Resubmissions

15-01-2024 10:33

240115-mln9sseben 10

30-01-2023 02:12

230130-cnc97seh7x 10

General

  • Target

    e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527.zip

  • Size

    741KB

  • Sample

    240115-mln9sseben

  • MD5

    a7cd16a6c7b1cf2eebd351abff7e8b47

  • SHA1

    803189d5b894a8d980abcd18dbda37fdc29b1758

  • SHA256

    fca69729e8052caad11c59e1ec5b7671bb1898724b3a1316ad77c8e565c85795

  • SHA512

    8ff49acfa683147d142249b77ca7d9e6f52d9b5bff6b5d451853e95773cc7dd866a84e50663a7292d84719b60e04126607d4a90120670e6f4ab945b57bb6a9a7

  • SSDEEP

    12288:uFZ3BHVlg6uEw2SHdaB4obTueFDIblY7SvT5rVXG3Zbru6oI7RohfUw5kdEHhAR+:uFZNs6uEw2soHZFD4ldrV2p+9IV8Uw+Q

Score
10/10

Malware Config

Extracted

Family

agenda

Attributes
  • company_id

    MmXReVIxLV

  • note

    -- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: MmXReVIxLV Domain: ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion login: 6f031ccd-526a-4806-82a8-2e7d926243d4 password:

rsa_pubkey.plain

Extracted

Path

C:\Users\README-RECOVER-MmXReVIxLV.txt

Family

agenda

Ransom Note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: MmXReVIxLV Domain: ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion login: 6f031ccd-526a-4806-82a8-2e7d926243d4 password: AgendaPass
URLs

http://ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion

Targets

    • Target

      e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527.exe

    • Size

      1.6MB

    • MD5

      6a93e618e467ed13f98819172e24fffa

    • SHA1

      d34550ebc2bee47c708c8e048eb78881468e6bca

    • SHA256

      e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527

    • SHA512

      ac78fcd5ab3340fa691eb9941c729a58291ae58372ed8f535ae2a7ac23b99b0f57448343a020b4e889a7b7a822d116df32c8c5c14a4def0720987c2d6b966192

    • SSDEEP

      24576:KBz37bSK2rgyik2VZGiOYnSadiUm6M551SaJkqFYUe3xHj96khwkyITnoXlIEvXX:Kx6Rvik2VUKnzhQ4akWXUy

    Score
    10/10
    • Agenda Ransomware

      A ransomware with multiple variants written in Golang and Rust first seen in August 2022.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (152) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

MITRE ATT&CK Enterprise v15

Tasks