badrabbit

Resubmissions

03-03-2024 01:34

240303-by6ttsbe94 10

03-03-2024 01:31

240303-bxkj7sbe62 7

Sharing

Copy URL

Twitter E-mail

General

Target

Ransomware.zip
Size

50.0MB
Sample

240303-by6ttsbe94
MD5

5c61c2a1c3ca33e7c95d5c9413b8815b
SHA1

611d0ba1332a7b154aa15797e2b5b3f08ec1d379
SHA256

022728f678d8dcc6cba20147595ed4099e9c98be0582c0f67518d5664e3b8523
SHA512

4aeab026c56c62b4ecc0a636a3efad4664644ba8aa542ea165598a5a756f52b81e5d4f079541483ab12c50dbef4536e18b4b33fb7a451f4c148abdbc4142503a
SSDEEP

1572864:f7b/TEAHWZATpIbBPnysyKkTb+XpcdM8pzOO:nHEEpYBPysyKc+XSdMul

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___30KOM_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/FBD4-9052-76A7-0098-B232 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/FBD4-9052-76A7-0098-B232 2. http://xpcx6erilkjced3j.19kdeh.top/FBD4-9052-76A7-0098-B232 3. http://xpcx6erilkjced3j.1mpsnr.top/FBD4-9052-76A7-0098-B232 4. http://xpcx6erilkjced3j.18ey8e.top/FBD4-9052-76A7-0098-B232 5. http://xpcx6erilkjced3j.17gcun.top/FBD4-9052-76A7-0098-B232 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/FBD4-9052-76A7-0098-B232

http://xpcx6erilkjced3j.1n5mod.top/FBD4-9052-76A7-0098-B232

http://xpcx6erilkjced3j.19kdeh.top/FBD4-9052-76A7-0098-B232

http://xpcx6erilkjced3j.1mpsnr.top/FBD4-9052-76A7-0098-B232

http://xpcx6erilkjced3j.18ey8e.top/FBD4-9052-76A7-0098-B232

http://xpcx6erilkjced3j.17gcun.top/FBD4-9052-76A7-0098-B232

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___KWOBF7XS_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/F629-7692-855E-0098-B536 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/F629-7692-855E-0098-B536 2. http://xpcx6erilkjced3j.19kdeh.top/F629-7692-855E-0098-B536 3. http://xpcx6erilkjced3j.1mpsnr.top/F629-7692-855E-0098-B536 4. http://xpcx6erilkjced3j.18ey8e.top/F629-7692-855E-0098-B536 5. http://xpcx6erilkjced3j.17gcun.top/F629-7692-855E-0098-B536 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/F629-7692-855E-0098-B536

http://xpcx6erilkjced3j.1n5mod.top/F629-7692-855E-0098-B536

http://xpcx6erilkjced3j.19kdeh.top/F629-7692-855E-0098-B536

http://xpcx6erilkjced3j.1mpsnr.top/F629-7692-855E-0098-B536

http://xpcx6erilkjced3j.18ey8e.top/F629-7692-855E-0098-B536

http://xpcx6erilkjced3j.17gcun.top/F629-7692-855E-0098-B536

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail coronavirus@qq.com Write this ID in the title of your message 07A35DEB In case of no answer in 24 hours write us to theese e-mails: coronavirus@qq.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

coronavirus@qq.com

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox fantomd12@yandex.ru or fantom12@techemail.com </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>h24rlga3vA6Ays+5Fa8SXO5zpX2riynFqeUssXin8eW5WEk4tPpQ2G44UuVsIVcnLRrPkxQJuitzwcd7MYDxhRsBgVdQWW7ITc0FbvhId1N1selCUM2BWr/qLBIjHuH6Yx9ix+/mAh3qTHQIuwqaUdpHCbZlQAw/nc8+jYu72n3PbpvJeZhpluQb+Jr2B9MxuMTDNsWhtoNZQj64Fm01grqlmgCDugLStQioJryLgvaAAmzXFihJVFrmc58f2H5GKhc07646HKm7HTLwAY+14VOjLH/fi6HQBjemcw0YQ+EjPrLudq6EFP8j50V94cLI9mJBKfTD3x5KSdVsC3g5lg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

fantomd12@yandex.ru

fantom12@techemail.com

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox fantomd12@yandex.ru or fantom12@techemail.com </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>lL9bqRgyUXfL3u2bSTBtfEZd4wPqv8GvV46al3Lh8+J46ggplrdHYV8uvwm7mH5DtkFk1QqpZMywXyyss10pM8v5i5n/nW//9+OnQKgzftji9x2W0WCFjC3q0vIpW95yfTqtGiPT4Mo7iju6r80qEKbNPCWohBK0yBGwypJKsMsOsz13scxpiRXy/IjfYkDSsIPpRJt2bM1o2Gap029s4ec3APTEGuZUxCOt404rZtdid2U2lAtFXHme01wIzkHjQchaMILcxOrAHwA5fxnDoxXr7ELglGj7EQm0tYzTq+IMDYjN+OwMjlmR3Iru3D33acixeGMK3QeeiuWR2IZ/pw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

fantomd12@yandex.ru

fantom12@techemail.com

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\PJPAKBUCEL-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .PJPAKBUCEL The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/8390a8715ae44151 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAGyeZdDN8M7cYKV3dOaWbz6noqgO2Aff3TvNILWVBmSUlL4ono5aJbSzZSuSV1qPKZCRUVjQ/M+vSX/FlDaBbcMyquPAswtwm+P0JVtIXkEGVtmnL+9Azi4UnDavhAPDbxa5mq1JkCZARvaKjOIRXVJF8B8EBu+doX3u6VTYzg+OM2NIrjXHeGHXDl+G4qnuHuDqU8CLgmMY70FyHKZIdhkSuM+sgG2bIrHHajf0BLsR++r4RV5YCZmAKkqbA5NJ/jZ4AZAd24opG21Sq/RaaIQ3z5mpPiEPVPYCIltLm7zUlqz4h80wyo+ZaNoWG4hemURCuzKrOvHWGdUVk8q0h4ax6W45qkSwwPt68715FiAp4Taar2U7YCovZUthPGfMxHn9eEWbIHqDNYDP0JqXAPD43mGU9zosv7ep6G1BclVyETrv7ieEIy62erVi5hDEkqnYxtrpjxo6QCRcgQIlNnm6vSQxtOzwEQddTe7AhDgzmLLF9ehq+m52ChO5Ofd2MJbCaTpH2TG8kh2X89kJ9hkXdF1kGq76vVX4FoGqzV88ucNbb3xvvM6nFXpRS/2KRw4gElITYjJT2D/LbN3KEQXUeXy5kJLXmuwZX7IamF2Y4Bv/7vvO60OBujOYK6g5hgfdFYQeGK57VZ26jW/rLdrTg3uTo1eafn3jB++Bjh5MtAssesVMlVaXgfnihlFcFYuHnPiCmvx4w9Si+JW6aXxkbVyUaC43gXJVBIbH7mLlyrZAnjndXC8V4rBXLh/cWl9LXklv6qtwmk/weieWkg8FvWBVHS6mowVkMBpCBaRgJ791ONdLbY+c/GFSIWfJK7dljOeIdJIIKgVpmXYdjQQhYeqtIOe3/+gdkE6TCWgc4j33fL2nM2rtL6l2JXFDa++9TO0jTa7VfSKkAE52ZLUqqURNuh9DyyH59uaNkK7yW0wTo8y6ORUQjf4mGS+3lLNPjns8XEywwlalEV6mWbQ6uO2z5ipMjcNQ+o64X2Eq3Fy7UuNdikAqg+QVC7FtbDk2zPU4MalOTwu3Adbh7e8yE7+LhZdUc3uCtUlXgOlGlnldUAvUSGKpfpOPWPNlNBBb/dNh8DsltjDS4XBdxAbUpyYcRS4R6opdWw3nEhzDtd0InPJR1cz4XU4oYhTV2Ti3mKekZyyH0NkbwOE/kB89dYA4RNNZ1npr4Sgn00036HsNShCaQunQvNhIs2J0eEWl7Rx0LNreL3IzUf30BzsTIlg6fe+WOqIWYMgfvieNzv/mEd8ZdcTDr4xbIJMdnS0MOMNobCpnezETeVQ6v8wPewFwIOFj7Kdq6/5rk2D/QprUSe++4XHO6gPtRyftYwxk29EeITL/K+CMsJbVTAarIPJEnXZ02Qahj/P6Eu+oWO+h0q2Q8vv3TBB5MkcVCYA3nng7PLkmawS16vlIZ6SMg06kW+NuQ2QuTm/PgtqOe/3GhDzbGD/VlvK2m07JBJsK26lnURJ30S1A6kqIDnnzJR/yi3PMOn5xxWfnXImeKwiONvIcRx/0wPiZ+O++rqxyPAE84gxAXOBNjsenKuCnMMLzWuPpZnWzhyixtLUhJhN9GaHPWxagiFsanSo+zd57iKM+ylTV5OwBC+OYg9E7L8ul6IHkq4X+0s21se89gnkkufVipFncQwSY2Eof10BPS1ynoXjf7P8GIxlgaHxSl4B7684/Fi2Bh9qI+67vv0XXwGtVvOsGD1Qv/oCWFCq48VTsrXJW+KP7vSoFQsiXtTQeaCdwZ3erDnFHRFefJQQIzyJkGCklv56BYM/mGuvqmntqisBq15H2dcaHlK5z5iiiH+ELaIh72JTlzlSCtFqsi7pUfFbThFCxy9tiUDCdiS9cdJ0vqRqg00AVpW+hPOJhuVad16ma1idM4Ta7YgLdRvXze6cFUGHeJlTRg1Kb7gSanOlR/xC+CEVX8a4t7k3I2Z+063/Box0iozdmR4zyC9t5oTTPHEcjmRP5VaAK/6dQppM4HSuuuTWPU14j3engLuswBwjnhNZXKAJHeZIzHnWs0zUFoUMVpGnP2AileA2rb0qJ0al6MHYHanFLKj9kWnk96wPWeqa9+71f/yrd9G5UIpy/nmLEbxIu62Os0y7mSGsyUEVQ/Spt9VIt3l7hwTbTzol3qclAyRSIhxm9sjJOYC5JTyqCurUM+eJjblJe/8KVHvJ+cYbeRdeMcuVH7f2cDhDVrjuxwQ7rHFPaT2WuoNux+CEYm0Otl5OnF94= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD59NTJLJDAAvaVouDGRWjIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSDiDGtLOJfdBcBixqqcY/R+W3YLGZmdCRiEeBP9zy/fNzLOzjDaO2rwVWxuZ2TzbJpvbdL0N0zPfgSzCzhqApoTPFpp2CPDOx6ihEudzoNVoM6j2VyOmqqBlvZbwDrtsyoi8A1fulXDmY7q14GuxOgTOwQUyhb/ofzNwkLQejqrjTwFji9zPbKPSghI2dWKf+5gkQvDGihIFfEv5EsSM5AN7hzdQVIFj1CUHPyeWMbZ0K1g0/7uRQeyoEinT3CrvrP9dFPEuVIcosLqYb4AnecHqVubCDEZSsSLSNnIyaZEI9b5008FGYczrSlaIGDBHFzoGoqA9wiUaNxMzG ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/8390a8715ae44151

Extracted

Path

C:\$Recycle.Bin\FGXHJOO-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .FGXHJOO The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/70166305e7032a13 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAFhWbk5YSeygmW8n/NEWaPyyDRisx0oXfZ7gauKJtjwjMGND2emK7t8jh+B+vH7AEyEvoZUR4U305/NfDkGBmgLH0lP2MGIJBcSU9aSFTRdvmszzocx9vetYFVwr/0X2mQ47FxvZM9VOqF+jNwdmGG3JrVWnx1m4NgX/lnNTEeARbIei5RDeMEdyeGN2jYVpszvfFQGmIPOdNJqkM7kGd5OsODERnLDlX4IHKG5Zv1Pjy20usONJ4anlRhzU31IC0J3hXzjxXMGVblLcsLRmIEe99qeZElgLKSnmj40StAWlQhzBrJAaRufrl9/MZWKqZo+RFeHLSV93//Cluc+7S5AGjFb0pzpEgpjnR08iyJCZll/lJuI0v0ot22Q5wxBcNCvJ7ay88tltkRpyFMz1jqbw4rIxmVyOfToDkos4RZohyHID7ztX8HIyHq/B2UlNkn7/nGi0CxtyvYnf/D+qsg+eEypS6ayVTejNCgFklfeqva/HQI4bKoHOt8jr1IdYOisxcCrX5ZE1zCYafB+aneiBfl+b/lpTPA3SiqdziW7s+BedVSJuIzewdlHVJ6eBB6jjDXCo2MrxBYG7ckKf3OtyOHrxRwNSETL+m1mOno9S1d9KBW7ZQPPOlIG/adUnjtqczYhaXjAaEJdFhL0ntWbbNTXRVn4Udc0xdn9jbQxfOM2gdNQnHWj0yhD9dW6TqTzaJzKAG5e/KrJLj9En74lH3yLaA/0fWBPhG3kd5K7A1SoEFg0uyy+oY/BVrzsgJ7/kh35NApG5hU04V06SDTdeLrF+jLuvnk50vut93F32MWjeASwzsnWlMM1J0ZkKC80s0aqBNW2/CVYrgkT84MpNGJ8pgVfPclJAEa5Uqs6n9FIp/3+SBN0hXgD7j4eBWN7g9TEdOS+AWmVKv5QUb9OKAUQXtqzwOlV1UkeKjFSq6LQQMRXVKPaPhkGBh57eo8nh4p/uasOJ+30aI4XUMQ73gFA02UsGYgYNrzTQjfIFEaPFCmOHiEmYcsY+nqtzsZJJKwxmp5IBlnZ14RKKLtHqP5dX8DVk50engXu0bB9a29wTMA3D6XtUqr98V84w7O7xKdE/+8Xxg/+CrhPJXzYSxKDqERKm9kVI1jCcfEIN2bj8Qnf6INVB7bOIuP/0BidA6T3kV2YLwJV8r5ZQS+ghwF1IYpSM8pTmEUT07MhxkEzqDtgR5coHOUHbAvraDMe5+f2knyDXUYa6ZXrbW0ODrV9yEb4tfGMWq98yZzj+q1uHP6sgC+Xew9FLCK3YDdf3zeVhA39mxVsc01SW9/VkGYhBxR+RHo9ERLcv/kfUw/8oqZrj8ONNqmODY8yLgJV2PkzJHB/JuGbTH0zznpPRa0Mfx+MtDKM7Xe4WxzbgrYiUcG7PLqu4W/AY1ovfxQu7+GUoGP0wJLLejBIg2RNOba2mBA1inZH+Fr4mFLOKDysCah1KpqozlYTgKBd1ztL7tJe7ea2KSeZDqEBjUgQhFIywUiXoxpop0kjE8TVSKWRZDJrJh7qVcREXZa+aCFIfIRvuiFm9/hCuWd4bFSC8TNHos1OmgaMvl4Z9gYVkvos3AuQ8Z9ddjObfKIlDZI0OIIrpYmCRPbAdg4yW/IEI547xeQ/pkn9QN5Bqtll8zPAbJtriCCaqeuhuJb+A06jZrdZ5bYi73LbDJ7NBUz4bCGm1FKvGL95QGrGRwt4ni1d6n4Q5hFpOe2b6fV02ICklH6Zit/VKingUyQhXG2fGWwMk1luw1TkjcQPonfXxSy/s9hj5b1tauG2Nt7Plv6qIxYjNVlc7cfCVDsNWHLSBYXYp+xnVReDXkT6l4VcW7BnpzQlNiSmKi/A8ybvxanP6A/6oMhZhCULCUFjyx9ceraMwALbjzizhq6HeS83en+4ELHxGp+WijnXFVJZv2c/xoD/D2TxT4TF/7+V5Pc+NNDuBA5q/R1Ut5DB6r6iWKRus7vf4Ig4hse4JBnBL+ONzHpUBvSxW82jLEugMIof/+QpE1A9RtDM4R2io2UJeHCLTlTFUnwdBLxg53AbgQSOC7rHa6jwfQD9Vd/cPZZXOpByDiSjWDYd/5HJMpB5fZHgEMCZgIlS7JID5aOKqDf38n7h9wta/QYymhcieCFlA+1nkKdnFnh4Abjm7r6J2rfBt9+fL8AZ9aivOPZZV5Q6/j0nAKmV99MDOEyH0V9DpbQU755gjFwMT3uDOQcjvIvcIsF15v91DBnHULenGfue+Q3c= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD09NfJLpDJAuuVoeDMRW7IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJetANBiVqqMY4R+O3MbHJmYGRi0eAP9ry/vM0LLXjWqP0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtoypS8G1fulWjmW7q14BOw6gT2wK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/70166305e7032a13

Extracted

Family

metasploit

Version

windows/single_exec

Targets

- Target
  
  Ransomware/$uckyLocker.exe
- Size
  
  414KB
- MD5
  
  c850f942ccf6e45230169cc4bd9eb5c8
- SHA1
  
  51c647e2b150e781bd1910cac4061a2cee1daf89
- SHA256
  
  86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f
- SHA512
  
  2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9
- SSDEEP
  
  6144:Av+lDAAB6fm00rx/Qdd1QkfRLT+vLtls6LEmynPsVpw/pcPk19:RdAAB6Mk1HfRLqzPlLEmynPsVpwBT
Score

8^/10

evasion ransomware
- Disables Task Manager via registry modification
  evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2
- Target
  
  Ransomware/7ev3n.exe
- Size
  
  315KB
- MD5
  
  9f8bc96c96d43ecb69f883388d228754
- SHA1
  
  61ed25a706afa2f6684bb4d64f69c5fb29d20953
- SHA256
  
  7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
- SHA512
  
  550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
- SSDEEP
  
  6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  Ransomware/Annabelle.exe
- Size
  
  15.9MB
- MD5
  
  0f743287c9911b4b1c726c7c7edcaf7d
- SHA1
  
  9760579e73095455fcbaddfe1e7e98a2bb28bfe0
- SHA256
  
  716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
- SHA512
  
  2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
- SSDEEP
  
  393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1
Score

10^/10

evasion persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral5 behavioral6
- Target
  
  Ransomware/BadRabbit.exe
- Size
  
  431KB
- MD5
  
  fbbdc39af1139aebba4da004475e8839
- SHA1
  
  de5c8d858e6e41da715dca1c019df0bfb92d32c0
- SHA256
  
  630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- SHA512
  
  74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
- SSDEEP
  
  12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Score

10^/10

badrabbit mimikatz ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Executes dropped EXE
- Loads dropped DLL
behavioral7 behavioral8
- Target
  
  Ransomware/Birele.exe
- Size
  
  116KB
- MD5
  
  41789c704a0eecfdd0048b4b4193e752
- SHA1
  
  fb1e8385691fa3293b7cbfb9b2656cf09f20e722
- SHA256
  
  b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
- SHA512
  
  76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
- SSDEEP
  
  3072:pYV/aVHN9ySTn34w33FVTyuGAxsvBLSqAKZqoqrxy031l3y:8adNlltyu3Pa5gr33
Score

10^/10

persistence upx
- Modifies WinLogon for persistence
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral9
- Target
  
  Ransomware/Cerber5.exe
- Size
  
  313KB
- MD5
  
  fe1bc60a95b2c2d77cd5d232296a7fa4
- SHA1
  
  c07dfdea8da2da5bad036e7c2f5d37582e1cf684
- SHA256
  
  b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
- SHA512
  
  266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
- SSDEEP
  
  6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN
Score

10^/10

cerber discovery evasion ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blocklisted process makes network request
- Contacts a large (1094) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral10 behavioral11
- Target
  
  Ransomware/CoronaVirus.exe
- Size
  
  1.0MB
- MD5
  
  055d1462f66a350d9886542d4d79bc2b
- SHA1
  
  f1086d2f667d807dbb1aa362a7a809ea119f2565
- SHA256
  
  dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
- SHA512
  
  2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
- SSDEEP
  
  24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (325) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral12 behavioral13
- Target
  
  Ransomware/CryptoLocker.exe
- Size
  
  338KB
- MD5
  
  04fb36199787f2e3e2135611a38321eb
- SHA1
  
  65559245709fe98052eb284577f1fd61c01ad20d
- SHA256
  
  d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
- SHA512
  
  533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
- SSDEEP
  
  6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv
Score

10^/10

cryptolocker persistence ransomware
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral14 behavioral15
- Target
  
  Ransomware/CryptoWall.exe
- Size
  
  132KB
- MD5
  
  919034c8efb9678f96b47a20fa6199f2
- SHA1
  
  747070c74d0400cffeb28fbea17b64297f14cfbd
- SHA256
  
  e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
- SHA512
  
  745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
- SSDEEP
  
  3072:naRQpzd/99wen3XgWorw8I3h8LkMvqCgQfBUnPy8L6kssU:nJdTwo30ri3h8LkMvqCgQfBUPy8L6ksP
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral16 behavioral17
- Target
  
  Ransomware/DeriaLock.exe
- Size
  
  484KB
- MD5
  
  0a7b70efba0aa93d4bc0857b87ac2fcb
- SHA1
  
  01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
- SHA256
  
  4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
- SHA512
  
  2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
- SSDEEP
  
  6144:lqHKx3YCgy8HmmjJpnVhvLqCO3bLinIz1wASx:lqHoyHNj/nVhvLcyII
Score

7^/10
- Drops startup file
behavioral18 behavioral19
- Target
  
  Ransomware/Dharma.exe
- Size
  
  11.5MB
- MD5
  
  928e37519022745490d1af1ce6f336f7
- SHA1
  
  b7840242393013f2c4c136ac7407e332be075702
- SHA256
  
  6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
- SHA512
  
  8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
- SSDEEP
  
  196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W
Score

9^/10

evasion persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral20 behavioral21
- Target
  
  Ransomware/Fantom.exe
- Size
  
  261KB
- MD5
  
  7d80230df68ccba871815d68f016c282
- SHA1
  
  e10874c6108a26ceedfc84f50881824462b5b6b6
- SHA256
  
  f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
- SHA512
  
  64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
- SSDEEP
  
  3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
Score

10^/10

fantom evasion ransomware
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Renames multiple (1698) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral22 behavioral23
- Target
  
  Ransomware/GandCrab.exe
- Size
  
  291KB
- MD5
  
  e6b43b1028b6000009253344632e69c4
- SHA1
  
  e536b70e3ffe309f7ae59918da471d7bf4cadd1c
- SHA256
  
  bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
- SHA512
  
  07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf
- SSDEEP
  
  6144:nSRCSpUtLz+/enihebWBUOP3yIhLVMmi0CtG7go+I:SUOEnNnHbmP3yIE3tGX
Score

10^/10

gandcrab backdoor ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (288) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral24 behavioral25
- Target
  
  Ransomware/GoldenEye/GoldenEye.exe
- Size
  
  254KB
- MD5
  
  e3b7d39be5e821b59636d0fe7c2944cc
- SHA1
  
  00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
- SHA256
  
  389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
- SHA512
  
  8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5
- SSDEEP
  
  3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl:i6nrD0ZMcPBAL7c0fTHs+2sYXg
Score

10^/10

metasploit backdoor bootkit persistence trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral26 behavioral27
- Target
  
  Ransomware/GoldenEye/GoldenEye.js
- Size
  
  365KB
- MD5
  
  c4e9fc349d5c8b24c0ddb1533de2c16b
- SHA1
  
  147e938bd06709b3c20eea4ac461093d573be037
- SHA256
  
  28fd3a1d9087d7b103b7f6cfca002798b6365fe6ebcc66fa02dbb4a9e6378e71
- SHA512
  
  fd0cf6f434e665aabc91f6095394a08483990c12a0b6ad3a1bd820b740af0ddbc02bc0a2592be429c7488b3cd2889afad8f758b4258009dfe51e9faac76842be
- SSDEEP
  
  6144:Jnm5mwYxm+DzkzFIDIWCy49ezGywT7PDSzT3enlJ1BJ0exGqkIb1Taha6e2T6Huv:FnaIEWeqWdnlhJ+eHHu+1Qk3C+MAQ
Score

10^/10

metasploit backdoor bootkit persistence trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral28 behavioral29
- Target
  
  Ransomware/InfinityCrypt.exe
- Size
  
  211KB
- MD5
  
  b805db8f6a84475ef76b795b0d1ed6ae
- SHA1
  
  7711cb4873e58b7adcf2a2b047b090e78d10c75b
- SHA256
  
  f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
- SHA512
  
  62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
- SSDEEP
  
  1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON
Score

10^/10

infinitylock ransomware
- InfinityLock Ransomware
  Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
  ransomware infinitylock
behavioral30 behavioral31
- Target
  
  Ransomware/Krotten.exe
- Size
  
  53KB
- MD5
  
  87ccd6f4ec0e6b706d65550f90b0e3c7
- SHA1
  
  213e6624bff6064c016b9cdc15d5365823c01f5f
- SHA256
  
  e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
- SHA512
  
  a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
- SSDEEP
  
  768:4yKoNLsn4Jp9ZvRInygrpMoZN+WtOl08jxBEHCDwBLpZTPCUvQK:j/sn4/OycxZN+MKxp8t9zQK
Score

8^/10

evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
behavioral32