dharma

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Sharing

Copy URL

Twitter E-mail

General

Target

samples (2).zip
Size

120.4MB
Sample

240101-slnwxsfeh4
MD5

aec75f441aa8bee97dde00cf38aa20b7
SHA1

df50a2ff2d2f0892bd9212ca6ebec02c8753c265
SHA256

44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d
SHA512

e6fc8544f3840cc9bc5778baf9294f2df086ed793acd014a354300615fb82effa27bc3c77320d44e9a67404fd1ac7d06bd029829b40936fc9a38deaa46c6ca44
SSDEEP

3145728:VLfH9HbbMDj02Cdpnge0LREc1Z4sJCwZ3lehMSA/nSMBTlrdG:xP9HbbM0P0LLb0wxchfA/nSMBhg

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\#NOBAD_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par empty\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 4AB2BE8D9F607C9C\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b empty\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 4AB2BE8D9F607C9C\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 wvpUDSrb\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#NOBAD_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par empty\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 443401BB5C40F14B\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b empty\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 443401BB5C40F14B\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 gLwiiyNW\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR HGJZITLXE FILES.TXT

Ransom Note

THE ENTIRE NETWORK IS ENCRYPTED YOUR BUSINESS IS LOSING MONEY! Dear Management! We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 100GB of your data Personal data Marketing data Confidentional documents Accounting SQL Databases Copy of some mailboxes Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. Write to us directly, without resorting to intermediaries, they will deceive you. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact us: [email protected] or [email protected] Additional ways to communicate in tox chat tox id: 83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97

Emails

[email protected]

Extracted

Path

C:\Users\Admin\3D Objects\read_it.txt

Ransom Note

YOUR PERSONAL INFORMATION IS NOW ENCRYPTED WITH MILITARY GRADE ENCRYPTION by BAAL RANSOMWARE All files on all affected machines and network have been encrypted with Baal Ransomware Encryption. What guarantees do we give to you? You can send 2 of any encrypted files to us to decrypt then send them back. Who is responsible for the Ransom Fee? The SARB & SA Mint Organization not its employees or assosiates will need to pay the fee to obtain the unique decryption code & tool that contains the private key linked to this specific ecryption. NOTE: All data is ecrypted (locked) not overitten hence can be decrypted with assossiated key only. You have only 6 (six) days to meet the Ransom fee in Bitcoin. Instructions: 1. Send 121 BTC (Bitcoins) to the following receiving address: bc1qvrqgycul7svc33hs0ejqn5p2ewewynjkea90h7gcednhdj2745tslla7z9 Note: All Bitcoin transactions need six confirmations in the blockchain from miners before being processed. In general sending Bitcoin can take anywhere from seconds to over 60 minutes. Typically, however, it will take 10 to 20 minutes In most cases, Bitcoin transactions need 1 to 1.5 hours to complete. 2. Send blockchain transaction id screenshot not link via to the email address: [email protected] 3. Once the transaction is be confirmed. We will email back the one-click decryption tool to fully decrypt and recover all your files and remove the randsomware on all your machines and network permantly. (No I.T. background required). 4. The decryption usually takes about a few minutes to an hour depending on the scale and size of the files and additional drives the Ransomware has spread onto the network. What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt then send them back. You have 6 days until the decryption keys are terminated and all data on affected machines and networks will never be recovered. We make use of Military Grade AES Encryptions. Without the linked decryption key you can just forgot about ever recovering encrypted data. ------------------------------------------------------------------------------------------------ 'Blessed are the strong for they shall inherit the Earth' - Codex Saerus

Emails

[email protected]

Targets

- Target
  
  samples (2).zip
- Size
  
  120.4MB
- MD5
  
  aec75f441aa8bee97dde00cf38aa20b7
- SHA1
  
  df50a2ff2d2f0892bd9212ca6ebec02c8753c265
- SHA256
  
  44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d
- SHA512
  
  e6fc8544f3840cc9bc5778baf9294f2df086ed793acd014a354300615fb82effa27bc3c77320d44e9a67404fd1ac7d06bd029829b40936fc9a38deaa46c6ca44
- SSDEEP
  
  3145728:VLfH9HbbMDj02Cdpnge0LREc1Z4sJCwZ3lehMSA/nSMBTlrdG:xP9HbbM0P0LLb0wxchfA/nSMBhg
Score

1^/10
behavioral1 behavioral2
- Target
  
  04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
- Size
  
  2.1MB
- MD5
  
  e4bf35b81bfaa0e789ad9461dbacb542
- SHA1
  
  dcf7b855b2c3516a6b88a410ef5b44a2c650f62d
- SHA256
  
  04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
- SHA512
  
  6635342515a01acde48792cb362dc9e5bd7ffc4fe6a9b8b2fdb0d6c8758d79db847daf28e2fe700a898425214d95d2707337c900c695a47cfd9dada946adf64d
- SSDEEP
  
  49152:Iw80cTsjkWanAlfiebWlHcA+G6HYaqK3hUQrObmyPYjR+:Z8sjkrgWezG6lh73jR+
Score

9^/10

persistence ransomware upx
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507
- Size
  
  2.9MB
- MD5
  
  ec2a8d8f7853397f86a4c96fdbe01b19
- SHA1
  
  daaeb314219acb7f10268512c8358a6941d53da3
- SHA256
  
  0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507
- SHA512
  
  f75ee827b41ff1783208f3116130b8c29c958059f589b8df4d423896bafa24f4aae5a19a990271a2caf98880772b23ad719c7c141b8e1ea6f0e1eda58f0a4e68
- SSDEEP
  
  49152:yKRy/NLHsvdoewagi6rndXTrKdRRzsdydWLToel51txKRy/N:yKRshsdo/PrndXTrKdRRwZLJl3KRs
Score

4^/10
behavioral5 behavioral6
- Target
  
  1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9
- Size
  
  5.3MB
- MD5
  
  393247c068ff136a28c6ef99a0e004ad
- SHA1
  
  d1acbc1d3f796745de7fdb65fe290f2876bf38cd
- SHA256
  
  1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9
- SHA512
  
  6bd2bf2f9c1e89e77d4365c73cb9e13782b2055dd7e5b6d54bc45265349e8d569fe7036c99f582ee47d9d6b8a41bc8eb02524baba8ed9c7d69975c27169b5afe
- SSDEEP
  
  98304:Puzw2CTViOip5X+MHsMgBXN2/H4QJP6u822wpXJun9TLrynQnI1:PuzITVb0OysM49vgPCMJwHy/
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral7 behavioral8
- Target
  
  30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49
- Size
  
  1.2MB
- MD5
  
  9d43722941309d477e25b7d48b085d00
- SHA1
  
  79793205208d8679b1d1dfe06475a4e52c8b1846
- SHA256
  
  30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49
- SHA512
  
  7f2e8a7c38776c1b3c2898b9c7367f51060b4a6ca1385314fd2da417cfe2d18a84f6891dfe18ef28e477037ed84eb2fbbecbeef294751cff0de52ea6c9566efd
- SSDEEP
  
  24576:K6FBigVov3pjeA+07ASgSl+YYxJuWMvV36/K+VLebSKLvBTyPj+dyqG2W0b1:7Bi53w3eqi+mfJujkyqG29x
Score

8^/10

evasion
- Modifies Windows Firewall
  evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral10 behavioral9
- Target
  
  335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf
- Size
  
  3.7MB
- MD5
  
  9c7e90d7637277bb4f4985405eb0ace9
- SHA1
  
  5b0899d790eb4a37260e5d9b8a2ad3f2ada55b1d
- SHA256
  
  335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf
- SHA512
  
  7b57021edfa1108558c2d02df0600de55fd9338dfebc044c03dc677072975acc216a0374cff270d9d75f20e5b92b252f75b2ad3b94f603e7a09f69c14ca888d9
- SSDEEP
  
  98304:Pvqlou/EtfzJS+1S6+T9aLcNvvj5Pudln7QktFJLRyC2hVW13:w/Q7I+T8aLcNvvjQn7QkjFkDVW
Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx
- Matrix Ransomware
  Targeted ransomware with information collection and encryption functionality.
  ransomware matrix
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral11 behavioral12
- Target
  
  3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
- Size
  
  3.1MB
- MD5
  
  3e24d064025ec20d6a8e8bae1d19ecdb
- SHA1
  
  aaf26fd22d5cab24dda2923b7ba6b131772b3a68
- SHA256
  
  3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
- SHA512
  
  02eeddcb6d33dada9214503ab460d409ba429dfb00c756722188e2b7b9a65dd054a0bdacf45613ef3d6aa9524f256da155e33daf94eade384dc94f7716724896
- SSDEEP
  
  49152:yAqPm6R8fkBn5GSOsnvjXo2KzB931XYPy:0O6R8fklXo2KzBHX
Score

7^/10

spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral13 behavioral14
- Target
  
  42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046
- Size
  
  1.2MB
- MD5
  
  85f7df557b52cfb4850dbdd5040417f6
- SHA1
  
  4773ecc3311a02f7a9851ef8721c2ab6e903ea78
- SHA256
  
  42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046
- SHA512
  
  ff2dc51db02259df61c70985140ae8f65690fc910ecc6161f65f71208a0ee0bacc7bd6df5dbc7802fa4cb4ce03968f52e3bf949c21b24a0fc543c6e473d686f1
- SSDEEP
  
  24576:f6FBigwov3pjeA+07ASgSl+YYxJuWMvV36/K+VLebSKLvBTyPj+dyqGYV0b1:YBiI3w3eqi+mfJujkyqGY2x
Score

9^/10

evasion ransomware
- Renames multiple (167) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral15 behavioral16
- Target
  
  4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2
- Size
  
  4.7MB
- MD5
  
  e86893b92eca6e8dfbcfb9bbc08ee973
- SHA1
  
  acaf1392ea344a074cd4dd47faa6a7e1530747f3
- SHA256
  
  4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2
- SHA512
  
  24f258fb7f088b9c139ef83dd90c63248eee3e85b871841406765386dad20e48d2b8cdd19a0e165e10ff5eeb4494bafd3c84989f3f73112c1273399f7b23f635
- SSDEEP
  
  98304:0s7ZE5JsxXe8NpqBjkZxHJMAM0hsEfIOC34SSPl0V1Eo7N3grvl0iqN+XW0FUlK0:0srXe8NEMMAZhsXOCYe3P7NuI4WHlK8
Score

10^/10

dharma persistence ransomware spyware stealer vmprotect
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (201) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral17 behavioral18
- Target
  
  5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7
- Size
  
  4.8MB
- MD5
  
  5a3c5576c359ce4f40b3274209db2e76
- SHA1
  
  8d38f1c0953013d623bea6d6f6f47d5a0c7027f9
- SHA256
  
  5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7
- SHA512
  
  a9780e15702531d22a7088bb1de49c083499244819732f07c7a1c22bea00aa3592231766adae42ea8f980896a659a46a51a58e4e366a35e327f9d788ff88e5eb
- SSDEEP
  
  49152:Dc2Ee3ScTnrb/T5vO90dL3BmAFd4A64nsfJG0CJZGSUeU/o/ZsPfNW7Ew5EzUgr0:73l8ZSUOyaEUVHB72INLu6SZJZ
Score

10^/10

ransomware evasion
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Stops running service(s)
  evasion
behavioral19 behavioral20
- Target
  
  627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3
- Size
  
  31.9MB
- MD5
  
  446fb9d942879e16c30b4cdd4cfca25f
- SHA1
  
  15db57519b54475ca7961a558806c6c49df85d5a
- SHA256
  
  627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3
- SHA512
  
  14ec30f91f678fe0ae4b3d681389f4f5a5a01ea2b0cfaf7835025206bde8589f78e3a3a1308089c3331d650ee539ed9dbe723ca7edc72cb3b1996ef7b1d0ad6f
- SSDEEP
  
  786432:k+yF8WWxUdUd1LRphkc3FphBWGlso5EYW8GUCUEDDu4Kucccd8:WF8WWxUUddRzFphBZd5E7UCpDfm
Score

10^/10

evasion ransomware spyware stealer trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (2426) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables cmd.exe use via registry modification
  evasion
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral21 behavioral22
- Target
  
  kf12.pyc
- Size
  
  21KB
- MD5
  
  fec35c2b1a1da26cff18b89c0a687b4d
- SHA1
  
  32444072a2558f1e11964ad40974dbb9d0369d69
- SHA256
  
  7d8be3ab49fc7b8eb2c762a702d1b0c4702f02d62f534631c5e4258f64f88130
- SHA512
  
  f4d812ab23b285ff17686cc03e15bdb348b1eefe89848a1b24dc5d63715fbe82f9f8f2cf83037baa113b94526f97161644484ef4a68cbd43010b016b440aade8
- SSDEEP
  
  384:KXGa/jX2Fu1fC1t8jUG3keIkfkRkBk6k6k6keke4kzkNkZk6k6k6kekrkzkNklkQ:K2a/jX1fWeTMueFFFJeDAKmFFFJIAKSQ
Score

3^/10
behavioral23 behavioral24
- Target
  
  63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f
- Size
  
  7.2MB
- MD5
  
  14d4bc13a12f8243383756de92529d6d
- SHA1
  
  54b8fc5de74856d90cad60da8cc41b98940e6a15
- SHA256
  
  63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f
- SHA512
  
  bbf499f3c3c20d5fe4310995edff3955365398923e6131cb318ee3cd762e034cd798e826bae00a680053846ef2a50c5f153bdb4d2d8cbc93688b9f8a8cf5b55a
- SSDEEP
  
  98304:1VRCs/IYJ5dqZqbKW9oNV8xOerpA8sNqdKe+GCsJ+JjhLeA6dw3:1Vt/TqcbKLpea8s3XsJ+Jjd
Score

1^/10
behavioral25 behavioral26
- Target
  
  645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279
- Size
  
  2.4MB
- MD5
  
  38529ecca6f8857442331c40e1bd5f9d
- SHA1
  
  37fe11751277dd8cc889e0c05d7fde88b98aa67c
- SHA256
  
  645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279
- SHA512
  
  a837e6f5452c939f7a7dcf16613fab486bb584c20aeb3121748d1dae731c4161a19ea2f9863bf621dc8c61101860b3ebfb3c4a780c8f1c07bd1ad59c90540d4a
- SSDEEP
  
  49152:hxFNFf4ZjhxNdNGa5YLuOARYNdNXc0xI5mmswos1:hxF7Q3xDAa5qARYDS0xIg
Score

1^/10
behavioral27 behavioral28
- Target
  
  64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b
- Size
  
  1.7MB
- MD5
  
  2b34badcdfb0921ee43548475c0ec5bb
- SHA1
  
  2cfe28584ae7649e3fe0ae150bfe49f7eabc6cf9
- SHA256
  
  64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b
- SHA512
  
  c31ac862ac9211821332aa8fd03110ca3ef89304fead4a900d2190c4a3950d2d6e5704b06ab3edf2ea6c6d3b9c225e5220e62496dc42948ec6125618924f880c
- SSDEEP
  
  24576:++H1KCVkwjVSjdao2bwzUaSze1AeHm/gcgX+7waf7gm7yZADfBFdOgSeiseIK1S3:399byqze1I3o+rH+MFdOsZvShn9T
Score

10^/10

evasion persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral29 behavioral30
- Target
  
  741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e
- Size
  
  2.4MB
- MD5
  
  675716e76d329c21fd1c8584c4bbf4e0
- SHA1
  
  3f31361a356346980a458f72639b167f8557d997
- SHA256
  
  741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e
- SHA512
  
  33990b75e05409956567e2c417c4af3cefed346d18b1c990651ba9ae55f4c41e448f48e708ebb3f0a47dd2f95a648d99fa49b1f53bd68275754a98662451b75e
- SSDEEP
  
  49152:T1qnoAYJ+dAyibulZllnhELJPA2GINhptUhwRVmif4lqKw1UWHgCw8SbdkYMy:pMoAYJlyi8WBAypSQVf4l21xw80ke
Score

10^/10

xorist evasion persistence ransomware spyware stealer themida trojan
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Renames multiple (2144) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
behavioral31 behavioral32