Overview

overview

10

Static

static

10

samples (2).zip

windows7-x64

1

samples (2).zip

windows10-2004-x64

1

04035f6fdd...f9.exe

windows7-x64

9

04035f6fdd...f9.exe

windows10-2004-x64

7

0ed3c87ce3...07.exe

windows7-x64

4

0ed3c87ce3...07.exe

windows10-2004-x64

1

1ce291b079...c9.exe

windows7-x64

7

1ce291b079...c9.exe

windows10-2004-x64

1

30e66f95b4...49.exe

windows7-x64

8

30e66f95b4...49.exe

windows10-2004-x64

8

335160bee7...cf.exe

windows7-x64

10

335160bee7...cf.exe

windows10-2004-x64

10

3d7dd597a4...67.exe

windows7-x64

1

3d7dd597a4...67.exe

windows10-2004-x64

7

42dcc46f9d...46.exe

windows7-x64

9

42dcc46f9d...46.exe

windows10-2004-x64

8

4fcaca23e9...f2.exe

windows7-x64

10

4fcaca23e9...f2.exe

windows10-2004-x64

10

5994300c1c...a7.exe

windows7-x64

10

5994300c1c...a7.exe

windows10-2004-x64

9

627a5569d4...e3.exe

windows7-x64

7

627a5569d4...e3.exe

windows10-2004-x64

10

kf12.pyc

windows7-x64

3

kf12.pyc

windows10-2004-x64

1

63fa775052...2f.exe

windows7-x64

1

63fa775052...2f.exe

windows10-2004-x64

1

645b8dfe73...79.exe

windows7-x64

1

645b8dfe73...79.exe

windows10-2004-x64

1

64862ec699...1b.exe

windows7-x64

9

64862ec699...1b.exe

windows10-2004-x64

10

741d75a02d...5e.exe

windows7-x64

10

741d75a02d...5e.exe

windows10-2004-x64

10

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    samples (2).zip

  • Size

    120.4MB

  • Sample

    240101-slnwxsfeh4

  • MD5

    aec75f441aa8bee97dde00cf38aa20b7

  • SHA1

    df50a2ff2d2f0892bd9212ca6ebec02c8753c265

  • SHA256

    44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d

  • SHA512

    e6fc8544f3840cc9bc5778baf9294f2df086ed793acd014a354300615fb82effa27bc3c77320d44e9a67404fd1ac7d06bd029829b40936fc9a38deaa46c6ca44

  • SSDEEP

    3145728:VLfH9HbbMDj02Cdpnge0LREc1Z4sJCwZ3lehMSA/nSMBTlrdG:xP9HbbM0P0LLb0wxchfA/nSMBhg

Score
10/10
dharmamatrixsnatchxoristdiscoveryevasionpersistencepyinstallerransomwarespywarestealerthemidatrojanupxvmprotect

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\#NOBAD_README#.rtf

Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 InkognitoMan@tutamail.com\par InkognitoMan@firemail.cc\par empty\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 4AB2BE8D9F607C9C\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b empty\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 4AB2BE8D9F607C9C\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 wvpUDSrb\cf0\f1\fs32\lang1049\par \par }
Emails

InkognitoMan@tutamail.com\par

InkognitoMan@firemail.cc\par
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#NOBAD_README#.rtf

Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 InkognitoMan@tutamail.com\par InkognitoMan@firemail.cc\par empty\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 443401BB5C40F14B\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b empty\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 443401BB5C40F14B\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 gLwiiyNW\cf0\f1\fs32\lang1049\par \par }
Emails

InkognitoMan@tutamail.com\par

InkognitoMan@firemail.cc\par
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR HGJZITLXE FILES.TXT

Ransom Note
THE ENTIRE NETWORK IS ENCRYPTED YOUR BUSINESS IS LOSING MONEY! Dear Management! We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 100GB of your data Personal data Marketing data Confidentional documents Accounting SQL Databases Copy of some mailboxes Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. Write to us directly, without resorting to intermediaries, they will deceive you. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact us: candice.wood@post.cz or candice.wood@swisscows.email Additional ways to communicate in tox chat tox id: 83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97
Emails

candice.wood@post.cz

candice.wood@swisscows.email

Extracted

Path

C:\Users\Admin\3D Objects\read_it.txt

Ransom Note
YOUR PERSONAL INFORMATION IS NOW ENCRYPTED WITH MILITARY GRADE ENCRYPTION by BAAL RANSOMWARE All files on all affected machines and network have been encrypted with Baal Ransomware Encryption. What guarantees do we give to you? You can send 2 of any encrypted files to us to decrypt then send them back. Who is responsible for the Ransom Fee? The SARB & SA Mint Organization not its employees or assosiates will need to pay the fee to obtain the unique decryption code & tool that contains the private key linked to this specific ecryption. NOTE: All data is ecrypted (locked) not overitten hence can be decrypted with assossiated key only. You have only 6 (six) days to meet the Ransom fee in Bitcoin. Instructions: 1. Send 121 BTC (Bitcoins) to the following receiving address: bc1qvrqgycul7svc33hs0ejqn5p2ewewynjkea90h7gcednhdj2745tslla7z9 Note: All Bitcoin transactions need six confirmations in the blockchain from miners before being processed. In general sending Bitcoin can take anywhere from seconds to over 60 minutes. Typically, however, it will take 10 to 20 minutes In most cases, Bitcoin transactions need 1 to 1.5 hours to complete. 2. Send blockchain transaction id screenshot not link via to the email address: blackbastabaalransomware@protonmail.com 3. Once the transaction is be confirmed. We will email back the one-click decryption tool to fully decrypt and recover all your files and remove the randsomware on all your machines and network permantly. (No I.T. background required). 4. The decryption usually takes about a few minutes to an hour depending on the scale and size of the files and additional drives the Ransomware has spread onto the network. What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt then send them back. You have 6 days until the decryption keys are terminated and all data on affected machines and networks will never be recovered. We make use of Military Grade AES Encryptions. Without the linked decryption key you can just forgot about ever recovering encrypted data. ------------------------------------------------------------------------------------------------ 'Blessed are the strong for they shall inherit the Earth' - Codex Saerus
Emails

blackbastabaalransomware@protonmail.com

Targets

    • Target

      samples (2).zip

    • Size

      120.4MB

    • MD5

      aec75f441aa8bee97dde00cf38aa20b7

    • SHA1

      df50a2ff2d2f0892bd9212ca6ebec02c8753c265

    • SHA256

      44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d

    • SHA512

      e6fc8544f3840cc9bc5778baf9294f2df086ed793acd014a354300615fb82effa27bc3c77320d44e9a67404fd1ac7d06bd029829b40936fc9a38deaa46c6ca44

    • SSDEEP

      3145728:VLfH9HbbMDj02Cdpnge0LREc1Z4sJCwZ3lehMSA/nSMBTlrdG:xP9HbbM0P0LLb0wxchfA/nSMBhg

    Score
    1/10
    behavioral1behavioral2

    • Target

      04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9

    • Size

      2.1MB

    • MD5

      e4bf35b81bfaa0e789ad9461dbacb542

    • SHA1

      dcf7b855b2c3516a6b88a410ef5b44a2c650f62d

    • SHA256

      04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9

    • SHA512

      6635342515a01acde48792cb362dc9e5bd7ffc4fe6a9b8b2fdb0d6c8758d79db847daf28e2fe700a898425214d95d2707337c900c695a47cfd9dada946adf64d

    • SSDEEP

      49152:Iw80cTsjkWanAlfiebWlHcA+G6HYaqK3hUQrObmyPYjR+:Z8sjkrgWezG6lh73jR+

    Score
    9/10
    persistenceransomwareupx

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence
    behavioral3behavioral4

    • Target

      0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507

    • Size

      2.9MB

    • MD5

      ec2a8d8f7853397f86a4c96fdbe01b19

    • SHA1

      daaeb314219acb7f10268512c8358a6941d53da3

    • SHA256

      0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507

    • SHA512

      f75ee827b41ff1783208f3116130b8c29c958059f589b8df4d423896bafa24f4aae5a19a990271a2caf98880772b23ad719c7c141b8e1ea6f0e1eda58f0a4e68

    • SSDEEP

      49152:yKRy/NLHsvdoewagi6rndXTrKdRRzsdydWLToel51txKRy/N:yKRshsdo/PrndXTrKdRRwZLJl3KRs

    Score
    4/10
    behavioral5behavioral6

    • Target

      1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9

    • Size

      5.3MB

    • MD5

      393247c068ff136a28c6ef99a0e004ad

    • SHA1

      d1acbc1d3f796745de7fdb65fe290f2876bf38cd

    • SHA256

      1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9

    • SHA512

      6bd2bf2f9c1e89e77d4365c73cb9e13782b2055dd7e5b6d54bc45265349e8d569fe7036c99f582ee47d9d6b8a41bc8eb02524baba8ed9c7d69975c27169b5afe

    • SSDEEP

      98304:Puzw2CTViOip5X+MHsMgBXN2/H4QJP6u822wpXJun9TLrynQnI1:PuzITVb0OysM49vgPCMJwHy/

    Score
    7/10
    vmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect
    behavioral7behavioral8

    • Target

      30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49

    • Size

      1.2MB

    • MD5

      9d43722941309d477e25b7d48b085d00

    • SHA1

      79793205208d8679b1d1dfe06475a4e52c8b1846

    • SHA256

      30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49

    • SHA512

      7f2e8a7c38776c1b3c2898b9c7367f51060b4a6ca1385314fd2da417cfe2d18a84f6891dfe18ef28e477037ed84eb2fbbecbeef294751cff0de52ea6c9566efd

    • SSDEEP

      24576:K6FBigVov3pjeA+07ASgSl+YYxJuWMvV36/K+VLebSKLvBTyPj+dyqG2W0b1:7Bi53w3eqi+mfJujkyqG29x

    Score
    8/10
    evasion

    • Modifies Windows Firewall

      evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral10behavioral9

    • Target

      335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf

    • Size

      3.7MB

    • MD5

      9c7e90d7637277bb4f4985405eb0ace9

    • SHA1

      5b0899d790eb4a37260e5d9b8a2ad3f2ada55b1d

    • SHA256

      335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf

    • SHA512

      7b57021edfa1108558c2d02df0600de55fd9338dfebc044c03dc677072975acc216a0374cff270d9d75f20e5b92b252f75b2ad3b94f603e7a09f69c14ca888d9

    • SSDEEP

      98304:Pvqlou/EtfzJS+1S6+T9aLcNvvj5Pudln7QktFJLRyC2hVW13:w/Q7I+T8aLcNvvjQn7QkjFkDVW

    Score
    10/10
    matrixdiscoveryevasionpersistenceransomwarespywarestealerupx

    • Matrix Ransomware

      Targeted ransomware with information collection and encryption functionality.

      ransomwarematrix

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Drops file in Drivers directory

    • Sets service image path in registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral11behavioral12

    • Target

      3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567

    • Size

      3.1MB

    • MD5

      3e24d064025ec20d6a8e8bae1d19ecdb

    • SHA1

      aaf26fd22d5cab24dda2923b7ba6b131772b3a68

    • SHA256

      3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567

    • SHA512

      02eeddcb6d33dada9214503ab460d409ba429dfb00c756722188e2b7b9a65dd054a0bdacf45613ef3d6aa9524f256da155e33daf94eade384dc94f7716724896

    • SSDEEP

      49152:yAqPm6R8fkBn5GSOsnvjXo2KzB931XYPy:0O6R8fklXo2KzBHX

    Score
    7/10
    spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral13behavioral14

    • Target

      42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046

    • Size

      1.2MB

    • MD5

      85f7df557b52cfb4850dbdd5040417f6

    • SHA1

      4773ecc3311a02f7a9851ef8721c2ab6e903ea78

    • SHA256

      42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046

    • SHA512

      ff2dc51db02259df61c70985140ae8f65690fc910ecc6161f65f71208a0ee0bacc7bd6df5dbc7802fa4cb4ce03968f52e3bf949c21b24a0fc543c6e473d686f1

    • SSDEEP

      24576:f6FBigwov3pjeA+07ASgSl+YYxJuWMvV36/K+VLebSKLvBTyPj+dyqGYV0b1:YBiI3w3eqi+mfJujkyqGY2x

    Score
    9/10
    evasionransomware

    • Renames multiple (167) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral15behavioral16

    • Target

      4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2

    • Size

      4.7MB

    • MD5

      e86893b92eca6e8dfbcfb9bbc08ee973

    • SHA1

      acaf1392ea344a074cd4dd47faa6a7e1530747f3

    • SHA256

      4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2

    • SHA512

      24f258fb7f088b9c139ef83dd90c63248eee3e85b871841406765386dad20e48d2b8cdd19a0e165e10ff5eeb4494bafd3c84989f3f73112c1273399f7b23f635

    • SSDEEP

      98304:0s7ZE5JsxXe8NpqBjkZxHJMAM0hsEfIOC34SSPl0V1Eo7N3grvl0iqN+XW0FUlK0:0srXe8NEMMAZhsXOCYe3P7NuI4WHlK8

    Score
    10/10
    dharmapersistenceransomwarespywarestealervmprotect

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (201) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    behavioral17behavioral18

    • Target

      5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7

    • Size

      4.8MB

    • MD5

      5a3c5576c359ce4f40b3274209db2e76

    • SHA1

      8d38f1c0953013d623bea6d6f6f47d5a0c7027f9

    • SHA256

      5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7

    • SHA512

      a9780e15702531d22a7088bb1de49c083499244819732f07c7a1c22bea00aa3592231766adae42ea8f980896a659a46a51a58e4e366a35e327f9d788ff88e5eb

    • SSDEEP

      49152:Dc2Ee3ScTnrb/T5vO90dL3BmAFd4A64nsfJG0CJZGSUeU/o/ZsPfNW7Ew5EzUgr0:73l8ZSUOyaEUVHB72INLu6SZJZ

    Score
    10/10
    ransomwareevasion

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Stops running service(s)

      evasion
    behavioral19behavioral20

    • Target

      627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3

    • Size

      31.9MB

    • MD5

      446fb9d942879e16c30b4cdd4cfca25f

    • SHA1

      15db57519b54475ca7961a558806c6c49df85d5a

    • SHA256

      627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3

    • SHA512

      14ec30f91f678fe0ae4b3d681389f4f5a5a01ea2b0cfaf7835025206bde8589f78e3a3a1308089c3331d650ee539ed9dbe723ca7edc72cb3b1996ef7b1d0ad6f

    • SSDEEP

      786432:k+yF8WWxUdUd1LRphkc3FphBWGlso5EYW8GUCUEDDu4Kucccd8:WF8WWxUUddRzFphBZd5E7UCpDfm

    Score
    10/10
    evasionransomwarespywarestealertrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (2426) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables cmd.exe use via registry modification

      evasion

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral21behavioral22

    • Target

      kf12.pyc

    • Size

      21KB

    • MD5

      fec35c2b1a1da26cff18b89c0a687b4d

    • SHA1

      32444072a2558f1e11964ad40974dbb9d0369d69

    • SHA256

      7d8be3ab49fc7b8eb2c762a702d1b0c4702f02d62f534631c5e4258f64f88130

    • SHA512

      f4d812ab23b285ff17686cc03e15bdb348b1eefe89848a1b24dc5d63715fbe82f9f8f2cf83037baa113b94526f97161644484ef4a68cbd43010b016b440aade8

    • SSDEEP

      384:KXGa/jX2Fu1fC1t8jUG3keIkfkRkBk6k6k6keke4kzkNkZk6k6k6kekrkzkNklkQ:K2a/jX1fWeTMueFFFJeDAKmFFFJIAKSQ

    Score
    3/10
    behavioral23behavioral24

    • Target

      63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f

    • Size

      7.2MB

    • MD5

      14d4bc13a12f8243383756de92529d6d

    • SHA1

      54b8fc5de74856d90cad60da8cc41b98940e6a15

    • SHA256

      63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f

    • SHA512

      bbf499f3c3c20d5fe4310995edff3955365398923e6131cb318ee3cd762e034cd798e826bae00a680053846ef2a50c5f153bdb4d2d8cbc93688b9f8a8cf5b55a

    • SSDEEP

      98304:1VRCs/IYJ5dqZqbKW9oNV8xOerpA8sNqdKe+GCsJ+JjhLeA6dw3:1Vt/TqcbKLpea8s3XsJ+Jjd

    Score
    1/10
    behavioral25behavioral26

    • Target

      645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279

    • Size

      2.4MB

    • MD5

      38529ecca6f8857442331c40e1bd5f9d

    • SHA1

      37fe11751277dd8cc889e0c05d7fde88b98aa67c

    • SHA256

      645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279

    • SHA512

      a837e6f5452c939f7a7dcf16613fab486bb584c20aeb3121748d1dae731c4161a19ea2f9863bf621dc8c61101860b3ebfb3c4a780c8f1c07bd1ad59c90540d4a

    • SSDEEP

      49152:hxFNFf4ZjhxNdNGa5YLuOARYNdNXc0xI5mmswos1:hxF7Q3xDAa5qARYDS0xIg

    Score
    1/10
    behavioral27behavioral28

    • Target

      64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b

    • Size

      1.7MB

    • MD5

      2b34badcdfb0921ee43548475c0ec5bb

    • SHA1

      2cfe28584ae7649e3fe0ae150bfe49f7eabc6cf9

    • SHA256

      64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b

    • SHA512

      c31ac862ac9211821332aa8fd03110ca3ef89304fead4a900d2190c4a3950d2d6e5704b06ab3edf2ea6c6d3b9c225e5220e62496dc42948ec6125618924f880c

    • SSDEEP

      24576:++H1KCVkwjVSjdao2bwzUaSze1AeHm/gcgX+7waf7gm7yZADfBFdOgSeiseIK1S3:399byqze1I3o+rH+MFdOsZvShn9T

    Score
    10/10
    evasionpersistenceransomwarespywarestealer

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral29behavioral30

    • Target

      741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e

    • Size

      2.4MB

    • MD5

      675716e76d329c21fd1c8584c4bbf4e0

    • SHA1

      3f31361a356346980a458f72639b167f8557d997

    • SHA256

      741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e

    • SHA512

      33990b75e05409956567e2c417c4af3cefed346d18b1c990651ba9ae55f4c41e448f48e708ebb3f0a47dd2f95a648d99fa49b1f53bd68275754a98662451b75e

    • SSDEEP

      49152:T1qnoAYJ+dAyibulZllnhELJPA2GINhptUhwRVmif4lqKw1UWHgCw8SbdkYMy:pMoAYJlyi8WBAypSQVf4l21xw80ke

    Score
    10/10
    xoristevasionpersistenceransomwarespywarestealerthemidatrojan

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

      ransomwarexorist

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Renames multiple (2144) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops file in System32 directory

    behavioral31behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

5
T1547

Registry Run Keys / Startup Folder

5
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

5
T1547

Registry Run Keys / Startup Folder

5
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Indicator Removal

13
T1070

File Deletion

12
T1070.004

Modify Registry

10
T1112

File and Directory Permissions Modification

1
T1222

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

6
T1552

Credentials In Files

6
T1552.001

Discovery

Remote System Discovery

1
T1018

System Information Discovery

12
T1082

Query Registry

11
T1012

Peripheral Device Discovery

3
T1120

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

6
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

14
T1490

Defacement

2
T1491

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks

static1

vmprotectpyinstallerthemidasnatch
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

persistenceransomwareupx
Score
9/10

behavioral4

persistence
Score
7/10

behavioral5

Score
4/10

behavioral6

Score
1/10

behavioral7

vmprotect
Score
7/10

behavioral8

Score
1/10

behavioral9

evasion
Score
8/10

behavioral10

evasion
Score
8/10

behavioral11

matrixdiscoveryevasionpersistenceransomwarespywarestealerupx
Score
10/10

behavioral12

matrixdiscoveryransomwareupx
Score
10/10

behavioral13

Score
1/10

behavioral14

spywarestealer
Score
7/10

behavioral15

evasionransomware
Score
9/10

behavioral16

evasion
Score
8/10

behavioral17

dharmapersistenceransomwarespywarestealervmprotect
Score
10/10

behavioral18

dharmapersistenceransomwarevmprotect
Score
10/10

behavioral19

ransomware
Score
10/10

behavioral20

evasionransomware
Score
9/10

behavioral21

Score
7/10

behavioral22

evasionransomwarespywarestealertrojan
Score
10/10

behavioral23

Score
3/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

evasionpersistenceransomware
Score
9/10

behavioral30

evasionpersistenceransomwarespywarestealer
Score
10/10

behavioral31

xoristevasionpersistenceransomwarespywarestealerthemidatrojan
Score
10/10

behavioral32

xoristevasionpersistenceransomwarethemidatrojan
Score
10/10