29c38082e69b0e3993e8a88d91804f88282c240fcac35
- Size
  
  618B
- MD5
  
  a26d073649e0beadc89e3693b5828d4e
- SHA1
  
  8ef2c96d6a48f1a4731c9b752ec37c925f9c5e3b
- SHA256
  
  27cc1f6adc3a24ab7dc29c38082e69b0e3993e8a88d91804f88282c240fcac35
- SHA512
  
  001ab2d3d02df410ed41b7fce30cd51ffbddad4a7523546b8515ca125846b25fa06986a42419f272750f76245cd892fb1a96b4a0a3675aa9f3157f330a32a400
Score

8^/10
- Blocklisted process makes network request
behavioral11 behavioral12
- Target
  
  35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31
- Size
  
  27KB
- MD5
  
  c07f470b64e08cbd00007511018aae5d
- SHA1
  
  8cc03df9554f3f2b88f9a416908aa2e35c0ef386
- SHA256
  
  35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31
- SHA512
  
  21472125818d699a7da51cb765f3364a1f8b696a4fdbb4f8c6d9572f49e3858fac84fe76d796d1488b64ecb590ad74b9db950071420815879408c6ca5e3a10f5
- SSDEEP
  
  768:lYIyiTHKDpYIvJbEoc59Rdh7dQV6kzZt5txJc49WQ:UimJbEj59JpQV6kzZ3Jc49Z
Score

10^/10

ransomware fantom spyware stealer
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (994) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral13 behavioral14
- Target
  
  3716dc17e97ffefeeec3508acb79e19beda5d030220c070f62309cafc7a3fac6
- Size
  
  5KB
- MD5
  
  67296356788ec603951d71c89d48808d
- SHA1
  
  2eff5724d585bf8721dadb2c32113351e839608c
- SHA256
  
  3716dc17e97ffefeeec3508acb79e19beda5d030220c070f62309cafc7a3fac6
- SHA512
  
  a98a6dd43781986d8067d04e2f7b5954e32fabb66e63656ec409f84dd1378b4d3876433cfc9810e5b45381cd4808c1040e2bb8d1f7a5d2f6fae44c57cc25c5ce
- SSDEEP
  
  96:wpMd5wb6QG3OIyfoOWzmx6VbUt5KRpbegtsWs:wyvOG3OIMLWzI4E4ZZts
Score

3^/10
behavioral15 behavioral16
- Target
  
  5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e
- Size
  
  7KB
- MD5
  
  0094f931121b4047ee8c22a04f005d7f
- SHA1
  
  36c641e9803593af2d05e1e147c13b1219a7146d
- SHA256
  
  5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e
- SHA512
  
  2bf4774e48019a466b2e88c98f4e7863e208d456dd3a547bcc4f82b22f01d29f38aa736e48c378ee0ab66465fc6bdda4f95220136f7fe847a6e48afba8b36eb5
- SSDEEP
  
  96:fk+1m1B538+8xvpLXppvYExBrwbfLbnstTDhv0dWAwCzNt:ckmvCHpLXDvYExBrworKWfk
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops desktop.ini file(s)
behavioral17 behavioral18
- Target
  
  70f166f51e58ef7651a6e567404c71e499d9c2b6e01fc6ae176fd290e91f3aad
- Size
  
  31KB
- MD5
  
  87c3f1f322b6ca9f96ef6fd5737ec0ce
- SHA1
  
  621e5aa579a1fbcc8f81cd5ff0390608fde82057
- SHA256
  
  70f166f51e58ef7651a6e567404c71e499d9c2b6e01fc6ae176fd290e91f3aad
- SHA512
  
  3db7047fdf8b5e1aed619cca544e35ae128e47afef2786c91e4ea3a9a259e17d058a4b9a839caf83305725b1d9bfe522c0550e1642cb4e849285317a7a290d27
- SSDEEP
  
  768:9Ta1JHCQtOG/UbNjCVXdgbcoC+qDd32DOT:9Ta11t4JKXdgbcoC+w1T
Score

1^/10
behavioral19 behavioral20
- Target
  
  93dc1dee6b92da2fe38858162e039eb54ce5e109286432cb3a55c06818eff61a
- Size
  
  20KB
- MD5
  
  d0f8b99970cbe34b5fe6492d66340edf
- SHA1
  
  05953d775679f3effed1cbeb429218797899a62d
- SHA256
  
  93dc1dee6b92da2fe38858162e039eb54ce5e109286432cb3a55c06818eff61a
- SHA512
  
  718b8dd293806ee92f43f560dac3ebc48d27f7483b97aacd13f17b83e13e251d7e2d10b5f98f1ec61b3536d9de49e7ab09050d75d227429bcaaffbed1bdc8121
- SSDEEP
  
  384:gpabv3H87wzhdfl5COJNnZf1l4StghfeTqKrLWj:gpytzhdflQOJ3fwSasp2
Score

10^/10
- Blocklisted process makes network request
behavioral21 behavioral22
- Target
  
  a37f77fafa3df072332dcf2b15d5d91182b3a1a430912e13320cd6148ca8f458
- Size
  
  4KB
- MD5
  
  7b236baaa638ff8cf34ea407e8a059c2
- SHA1
  
  701e269027a1e96755d8378094f69dae3a6bf6fa
- SHA256
  
  a37f77fafa3df072332dcf2b15d5d91182b3a1a430912e13320cd6148ca8f458
- SHA512
  
  9b4fde2613426d425d63a4e928d5161dd4c2e808344261cdf6e9d158f81e160c483000b07645599c9d808e54676f4f8ff5db391fd462c0d9f1ccccd4342f3102
- SSDEEP
  
  96:1S9yJDHqLYLMU07qeoEiJDv8nYASXQgJ8w8ExCRboCXCkCXyCqQdVj0CL:g9/LYLi8/FASXQgJ8vEcRzyrXytQdVl
Score

1^/10
behavioral23 behavioral24
- Target
  
  b875cc39a6933b5a96ec292403ea2fa59788658f825b7fd0b66bffc1a6b09395
- Size
  
  8KB
- MD5
  
  1f374431d5cc7f30b6e582b29990c3ca
- SHA1
  
  756136a15a244fa8a845b1d2888a6b51e22109a1
- SHA256
  
  b875cc39a6933b5a96ec292403ea2fa59788658f825b7fd0b66bffc1a6b09395
- SHA512
  
  6bc179b9743a66a648b9427d365104ccd667306b59068acfcc4284f3b0b3679f21eb664e5f1f5ba87e2f8156854fcfb1ef78d0fe52cb9a11a82d1193ba8eed9b
- SSDEEP
  
  192:oqLDmKxwjg1AO19yjn93UTW5lY8epXy6HN7RbrQ/6/2swA/vQ:aCwj3O10z9ETt8epXHnQhswAXQ
Score

8^/10

spyware stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral25 behavioral26
- Target
  
  b906da71fe22e6e987afe2a70b14aa64cbff3b1049e7779db392b542856452be
- Size
  
  40KB
- MD5
  
  dbac4f4e6c9ef15ccda593ced4408b17
- SHA1
  
  07a57ee0e25006a1bb0f3bab9fc4876ae9127fdc
- SHA256
  
  b906da71fe22e6e987afe2a70b14aa64cbff3b1049e7779db392b542856452be
- SHA512
  
  729ff89e5793c53b1e5b89e3cc5fb76b6eaad5b5ae9566eb4b5492adec00b1dfd5ead5c026467ce7cf3f9cf80388ca12f12c95a2a92e0f43a187f1c138c5368b
- SSDEEP
  
  768:pH1srzPR5PYyvUE6zX0pxxxxxxxxxxxxxCUglsZQ2XPtxUIdrbzYcHeIm:p1yzRpYyvUE6zXL/2ftxUWqI
Score

1^/10
behavioral27 behavioral28
- Target
  
  bae7ee765f1ec70ca4a9a734abecca822860c67ed6b42f8bab49ab2b34808eac
- Size
  
  21KB
- MD5
  
  0a09b1ddda6cf6c1d2e52566986cc379
- SHA1
  
  2c779063e1393af486c0e81431bbb4e682afd586
- SHA256
  
  bae7ee765f1ec70ca4a9a734abecca822860c67ed6b42f8bab49ab2b34808eac
- SHA512
  
  35ad11c57050d707d5d46ee6dbd119f9c44993b0c014c9efc5f85bc69fc5251e7d4585cb5acac434e1cdf63b99f57dcbc00c43b671c2b68a41b987ccee36b606
- SSDEEP
  
  384:CTeEJwk57y4uCo4wB2Z1xG7tlBcxXw6besz2h:3Ohy7UZbKlBcxA6beszG
Score

1^/10
behavioral29 behavioral30
- Target
  
  c3fdcec878ac032f4bb4c73a8ba9b08dd546e931d6f0f24bf905207501ba0b07
- Size
  
  29KB
- MD5
  
  77cbd091343b10c2be75931a0ce4f1ab
- SHA1
  
  45ec8ff2ff454638e75796575e2468b0ea2fb182
- SHA256
  
  c3fdcec878ac032f4bb4c73a8ba9b08dd546e931d6f0f24bf905207501ba0b07
- SHA512
  
  f3355d91d5ff74e46e0fd68abbd8b8c126e0b3391a4916b41c9c2005008ae6104c01c12b1512d2ee729ab379c2e61be755424f27da90a2b2964a8758f4b0b2dd
- SSDEEP
  
  768:Mef5bWAYY9njfp7pq7nD3kFkNXwrSBh0pPSEON9g74Y:h5x9u7nD0FkNArSBCvOe4
Score

4^/10
behavioral31 behavioral32