badrabbit

Sharing

Copy URL

Twitter E-mail

General

Target

ransomwares.zip
Size

41.4MB
Sample

240315-1hdksabg4x
MD5

faef0354ee5f7c458afa16423e9ab04d
SHA1

a30b5673664f797cb40cd287260136e145071b85
SHA256

2eaccf2ffad0c83282b940b5ed1e65f38acacc9e002b48e3bf4f852e1097232a
SHA512

e8f9958c346936da0b1e5a92cc8cf08fbf750029eda3ea341c0ce7e27e452b7ec937a1deb4a147e6694fbcdc60dc2280d30ca709a2d950ed6732482c2337628a
SSDEEP

786432:Ox4aSbJJZiGQkTVugwej6bryq3sdGn/lCKVEKAhiDB9+DZwX1TpIb86PRzOISnxB:OyDCkTb+XpcdMnEAHWZATpIbBPRzOZxB

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$hIPnYTfL4yAd01j./DIPs.Tdwq.QURm2fbUM4pQFInKQ45tak6xW6

Campaign

5891

Decoy

notmissingout.com

employeesurveys.com

delchacay.com.ar

sw1m.ru

sofavietxinh.com

samnewbyjax.com

pawsuppetlovers.com

panelsandwichmadrid.es

frontierweldingllc.com

antenanavi.com

nokesvilledentistry.com

partnertaxi.sk

tomaso.gr

levihotelspa.fi

myhealth.net.au

midmohandyman.com

kirkepartner.dk

zewatchers.com

lapmangfpt.info.vn

purposeadvisorsolutions.com

Attributes

net
false
pid
$2a$10$hIPnYTfL4yAd01j./DIPs.Tdwq.QURm2fbUM4pQFInKQ45tak6xW6
prc
firefox
oracle
visio
xfssvccon
steam
winword
mspub
isqlplussvc
ocssd
ocautoupds
mydesktopqos
outlook
dbeng50
sql
agntsvc
tbirdconfig
encsvc
thebat
synctime
onenote
mydesktopservice
thunderbird
excel
powerpnt
dbsnmp
sqbcoreservice
ocomm
infopath
wordpad
msaccess
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
5891
svc
veeam
vss
backup
sophos
svc$
mepocs
memtas
sql

Extracted

Path

C:\Users\Admin\README.6d7daa23.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox fantomd12@yandex.ru or fantom12@techemail.com </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>WdR7m3kx+e715b5elU5/wv2ER2lBxOuVRkB0abOjjQWcTX8KA0WxGsSi3QodTAanuTn+iwZYHDb/+4jw+54yjRfAn4N8VRJJepdleo+9+KTW2WHh0LOss+P6Rbghf97mDvqs8DUHTmZ9PJM/0C4U8KKUdd56GUVh+kyhWLp6+skBps3A8TTzCnhzgmjUhUhkSSCQmO4zIp9W3AaSAyyxyk0iRkkiG3fgvyTDs55KEI+CjpClDDKMlRXpRozwY+/lxWN84EmZAguw205zOTeflAB/sst4btLCOO5USPt2RsivvON5mfjlee8MYwEZeKhZy2nLSlef08uIcqWAdCFvTA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

fantomd12@yandex.ru

fantom12@techemail.com

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox fantomd12@yandex.ru or fantom12@techemail.com </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>B5ytiqAPYXsKisTdrC5AfxcNvO9EvCaFT1fwEm25wszCVhmm7uMU4WhUMUxvIzAKK8M/MOEh5xFr1kpOUTztcwy2Jpp46U4ibZ+gig96zH5acapNnGUxOsxZEYzkDmxgx2yQz23euTgj1pZMvv+B0krLS+gsfJs3GFLpymSSL1JQtn09vPww72In+JEFklUrEGinFpC4UfLEHgl/1jvsVXS2INUHBeUwV8kULD8caLGJy/M0kf1UhnfxurgLs0JP1qCThQxSJ4qkOK4muTTVlbRhbqiLBl80QBnFjyRX/16xZVa51I8UvvNN4WWgmtxdAQHANXz77C0CrKSUZS8Mlg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

fantomd12@yandex.ru

fantom12@techemail.com

Extracted

Path

F:\$RECYCLE.BIN\HIHGZIRRR-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .HIHGZIRRR The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/11401109ba5b939 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAALIbt7ITjVfULuaWRhOBORexxRgH68mVsC/Sd5yhRvS0T0GnLT4eUS2+L5SItPKPeVVQWvvVw1lvq4XVpwBhm51mO89CWb2mOZGXFroTUviHfkLtO1RLtJQHNsLFUFkEiFeSGCl7+30EzHerscOTM5vVEazj72daajPVABlUdr4jM/oquNAvO4xBTWwimV0y7iw4v/DNj7hUFECqfNqAZMeLa4KhUhSjG6B7mrZgKkpylmASSRzd0Ap99wIPbSWuVXCz2NCt967lbEDelIHAgeNgTZw+D9hG2NRRxUwSzBg/dVcoaBJajS+H7mY2uWlFeJ+Ljufft1k3KZ/p0lrMnphqB2vChnVn2fBdvPrnARXrUdbdiXmnv5ANGEBavGOE94dHw5xKM1o78PbkNS/Z/1JOgiOmCeGeLWGBO38ho546dq3AI6b8W1O3oSVgG6JYygKLuvNCWIC9mxShfmapVSts6tqq64wh4lcM79nLT1wjRLb9C1Xs+U4z5MDtNTgWusN5KiF3vBa0sZfl59DmOiv0Sastw1hSBbthP19FE2IkMdG1sVa3ulCsicWGkxIDeMsemLWgQhiG63iIgPZDpqJ+DRajXWlQguM7gu6sAwM4Q3FPOGFftmHwjMCnZ/IHflgPzgaeb6ClU/HAh5Xv/TWB3Gd9JzzqmpNZ2EY4lfUZxYjRlIH/mF/a/Ns4AKEj7OTRtvDUtkGMR5IV1BjChqYqK2va7OTJMmYqvMGctUX5DoKdO82FPRBH7zGkbMCLyKEdFK9MjhUJzjYo9c3Ypvb6NkOEIoZ4RpzLB6nkNp/1hLkUbeo2ZSWMzERI57K7FIRwnWrufmoPoLVgTChQMN1ozs47n2WitHp2gei6gIforgW97nu/+fFuHZRsSa7c0QhGvHI55/P6269824NgbA7hsqY8dNN5nzSdEIjXGhZa0TLvgLYDJnj5Ytt4h2C5O0ycyxoHKZvhNmeeL38Dqroeer9aX27FhL1l8jAevtw3guvltDzuf2Ak0vEpks6ZJIgcqFV5V+gQe4Lr8Gyqh54scJZlEvKggH3MTb44eTGpVGETUQGLmVXQMaG7tZXReADOUjmheg+KHR+LqfI/pgoyYD9kCW3K/ew2VTbEz2DDB0PxfSVJSrsKv8okfQ50Vs+GaVh69bIAgwAaOj7uXlqtvIcFU95M2unxlnYe+2AV8c9S9oIL24a++6yCHA5csgslsFds9A9axM0puJ1jLvr41c7yiP2oQkSEdY2Ed50r6tPVMFMlluFI3kdT9fp/8RkoiVJYeFDeRPPX4gGOADvTNxq/4zW6SJnmWLu0gFYSDVJB+ltiBgsyAxIiCndd2C/GKKjxxYq17YlNLMCtUgwpyInToP94XqE3EW5XS9pNC4MWzXNDOKyp35q6ZjNem5RuBPjP6VfbfvC8XSqqnUnA/wGacvNHHseBrL/ysv5pHQN+RlT0U+yF/QJo6Cb4pfhGnJhYrj8o2bLuQsDRxHhxjfewdyh7kWy8BpTpnaCTYDIYK8+BXy/fGA64+wwr9t0ZWS+X2SOtOFN6Yzf/y2oWPybDerbpgO8PFdAc7Ps0Wd5GJArkMxIC2XUit4D7IgTteyo2NmJxpgcjEV+i5KWVaAD6Um32MUsqJUPVF1A995XjtikTaU0VAHu6OOuisTdIqpbBGOjz4pYt05ElOw0CIqzk+LjnNdsEVIMvNewM5VDalkm45G5TcCGp3F92Uyv91mIwOFx/q8R0NJTjqViUn58QutX0CRO2wnqDSRIoG6TjQ/jW5EeuChUysT3RA2cFOnvUvzIoKosc+QKFjIrRo8SJyp3Q4y5dWfRP12NBdZq953D3WZgedgk8qpppOVGTPZtFItmMSypBq3ZBWfxiIa1et0pl1ckXhcJMFSx5ILWhUZ7Owkz9OkkP5/F6kJEhoB+BOWnnYo5hN3ftyIxwvUa1cpT/Ao6lqVDi35Bd3HO8DJfE93dkGElMt1bSL+otSS57Cvpv/Sp29STaKFaC3YvFvAWh8fztDwepL68CLHY6hTtx08pqQvjmPQi4F3cKWGN2ezDePl03UmN/y9EU55ex7hB2Vc23nmK4rBMVA6JgF6tkxwntjdKwXB3/a2/g2h3IkPV6MW8fATZDk7SHIgpBbSEfcE/E9n3gRGp1vMGsjaaYdtCyvdPQsaNUcvRvIO1+4GEk7Shc440169WEYjGkJFCUft7SBFa3i5h7aml9SSGM8I3HEWdHGheAB54aXY4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZETpRRuHYY7npWt7fXTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4rFzkUzB4OKl/2c2EesvGolYPVqGBnXtpBHVEdAbtydK4o24b6bsY7hyY4zV2QKiqZRuTRsqAVO9JIcJoJFowNooAhPLnKY+DO5bAL6fi2Epg65rKw3oxAhKwA7xZijpCRFL3vTLNuav1xoZR3QcRiOKBTm51iTgAH9imUrfmSz2QU5nmbImlsyw6XINVYbpeDfrfB0ceMBkP3JNgn9SQ3nC26ZUErrteEilBYhMaJHjHtkOOb+cRbYP/YkqV67u57PNzND9fnZQh4wzqOwRRaJtAP/XbjrWoOIRXo5eMNQ99BNhaVKZ2udgzWmELVozygtVfjv5QmE= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/11401109ba5b939

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\XJUXCGPDEA-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .XJUXCGPDEA The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/86f7bad98bf1c24 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAKo24AM5fkyWDdR+JDjgFUVtl1LBxd+FUSGQ4FFx1PbdQ/+Ux6cs3EGk6UGO0mid/0V7A3zKIlMfER9qptPwRY5KcRA9Yi2CSWah3fnfwfOCaNwCWNdUl7SYru5z0/ldNYmUhsNTYt3qxJFowM+jhDyZQqXCnU+ktAGM6Bhm/Ju3AQe3bwrov8pz+pVKrOuePFai6muio/+eTqAitE+1T76BFwZaNGt/2RrORbF7uRJo0JI5FrJqfkJEQa1ZoTw5l/vnShiqN3nUtie4rOdBL5EjrtkYMNk60wmjTcLVRkPd+SAhv1ccwyvVrrKSxHWGXZe33jYjTQYm4g49f+O4Z0srTgpJA/9v51h6TTUmYCTsU+V4sdG6yziUH/nSCfLzi4ysMsn4dgSoknXDWfTpx40RhBhDdgYrIzDDnur04DYfztZGdnP6aLLMa1xuo4LTymAFsrOalx68BGWscovtYrYALRWw7rJiDlLDAuhGy7jww3iIIue6evF/Cgq/ydZ27wQZ0y+XqEe+mNbJKiAwsl9zZgJqym3/70nkr4qNbRQGkXP7F2+l/HAC2y8LbE2DvplMPAqz7sCCyN0/Kd+Fkz3Lyb3X+DQqHVzBWAzSXFnwY7mmoVapibp6soFnEWrq1fh9cQRz9dwiovVob4efTrMgBkwdjBCuuyjxJkTnqBC0j+YxtAcl4djZHeBPh5i4PMYKuInxd/pzSX5uTrx/gu1PAPoQ8DCIP6y2VoC983kW9r+ZCN+LiR/GikoK3uPJIAOKPyq/G+5UNiCr6UtX+eCgexTDXLNh6AqwHj6tVjadb+UKpMK5NgSMyaEtnna4irMQA2f3bczJE9fI/tccAneuS7xdLR7pvbazAebfny0ZQyQUXwKJrjVCjq+KPjpIR/BJ+hrYw45ucVsWqwjPG5qaAl41qYAtPtOychIkp2a+AEX+qVFjxdiU+YFCbSq0uZE7yURTXtMxDZLbdfltOcyKZ8FSfEPZC2ZYHQ0dXyshr0GAhbQiyyAOZVLOkMK9dEKhEkSYDwn1FRMVwxq/4alAFgXJhBL1FvUnYHIFC1OMXsLatxylVDL0OkEu0mYQ9vElwcSMP8GAt/wew318846E7hv2NXdTsM7tqeHIlHga4BMOKHeD3Vs0xEBNvN0Wole3Vo44QNiDNX8cjfRTHljHRukCfhEVnFDIsLQvpr4CzRoAI8LzQhIu9/vXP6f2pbh46oVJmBlmD0US/Xw8Ur88PUEVaMWBiitc0O96f8xISOb9e3eeNVWzG4+TSFFOJ5liidi15HacB3NiIE0okIByXdP8WkhqJBWZ/8afOrocXYwyRcfeForzyJ+9aPUOpHZ1OZrOa8535A8tziNMcojwbKL4iYj09hmnjy8c1DjK9u+2yRNdJTpPuATU8n6/U+qmRCzUXqHpsQ1fl1EEwgdWZMp763vAn5bdO1RWcjAmSXtqE0hLzBBCooyhP/71RgidJXZIrDZjKC0gDM2aX7jTl7oUu/ujw+f+/A0JNjNrGv9E3Ib0mccufVRlFEwtz5I63eVf6lsa6YUKsoFan1kG/MeW0kqPjHJKvw/EviM8+ykpZ8aIeM93KcJ5AovHmpJKTlAQQWaObCCPJXmNkWks+j70oGsVlmC2TddsRNacnmnM5h2jD4VwPqXrLYiMv+peiWTD16k0OvUnEhzrTulqqiWj20pO4V0O3znXU5NxU+Cz4qUO0u2NgpsRDm+aCawZZmEjk0OCxNfh0t9mPOSZ94HF/RbcBuPZSTPIeeFGoHPvXQXRG/zv7Rrb/O35K/m2byIEIXgXMGrdzX4Y7I/BuPYZXxIdpaeysSxqxinlm9KLlgWd5yySWW4eiBfHPcBqypbr7zVmkVihuqg2k5RMqZyAXJf98nOvKuf6LpGdAUD2dAkNUCH8q5UhyCC6+B9ARNvHiM8CvU3LVwbe1oPFaXb5CB14tWQTzDhVW0llGQby5ASGLsZm2UCF8GxicJGcxGx3X+OqqzKiAMlfvFGnJXvpjoi4wVG7SkzvwqrVeG03S8zwirVcMg4FcqaBJNtybiMjCLR8aCBlA4zP7AXkLRFB1/6hcIcXiMcA+3zxpVieSHZx9p1FDNVNNVu+V0EQhFes0mOgav7h2mzwYKfOn52++M/M5Ho68ZPmb3Xnh+Bg8GEIXI8MkrAXWgXjfIt+t1jaKVu9coasMKTj6MouSXXTMJ6UKnqeC7hWFyeb4YPGvTIK3iupmBYSbSjiqq6YrmM= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZbToZRtnYb7nlWtbfPTGqHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6OKi/zA2Fut0GopYOFqKBi/t/xGAEdgb8icQ4t24Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFqwNcoBxPInKc+DO5cALafi2Eyg61rLg32xAxKww72ZinpCBFM3vDLNeaq1wMZNHQURkmKCjnb1ifgDX9lmT3f7CydQUtnnLIqlsiw73IGVY3pfjf3fBwceMB8P3BNg39XQ3DC2aZBEuHtLEi+BdBMOZH4HpsOeb/YRZoP4YksV8zuv7OczMv9OXYAh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhOVLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/86f7bad98bf1c24

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___E57PK4X3_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/76E3-A444-912F-0098-B410 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/76E3-A444-912F-0098-B410 2. http://xpcx6erilkjced3j.19kdeh.top/76E3-A444-912F-0098-B410 3. http://xpcx6erilkjced3j.1mpsnr.top/76E3-A444-912F-0098-B410 4. http://xpcx6erilkjced3j.18ey8e.top/76E3-A444-912F-0098-B410 5. http://xpcx6erilkjced3j.17gcun.top/76E3-A444-912F-0098-B410 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/76E3-A444-912F-0098-B410

http://xpcx6erilkjced3j.1n5mod.top/76E3-A444-912F-0098-B410

http://xpcx6erilkjced3j.19kdeh.top/76E3-A444-912F-0098-B410

http://xpcx6erilkjced3j.1mpsnr.top/76E3-A444-912F-0098-B410

http://xpcx6erilkjced3j.18ey8e.top/76E3-A444-912F-0098-B410

http://xpcx6erilkjced3j.17gcun.top/76E3-A444-912F-0098-B410

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___7H10_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/1C95-3625-BD4F-0098-B29D Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/1C95-3625-BD4F-0098-B29D 2. http://xpcx6erilkjced3j.19kdeh.top/1C95-3625-BD4F-0098-B29D 3. http://xpcx6erilkjced3j.1mpsnr.top/1C95-3625-BD4F-0098-B29D 4. http://xpcx6erilkjced3j.18ey8e.top/1C95-3625-BD4F-0098-B29D 5. http://xpcx6erilkjced3j.17gcun.top/1C95-3625-BD4F-0098-B29D ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/1C95-3625-BD4F-0098-B29D

http://xpcx6erilkjced3j.1n5mod.top/1C95-3625-BD4F-0098-B29D

http://xpcx6erilkjced3j.19kdeh.top/1C95-3625-BD4F-0098-B29D

http://xpcx6erilkjced3j.1mpsnr.top/1C95-3625-BD4F-0098-B29D

http://xpcx6erilkjced3j.18ey8e.top/1C95-3625-BD4F-0098-B29D

http://xpcx6erilkjced3j.17gcun.top/1C95-3625-BD4F-0098-B29D

Targets

- Target
  
  ransomwares/7ev3n/7ev3n.exe
- Size
  
  315KB
- MD5
  
  9f8bc96c96d43ecb69f883388d228754
- SHA1
  
  61ed25a706afa2f6684bb4d64f69c5fb29d20953
- SHA256
  
  7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
- SHA512
  
  550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
- SSDEEP
  
  6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  ransomwares/Annabelle/Annabelle.exe
- Size
  
  15.9MB
- MD5
  
  0f743287c9911b4b1c726c7c7edcaf7d
- SHA1
  
  9760579e73095455fcbaddfe1e7e98a2bb28bfe0
- SHA256
  
  716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
- SHA512
  
  2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
- SSDEEP
  
  393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1
Score

10^/10

evasion persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral3 behavioral4
- Target
  
  ransomwares/BadRabbit/BadRabbit.exe
- Size
  
  431KB
- MD5
  
  fbbdc39af1139aebba4da004475e8839
- SHA1
  
  de5c8d858e6e41da715dca1c019df0bfb92d32c0
- SHA256
  
  630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- SHA512
  
  74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
- SSDEEP
  
  12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Score

10^/10

badrabbit mimikatz ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Executes dropped EXE
- Loads dropped DLL
behavioral5 behavioral6
- Target
  
  ransomwares/Birele/Birele.exe
- Size
  
  116KB
- MD5
  
  41789c704a0eecfdd0048b4b4193e752
- SHA1
  
  fb1e8385691fa3293b7cbfb9b2656cf09f20e722
- SHA256
  
  b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
- SHA512
  
  76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
- SSDEEP
  
  3072:pYV/aVHN9ySTn34w33FVTyuGAxsvBLSqAKZqoqrxy031l3y:8adNlltyu3Pa5gr33
Score

10^/10

persistence upx
- Modifies WinLogon for persistence
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral7
- Target
  
  ransomwares/Cerber 5/Cerber 5.exe
- Size
  
  313KB
- MD5
  
  fe1bc60a95b2c2d77cd5d232296a7fa4
- SHA1
  
  c07dfdea8da2da5bad036e7c2f5d37582e1cf684
- SHA256
  
  b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
- SHA512
  
  266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
- SSDEEP
  
  6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN
Score

10^/10

cerber discovery evasion ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blocklisted process makes network request
- Contacts a large (1094) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral8 behavioral9
- Target
  
  ransomwares/Darkside/Darkside.exe
- Size
  
  59KB
- MD5
  
  cfcfb68901ffe513e9f0d76b17d02f96
- SHA1
  
  766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
- SHA256
  
  17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
- SHA512
  
  0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
- SSDEEP
  
  768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5
Score

10^/10

darkside ransomware spyware stealer
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Renames multiple (184) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral11
- Target
  
  ransomwares/DeriaLock/DeriaLock.exe
- Size
  
  484KB
- MD5
  
  0a7b70efba0aa93d4bc0857b87ac2fcb
- SHA1
  
  01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
- SHA256
  
  4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
- SHA512
  
  2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
- SSDEEP
  
  6144:lqHKx3YCgy8HmmjJpnVhvLqCO3bLinIz1wASx:lqHoyHNj/nVhvLcyII
Score

7^/10
- Drops startup file
behavioral12 behavioral13
- Target
  
  ransomwares/Fake GoldenEye/FakeGoldenEye.exe
- Size
  
  76KB
- MD5
  
  26758407117c78422332c443ca7ed21d
- SHA1
  
  9ab022e854166f4ec567d2ed4cf15880c13b3d95
- SHA256
  
  2900dcc4246afc601ada049b127c4344fa917acf1689a6a4748ee72f93f503ed
- SHA512
  
  ddbc118d3124508e4a9493b0d55eced154ae41c641f852f49b7f2b72fb9770d5af7ccf913b65e87bd9d66a4e0064d47bebd62e38cc03953c30d48ece13d501ee
- SSDEEP
  
  1536:5GIHamLYZy4hk7CR8yrO1gStZ6PjydhiAphYjy:rRfi88OOKZSjioJjy
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral14 behavioral15
- Target
  
  ransomwares/Fake PetrWrap/FakePetrWrap.exe
- Size
  
  78KB
- MD5
  
  47e704798242cd00dd6c93d6d9f20162
- SHA1
  
  aef55dab9078e6e52699d8b219f6ccd7d0899a32
- SHA256
  
  5080b576bf0a64ed0e11799e102439101b176a3bf44ff774c94357ceab975d46
- SHA512
  
  269e944f1dbe65e488008d3281dc3cf02535ab4ff07179d024bdc70c808787b05943f04b44c37f9c2a54777a8d156e5fbf8cdd375dca8979a9d0ecd4f5d3081f
- SSDEEP
  
  1536:I7gG5fa/K66y31ma36LzZiraU11HhRkxV6Ey1n:c5cF6y30iraU1lhRkqEy1n
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral16 behavioral17
- Target
  
  ransomwares/FakePetya/FakePetya.exe
- Size
  
  55KB
- MD5
  
  c01399c30e8744681251164fae8dca01
- SHA1
  
  46e215f2b1b3ab8b56d5a010b32e0da80b356d2f
- SHA256
  
  4146805a52db2d4fdb1183bb45f0cd4d90cf184cbd0d5ec2cf370e2fa2813cd7
- SHA512
  
  cc9e3e23dbe4ae9a2828c12de0fb0a593c5f7a4cd31ba7cc7457d3b3eee04931542b0dc925adc9960ea1051915dcc349460e262ca8770ba99b4c50e9804c1b08
- SSDEEP
  
  768:ZI3niJqlQTwuJVu8CX729+Nl/ObYxDlj6rJADzA4zt+jsIu8x:S3iJqlQj1K9NDDl2g8jsIfx
Score

3^/10
behavioral18 behavioral19
- Target
  
  ransomwares/Fantom/Fantom.exe
- Size
  
  261KB
- MD5
  
  7d80230df68ccba871815d68f016c282
- SHA1
  
  e10874c6108a26ceedfc84f50881824462b5b6b6
- SHA256
  
  f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
- SHA512
  
  64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
- SSDEEP
  
  3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
Score

10^/10

fantom evasion ransomware
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Renames multiple (1615) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral20 behavioral21
- Target
  
  ransomwares/GandCrab/GandCrab.exe
- Size
  
  424KB
- MD5
  
  95557a29de4b70a25ce62a03472be684
- SHA1
  
  5baabf2869278e60d4c4f236b832bffddd6cf969
- SHA256
  
  49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200
- SHA512
  
  79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103
- SSDEEP
  
  6144:/UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMV:qvmVe9h1qEtkBzw0tQ
Score

10^/10

gandcrab backdoor ransomware
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (261) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral22 behavioral23
- Target
  
  ransomwares/GoldenEye/GoldenEye.exe
- Size
  
  254KB
- MD5
  
  e3b7d39be5e821b59636d0fe7c2944cc
- SHA1
  
  00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
- SHA256
  
  389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
- SHA512
  
  8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5
- SSDEEP
  
  3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl:i6nrD0ZMcPBAL7c0fTHs+2sYXg
Score

10^/10

metasploit backdoor bootkit persistence trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral24 behavioral25
- Target
  
  ransomwares/Huzuni/Huzuni.exe
- Size
  
  65KB
- MD5
  
  e988915eb5706f5eeea7b684eec41a85
- SHA1
  
  05d11b2d393e68af9200fd23eee1ccc0f5850289
- SHA256
  
  06b8827fc8494e0e7b284a8dcb704e38169347fb857e4114813a2b8db206ec2c
- SHA512
  
  2b8a784fb2333c1b2313eb557dd0bc551403ff0ce9be5422241e5274ae2028487f1a4386fb098cb93bcb633cdefedc8bade80501ac919248455d53c974ab3e22
- SSDEEP
  
  1536:rmFEdOkJa9HLSQyzboPGRyfbYPstUKEMzL0HPV1vsHTV1:zwpi/5yFuKEM30HP7vsHT7
Score

10^/10

evasion persistence ransomware spyware stealer
- Modifies WinLogon for persistence
  persistence
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral26 behavioral27
- Target
  
  ransomwares/InfinityCrypt/InfinityCrypt.exe
- Size
  
  211KB
- MD5
  
  b805db8f6a84475ef76b795b0d1ed6ae
- SHA1
  
  7711cb4873e58b7adcf2a2b047b090e78d10c75b
- SHA256
  
  f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
- SHA512
  
  62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
- SSDEEP
  
  1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON
Score

10^/10

infinitylock ransomware
- InfinityLock Ransomware
  Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
  ransomware infinitylock
behavioral28 behavioral29
- Target
  
  ransomwares/JanusPetya/JanusPetya.exe
- Size
  
  22KB
- MD5
  
  d99988fafeda4bf3b6c509cf3e955b44
- SHA1
  
  dc32834e410febfb32cba8e2e036e214a04b0172
- SHA256
  
  68e126f148ef6f94e73222d8703d719d03558f1330711705b08b654eb95ca794
- SHA512
  
  fd4bbd33491fcf48b10e78465b5094c87c9a8792df02a6b89dd9acfe2166c7d6dd235065b161919280dd988c7e297b0a93217c63623cf2ffba101170f052c983
- SSDEEP
  
  384:cjrKzK7DGRmhXM1YfjwTJ3b/Vj8CzpDMl+MpK/ckbyy7d+3GM3JcT/r:2eISRm3bwTZB8yJlMuxbyy7d+3R5cLr
Score

7^/10

bootkit persistence upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral30 behavioral31
- Target
  
  ransomwares/Krotten/Krotten.exe
- Size
  
  53KB
- MD5
  
  87ccd6f4ec0e6b706d65550f90b0e3c7
- SHA1
  
  213e6624bff6064c016b9cdc15d5365823c01f5f
- SHA256
  
  e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
- SHA512
  
  a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
- SSDEEP
  
  768:4yKoNLsn4Jp9ZvRInygrpMoZN+WtOl08jxBEHCDwBLpZTPCUvQK:j/sn4/OycxZN+MKxp8t9zQK
Score

8^/10

evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
behavioral32