General

  • Target

    e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

  • Size

    473KB

  • Sample

    240221-3sayrahc48

  • MD5

    f83fb9ce6a83da58b20685c1d7e1e546

  • SHA1

    01c459b549c1c2a68208d38d4ba5e36d29212a4f

  • SHA256

    e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684

  • SHA512

    934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396

  • SSDEEP

    12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ

Malware Config

Extracted

Path

F:\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000000; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5 px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><b>Maze ransomware</b></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> </div> <div style="text-align: center; font-size: 18px;"> <p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p> <p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p> <p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p> <p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p> <p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p> <p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: [email protected]<br>Reserve e-mail: [email protected]</b></u> <p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies <p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">zGmW0mNRU29fuuumpZ6zrbbpZYO3scyl2VEilmOF3ZPNrs/sf+iES5UUHUtK0zqIX71HHHcMXvB/ROlg/aGkdwhM9xOKg3oY9nad0VkoBBM22c6ZgyM0lMgSle/+1TngGGRyImolB08+lRAlmuoJ+F5EHgIN9PFdA+GTh/dDfpVNCp/Sm2VMr+zMVGAudbZ8HiypEqBXnt8BftdSjAwjgzcDzTO6A0GpeCCPo9UYbPXddOBR31iEUlg+J+BZVjw/FHKxsvu6k0ZwJ3cSL0t43Lc+2i+XRpT5kZmorbiSV7LdBIXUKY+xiQWhbEE5keS2lxdLdybCNepZcKaPRS7ZKjMLg3kJna7ALlrzYm7zCYgL8e+KX+ppz6YZxT2RDhpCe9KkgkVw8z4N5BCEnz8YxrGxYM/4UdRTAgO/hgNAQh2txmwduDQL7AR+K8e9xcGrVWlAoYSEgY8iqYlHmUpVkpQJgnQXIWeLycI4c7TgwgEq5ilWAIhpd+AyR8bzi3Ql88ioePax30hdL8/0HbSzRNczl55J0pC87u5MEtPeEwa0+OejjHsxbiuZNRo6JKXA/WArjGrzbb5pA2O06m/L3Vt/TxGfOCZivj6pAzhgEWaFdUblNlzMyQijTDuo97Awn5i6GN2UOztS44GV3lbv/aJqUQuUDmPZCNsOQxwf4U4Z02fjJs6kp9Vi1q4cXUhQBbptvyRSJWiZHqtGbNzYLjbGaLT0WhXhUioxz8xC3u95Ju8rTQTmGjqrZVnN1ZNhS1byGU91ZeS6fDyLPaCKlqEgBl6Ty7OJYHntv188/aN5Ju8SUWlFbNW6pWJR+aZYFOpZqJjMB8YWOgzBDTerNOyFhGGcAn1uSXR/uC6BvrAMvMiIOmiC1zwXOhTTUhkjEXi1ogpK2Fa3b9GtD9OOoA2UoeHa76Gia+/Q2hi1ba6P9TR+Db0AV+v/D/YI0iNp19mAQEmG9m3ZO8Eo+UqqMIZ0YEKXxvavdR4I6I2beTluU78a0SRApy4At5kNy3SHacJRfMnhB8a4S4YAFFQgnc4Hg+qaco1FDXWxAircAQo3wq7E1Isv5VUPejcMxke0MbMuD2i4WYUBrEezHAjOfCcEZyhlhEv92PD6YeVM9z53WmV7g7gURI6Zc55s7Tv2dId7XaJd04oKLqbBSZKkOeGsdY2ObfOGDTiNoX8mxVqkWWxh5lnBKqJPPLByk1odwpSb6vNHFHoPAf+5skz4SaNSdxpiC5VbpenDtrOsNX3w+pIoLiYHkUn/pC+u8NUHBc0nmUyEzgVThra3gdZ0Mnpxatd8MLwj/r5W4JG9cCWObVrtXmjqCXVAZHrbT5aRoi3GKPRH9syMa2F31JIS/Hu6OrITYa/M/MGJmHBX6wkUi18j7s1CkBGUCP55/xpiCL6dQZ4/2pccmxmRqYCCI0gLvRawqAalN99pNXWZg/mJr8fdEiElza8bE8x1fNFoMhJXO2hxNU63YJ2NJ2UETbZCVSOCWV69pZwptcHq9MREYkMKuMmfaBTVqT2fvXM4tvbaFdL3/jZIfMFFlnqtBreA7bTXMd8k5GKKrkDyasAbybODf79YHjrcYu3NdOHza5YcXBDWYyPvzjUykLhEyptHbzZtACHLcKfrLI1kcDzfgV8Y5cWR65+0gQUknMj05ZpV0zwrKLSFI/umZ1EZU08iEhLm5MiMAeclaKUIgg1VlEsOjjhmFANujkaQ7F46RLHhSsE3HzFR9hZ1X3lcIh4yBG8A/p3YwwCsWQmT8hpPcJ9F7QsO9TdGSXHn0IDuGRECXYLRcSSeQ4f4xKiUxueoU257o4WF8jI+xAZG4FAFFFb2DNVlK77z3g/WI1sVFwrkAIT6K3a7CN+XcGZqJmGB9uxsQ6aaNdVVu7TM6zCrLrsZYLGqR5j8nURHCjDiv7zl2HMxq0i6laF6tQd9zbzgrbOdjxP057X/AH5WTz/xARX4u/sfrpez7/6s2RvBFpJkngLe1yLgUteqov2lfX63G2TA5MJF1vLEyaYROjOcSEb0j3vJ7cv9M+hEEM8RrObaAzX432rlX049dH8vwy1ZggSD7Gy7L5YjycWTWw3W6bllHzBVl89jNecU3gcc/UsOwit4hw/7ITVqfOP+z/rIFazo+yLkp1ir1aX/9YHXv1VaKI+WnAKugrVl0zmT7Nrqbuz6KohNIwPz4vqvd7RsESoEl4yz+dHSZmiMYB+1AhUAsLvc+v7SL4YOMRNm0UNWhAoiOAA3ADgAOAAwADkAOAAyADgAOQBkADIAOQBhADYAYQAAABCAYBoMQQBkAG0AaQBuAAAAIhJJAEsASgBTAFAARwBJAE0AAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADQALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCByNl7eAOAAQKKAQUxLjAuMg==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>
Emails

[email protected]<br>Reserve

[email protected]</b></u>

Extracted

Path

C:\odt\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000000; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5 px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><b>Maze ransomware</b></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> </div> <div style="text-align: center; font-size: 18px;"> <p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p> <p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p> <p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p> <p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p> <p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p> <p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: [email protected]<br>Reserve e-mail: [email protected]</b></u> <p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies <p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">LU499XQwZgpl5GPVUeP9P79ZocdVl5cYnMRdez0C6G+Ha2PoFqwd8IFaN1y7bbdoQ3kbiARsxZrfM7vnSl/scYjz3u4kKQQxdY6Bki0o4NBfhlSqciBom+GMnRg5vjEYGfLBgdhqAO+jUGtO5kgIE5s9E/RBYznLpshErSEpWqg55JnDh/uKQg+WNXuM1G6wU3OE53TlV0+y101Fz/A3cVh0wMhB41xFyiK1nngqdtjCrT2RMRvXw/qlk3OVhx2tIUj00/Hlm+GmMQbZoMkjdEUP0xXKGAh35q8C4LrgbVJmuguE1kfltjhRDJsXgulrQopnKbv732++emBDLt+y/pMapqmSFvgjECxDAYn1+jDnvxLcqhtiTJw9zEjG8bifSF6MZwWncXSLVErOs9xMI0YPzSRfzdXtk53AwJoa/4eCjoBwEW7fyFpvS1riaa4KIVUAPup05tCt8QeoYZy9WPrm9nbmy4v2S099F6zcq4kQBu+MC7yIfkFdYGOCD/jbsPyqJOYgL3PYysxo78ZaXuoISKWGUjTWmRUGDlWN4Vs/tjNS1z0QSf5qaUOLxNH7OxwWy2861Y4+qgTVEF1kttCcLizxLr4rcSlo42JCyEj/yhvAj7/0yCgkdHHI0mJdRzhs4tVGUC823sySPTYg1LeiyPf+rANdISjXF1oMk8x9hHIic5vkTeVD66vUNYwbxMFz9gKUtry6NJ2g8N45idqlxw8au7tyDI/vg01sEJ9AvfqVuTZ96oj7VXRg0EfflwUDGu+7roySpoz+0bIFvO4V0qC9s7wllqqiL2aLYo5yw4yVNkWv70AK5gTry53JzWJt2ta1J+tpFoPST5r/O/8InGBSOb4sA3nlR5S8lX3XumTUlpSrQtH8MshJW/9qFQmNfIxKWvoDg7RuwIswU16CakQMfBESIhPUV25q0/rpbyLtyenMJTKvRRj69oc2AyvmU7cPiQI4YnQ8co7QtnAp2obqftYQJtX3decydGomRWaxrlsbXAvJHRWCFUI9fuFRr+JD7Ic6RzVcXWkX6AdYMJI4ldI9awMrs/a+xFtlsiMkMFNqkrTnfznkWV2W8gt4qr15gndXBBaWCwmgrSNwEdzXP8Yn29ly3CNe3+9PF6GgswIaWAXUmQjFN/FKJWKxVl6vYDEHaaqb6963EEt8DmHZVyyIn/4UUrRyO93h1ahxtKUaZkrb3DxDZVfPqar44njZvWg7We+xREhSPJZzTwt4o0YD8uUxD3t+Y4dV6B8R0HHTJ/LphkHLRWg1UHxfjc7alizxJ4rZHR+I0KbIm260cWtU0SaDKjCorqsF7c0dC7bhOFbYcdQ0R+aPfhgQjiZdz9hLZLvyMT5YSsVFtpOxGwBV0YMxALS8q7r5aHVIiKkFPTjr5YS8tusgRMk9W6OUfDhyndqYHKEtKAGKa7/IE4IKK8R5h7gKePRVX0ib0n1971lwbhS7XsuaAp2KX7m33ezWMIBi3NWQXAp6YWgQuHnH7jcJlSSFxVF5spDX6rBSwhdHMp21gpzzVACj2EV8FVbBR4m3M88aaS5Q283c3fSeRPVUvCxUniEeVVJ6wITAYMP6oKqPPkK8Vqa37nb2PTkRlBoLibzEH2YlX9EpRnlDl/EJv0dScZiy86pgXZhtN5zaoFos6/j/ZjyJHW9ONgOD3qR9/OP5TQkRsbgVYrVJRJQ7eRo2wKd8unUVbYQrL/iAueyA9MyitZbs4Du7WWk/xAT4c05Fv65s0QmOvmt8Q85sZpmfzHICs4/aFhhj2RO5z0Uh56wg+SSL83buFRd4rbVeujHxLLFcbZfMu1L3ovR4rrhfhA51JaiM7X1C8Mdljou7q+NXK3wuw7XhtGxojMH9uoOmC3nA+/mwSK3mGYzjtlTyFZK958AXr/j62BbZqtpGNfa2f/+eest20gY8g60g6/9/xdiuaTyUZ2zB+tJ/poxHrp9Gq+9p4CLVEY21wjQbh8IFj9sxdGT4SbgpxUzpbhtFD2R0JV2ATPTFCcXCai+CrWcKFGRe9gjREihTQe6WXU8jYaQL8LSDHVQ8HvREBszmZTWgDe3mtsF7sNuMqR4zqUsW0i3LVhL+R1dlnSwkuhaux4ZoRV4fC6/tnMVzna4AceScNVpvD9Nk5+jmq7cOdq1l11fRS32bgHRcNmO/i8pbX7XuYLb+zi3feJ3RMH6Dt6TeoggS9HPMdb9YvJgE5vsOTyObRvPPe4axztTxERGMgn3UPAoiOAA3ADQAYwAwADkAOAA0AGMAMgBlADEAZABmADQAZAAAABCAYBoMQQBkAG0AaQBuAAAAIhJEAEMAWABRAE4AQgBOAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAANAA3ADkALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHD3lt5yeAOAAQKKAQUxLjAuMg==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>
Emails

[email protected]<br>Reserve

[email protected]</b></u>

Targets

    • Target

      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

    • Size

      473KB

    • MD5

      f83fb9ce6a83da58b20685c1d7e1e546

    • SHA1

      01c459b549c1c2a68208d38d4ba5e36d29212a4f

    • SHA256

      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684

    • SHA512

      934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396

    • SSDEEP

      12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ

    • Maze

      Ransomware family also known as ChaCha.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks