Resubmissions
22-02-2024 11:51
240222-n1a66agf8t 1015-01-2024 10:30
240115-mjzmrafbc2 1015-01-2024 10:22
240115-meastseabm 1026-12-2023 04:42
231226-fb3acafcdq 10Analysis
-
max time kernel
164s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22-02-2024 11:51
Static task
static1
Behavioral task
behavioral1
Sample
21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
Resource
win10v2004-20240221-en
General
-
Target
21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe
-
Size
4.0MB
-
MD5
390b8c1bf2838bff01edcf34f9420990
-
SHA1
8a28ec5aeaf8e96b0d72115b589bc38eb153b3b1
-
SHA256
21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010
-
SHA512
3838a35dade4f16f07f7f5e384c868038b1abd5b03589563df6f6dbf63a1b33e270f81f97daea1231d4f1139fd44ddc6788b90ab558ebd3ca1c14df843b320a2
-
SSDEEP
98304:OytVc8V5odJBN4SIQLp468SI/JTpjaYDQ7toz/ngwa:OCO8EJBN4SJLp4b7VWYDQ7toz/Za
Malware Config
Extracted
agenda
-
company_id
Y4aYnqmoKD
-
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: Y4aYnqmoKD Domain: mc3lcg4lqmwcrk34geaqokyjyhvjeh2alsiklpgnaqe25466isopv3id.onion login: R5ZHFB-RiA_94UGXxYDObv6Xriy7JCxb password:
Signatures
-
Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
Processes
-
C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe"C:\Users\Admin\AppData\Local\Temp\21ab6e4cfe7a17c6fca334c920cd73dbbfac79ce881403b540c8001ae1aae010.exe"1⤵PID:2716
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2992
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:364