wannacry

Sharing

Copy URL

Twitter E-mail

General

Target

ZC-AIO.rar
Size

16.9MB
Sample

240311-shz5sadg8s
MD5

3facc1deb6e62481a0ceb4bffe07a906
SHA1

1cd5674d5ebcf54bbb48aa4153eaa2e371731616
SHA256

e6015567f25c32599b2c0cad7e3f1213ea6df23fcd04dd3876a18e33651d8a93
SHA512

6e3b459bd1541760af4adc25006c4d24b0eaf65f2c31ddfafb85718ed4b2193022c6078500de2bb126bc4ccc9bea0926bdf77b063f90820db160ef3e3a3190e6
SSDEEP

393216:GBJpAgVxiwQaFSxIM/d5OJLUdnXvpPRqGLNuwpLPwGQaA:iDAgd8xPF5R5Bpr18pV

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Path

C:\Users\Admin\Downloads\r.wnry

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send %s to this bitcoin address: %s Next, please find an application file named "%s". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.

Targets

- Target
  
  ZC-AIO/anycaptcha-python-main/anycaptcha/__init__.py
- Size
  
  660B
- MD5
  
  1c63900b53a5c8f84ed65311e3eff35e
- SHA1
  
  2ad70997b8db067f53401c6533d6d24e1bc763d4
- SHA256
  
  415730615d50d0cdc314d0b56ea5cee2be8004b6f6856e12a591c629c2ce5415
- SHA512
  
  e16d931a23e37a9c01eda7e8cb4a5ae07ad492ec39946a2184a67c0ca9e6172d34fa1eb042b00dc953df32ff5479d44d0c8ab26210b1422f3592a4d9857e5d97
Score

3^/10
behavioral1 behavioral2
- Target
  
  ZC-AIO/anycaptcha-python-main/anycaptcha/base.py
- Size
  
  7KB
- MD5
  
  2289724b20fea57866e7077769b37567
- SHA1
  
  039881c8eb47b0550c3129ef27f478441849c009
- SHA256
  
  2f8cae5d7c1cb8774c101c93f3e960c1d81ffdc4c4154af7a5df5b95ba239e53
- SHA512
  
  c4a098a1c0eedf676a56de529584a2c38f32550b5524e2f6f4847191bbcf406c7a8ab20dbd8e895018d8821eebb3dbb2fe267f48cf232559d24702e54c11a156
- SSDEEP
  
  192:XT40Dayut3jj1l1lIWMbSqQEd9MMo3SFttFpkryJ:bDatvl49QEgItSG
Score

10^/10

wannacry bootkit discovery persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral3 behavioral4
- Target
  
  ZC-AIO/anycaptcha-python-main/anycaptcha/compat.py
- Size
  
  278B
- MD5
  
  5c97708c4dc15943eff639b19e87b2ee
- SHA1
  
  10aa100c8c02abd4de745977e142da3fac30a7d3
- SHA256
  
  eea7e96fd695e28ce2acc4b379f71e2948ceabfceecd0c4e1b25260d3710e074
- SHA512
  
  085ad3ecbee5d61a0fca9ce5c300fc3196539a7d47e61cde4b46c4c4bcb3c23a10f2abc783cffa4c4a8157f315f88667e9fbda5f720eb7e9e5a717754b2e809d
Score

3^/10
behavioral5 behavioral6
- Target
  
  ZC-AIO/anycaptcha-python-main/anycaptcha/exceptions.py
- Size
  
  1013B
- MD5
  
  eb468da2c92664555f160f82ebca2ddc
- SHA1
  
  539bf7d6dd232af1a2b40dddb13449ea4008e35d
- SHA256
  
  232fe0bded9d11aeb9475f367833a8ccd89a0c683df21ee9cb8a0628c3b2df08
- SHA512
  
  d16698743bf106859ec98494cf489935828b56b3a9bcb75915b47fef38948c9b9e514bb5fbdb6a149177bbacae43584c190c0a305a31f67f83b6444e7422f351
Score

3^/10
behavioral7 behavioral8
- Target
  
  ZC-AIO/anycaptcha-python-main/anycaptcha/fields.py
- Size
  
  5KB
- MD5
  
  5f14bbfc3204edc040551cac2490f447
- SHA1
  
  cc5a8eaee041774e180966f9e24630baae56085e
- SHA256
  
  0d8d399fda7bbeb8567eb6b01b20f6b442cb2921be5f49da7b1bc449052aa5d1
- SHA512
  
  9473faa03f0a2607fd9cf1729cedefa5102db17993c292e4d6cc8b41d82147d2a7e1c533c7d86d3799ff53076175308863180c383742b8d3c6d8732b7282f6d0
- SSDEEP
  
  96:Bx8IqPMFjQ42oHd7YfbuKhOqNz9RAXDjt+wMZQjxTqhdNanDqEPUS:wt+DDX
Score

3^/10
behavioral10 behavioral9
- Target
  
  ZC-AIO/anycaptcha-python-main/anycaptcha/tasks.py
- Size
  
  9KB
- MD5
  
  116d16e8362ee2136b4abb883d1fe61f
- SHA1
  
  f949c313f261c4568acf9bb82dad1edda81c9be3
- SHA256
  
  ca3dedeb3e577c0177a5dceaa88f286b3417c5ec014131b04d108719bf7b71f8
- SHA512
  
  bc154a6fe258d2738a83d48d4d603807926dfb010d0f05b68bba89451201f3466a7ca5490649f5683c91802267527dea0ef50f3cf47a8226accb447f536cb7b3
- SSDEEP
  
  96:+//P56AjsLADSXb6AjRjUhb787d3LhDiWBfT9AnW66WCB6m8TTud5t:w/RabXb3jUV787d35n9IkW7nud5t
Score

3^/10
behavioral11 behavioral12
- Target
  
  ZC-AIO/anycaptcha-python-main/demo.py
- Size
  
  5KB
- MD5
  
  dbcbd818db5b5da3d7949cd447a4ab21
- SHA1
  
  884865106096dad51d8163344e3cdebba403349d
- SHA256
  
  bb3ccacf7fbab9c705f752d97f2f86bb24977227eef491a798fd6d884b2a5082
- SHA512
  
  fa3a0c5b6b012ff9bcb522ac209a158b5322ce045a46df35637d0eac2e7e134fac41176ee8968ee9e395e126174c641fdaa2b99cc2c6e0e8bb6f12a835eaed47
- SSDEEP
  
  96:CfGiRbZaPfvEOA2vf6HvKfPHIjnAPf3bzfRTNLfxPNf8Bz:gVb4PXEAvSyXiavbzJTNL9NE1
Score

3^/10
behavioral13 behavioral14
- Target
  
  ZC-AIO/anycaptcha-python-main/setup.py
- Size
  
  150B
- MD5
  
  a1021857a071add28fe50a8dfbb6bcb1
- SHA1
  
  e98eb72dbadd15fa604603a39f81b12076aea46c
- SHA256
  
  5c43653e6a69b5d8fa75b3d40dc8cda716b04bc924af53fd9d1195fbc26d5c67
- SHA512
  
  5af112bb172071382e146e7bfabdc1cb254f7345c1e11ff823d8727ced87b49f8525e1dec99bad8ca72385ad075d3ec2a4534bc4d4c5d771141190eaee1460ce
Score

3^/10
behavioral15 behavioral16
- Target
  
  ZC-AIO/anycaptcha-python-main/varssearch.exe
- Size
  
  16.9MB
- MD5
  
  27362a0ed07e0d15642917fefd9a2362
- SHA1
  
  eaa7630db627f05166d5a0292e9f6186b7bf73e9
- SHA256
  
  cd74c4a814adb9ca377483d0f61b8eb183e7c2364bd91fe418cb2b3dedca76d1
- SHA512
  
  a37275dedf2da42550d138bc7d26fee2cfbbc0137ecdbb91262f2d9f2fc6e8636507bc20d3cc4a921ee36012b559074a74be60101908920eb48b187411029524
- SSDEEP
  
  393216:hEkZgf8FgP8AxYDX1+TtIiFGuvB5IjWqn6eclz13ypX8WjD+da:hRbFbX71QtIZS3ILn6ecfyCeD+da
Score

7^/10

spyware stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral17 behavioral18
- Target
  
  ZC-AIO/install.bat
- Size
  
  91B
- MD5
  
  ae699746f445cdcb399b5962d1a85d4d
- SHA1
  
  6a84334656df64b6dd3207ef6ccadd1c7914c869
- SHA256
  
  56f4f57a1ebe01e57df3973c03764ae0f7182596115c2cba631d709226e73a05
- SHA512
  
  8654b3ec9724372185a669ab7c19e179403ebe8ceea378909c7542609f1970b7c6ecb833eaef1372585af917c9b8c994201aeba140522546ed89caaf0fcdc657
Score

1^/10
behavioral19 behavioral20
- Target
  
  ZC-AIO/modules/__pycache__/config.cpython-312.pyc
- Size
  
  6KB
- MD5
  
  04c3b054ba72c8a5b1dcb7f208f7bea0
- SHA1
  
  c94b10d2fab7cd41edca4688bfcfc14aae5f184d
- SHA256
  
  458154e623dd2a234ec190a790ecd36c4d23ae69e09b7e33fd9501f1b626a2c2
- SHA512
  
  0ca97c95d325d1e59655aa90ebbbbce02de56f4cb52be40432e46edf309d84a9b904e3c18ec38d95d07c4d88e1468c66db3f4b43f0ed78eb95eb9a6eb06dc089
- SSDEEP
  
  192:ghIa21Efgvf1NKQao4tHq+sbjcbREQvqyWMTd:pamagYhHq9j2h
Score

3^/10
behavioral21 behavioral22
- Target
  
  ZC-AIO/modules/__pycache__/functions.cpython-312.pyc
- Size
  
  28KB
- MD5
  
  9aa1d15d2cee1acaf9aaec8076754982
- SHA1
  
  f012ca8598620ffcb94c6ccadef8177d135e3014
- SHA256
  
  d2b973d697ed7c295dba22bc2db9728224321934afde74aaadcd0578763a2858
- SHA512
  
  5bc1f08b13af5a2eba2194d993c6d2c6a41dcd996577cd4e67b30968e4e6bf2537f3b41beb6f42f0cf4c5bbb79c25d20d4cedb86ce4b5caa1c6ea5cc6805dcb3
- SSDEEP
  
  384:M6dCCZHDHy1S2FqWdrhJrBipPW3lYI6HgMpL7fjXTwL8tmVRVAyIz:7zH7y1S2Xp3BiQVYI6HgMZbTwgti1Iz
Score

3^/10
behavioral23 behavioral24
- Target
  
  ZC-AIO/modules/__pycache__/start.cpython-312.pyc
- Size
  
  9KB
- MD5
  
  dff60e11150b7e57a1fe15bbf40c5667
- SHA1
  
  bb9b2757ab1a2e14dcb5ecb36293adf7f1b0bd8e
- SHA256
  
  65eb0787fe15e8f707730d067cd2dfd1ceedede4d50c383ec1ca9d7f928034e5
- SHA512
  
  d3fc203fc306f734c1e4ca777f4b1f6c4350d4b64bfc8d91a3d5700f8ed8cacb05ea41b78b6b17bde7b4525066297971c7b1cabcf759c7b51ecbda4f223ffd1e
- SSDEEP
  
  192:Xdm6W7UpUfS+rxVJ/IqYv3rrwx6lsNH+Qtw1i+zyhkltnohHa96:xIUpUfS+rxVJ/IqYv3rrvYgi+mA2Za96
Score

3^/10
behavioral25 behavioral26
- Target
  
  ZC-AIO/modules/__pycache__/updater.cpython-312.pyc
- Size
  
  706B
- MD5
  
  8d9aba99c0e55f9389148209ec7aa35b
- SHA1
  
  8c8eca94ae09dab89f3d93f01301b755cb1307c4
- SHA256
  
  83af4a716b6230aa8fbf49b0ec95d18623d0f2750a07d1c310e42ca10b195896
- SHA512
  
  27f71ff2482c7a81da5a98454496052cfa11056f885082928b16b2102584aded06d7b07ec12c655e0b061fd741001f287d19d4809ba1b90dec620dcfd716f4fb
Score

3^/10
behavioral27 behavioral28
- Target
  
  ZC-AIO/modules/__pycache__/variables.cpython-312.pyc
- Size
  
  1KB
- MD5
  
  68de46d897b40483bbdcd584216014d4
- SHA1
  
  0f7e592412220909277f5014e1219c0220cc621a
- SHA256
  
  c318eec2b6bb3a04626b1e729e954c97cb646ece5d06258719a516932ad74b6f
- SHA512
  
  27e48336afd85c70410dd120595bc73e9d3356e6acdb8b8aaaaa9bd11a44a792a7db1b55ad47793ae73e62e511c97aa4fa524560a58032b4745bd2932524c997
Score

3^/10
behavioral29 behavioral30
- Target
  
  ZC-AIO/modules/checkers/__pycache__/bonk_io.cpython-312.pyc
- Size
  
  3KB
- MD5
  
  83180c2d14797481b5c1f5b591f14013
- SHA1
  
  66dc41f6ff728d5ba3ce2f59c6b103e1818c0a32
- SHA256
  
  70be6555be5dc07a106c9262fbb09f7d907436362e2106d21cd6bcd851f15c94
- SHA512
  
  43d32be98dbc5d0c81780766d83243bb2f729fa2e0107035739eedc4e8ce8d2e9c68088a1f25334304fdba1700f60b9282f53831793a1f1bea15661129f556be
Score

3^/10
behavioral31 behavioral32