General

  • Target

    ransomwares.zip

  • Size

    41.4MB

  • Sample

    240315-1kxrfabg9t

  • MD5

    faef0354ee5f7c458afa16423e9ab04d

  • SHA1

    a30b5673664f797cb40cd287260136e145071b85

  • SHA256

    2eaccf2ffad0c83282b940b5ed1e65f38acacc9e002b48e3bf4f852e1097232a

  • SHA512

    e8f9958c346936da0b1e5a92cc8cf08fbf750029eda3ea341c0ce7e27e452b7ec937a1deb4a147e6694fbcdc60dc2280d30ca709a2d950ed6732482c2337628a

  • SSDEEP

    786432:Ox4aSbJJZiGQkTVugwej6bryq3sdGn/lCKVEKAhiDB9+DZwX1TpIb86PRzOISnxB:OyDCkTb+XpcdMnEAHWZATpIbBPRzOZxB

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$hIPnYTfL4yAd01j./DIPs.Tdwq.QURm2fbUM4pQFInKQ45tak6xW6

Campaign

5891

Decoy

notmissingout.com

employeesurveys.com

delchacay.com.ar

sw1m.ru

sofavietxinh.com

samnewbyjax.com

pawsuppetlovers.com

panelsandwichmadrid.es

frontierweldingllc.com

antenanavi.com

nokesvilledentistry.com

partnertaxi.sk

tomaso.gr

levihotelspa.fi

myhealth.net.au

midmohandyman.com

kirkepartner.dk

zewatchers.com

lapmangfpt.info.vn

purposeadvisorsolutions.com

Attributes
  • net

    false

  • pid

    $2a$10$hIPnYTfL4yAd01j./DIPs.Tdwq.QURm2fbUM4pQFInKQ45tak6xW6

  • prc

    firefox

    oracle

    visio

    xfssvccon

    steam

    winword

    mspub

    isqlplussvc

    ocssd

    ocautoupds

    mydesktopqos

    outlook

    dbeng50

    sql

    agntsvc

    tbirdconfig

    encsvc

    thebat

    synctime

    onenote

    mydesktopservice

    thunderbird

    excel

    powerpnt

    dbsnmp

    sqbcoreservice

    ocomm

    infopath

    wordpad

    msaccess

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    5891

  • svc

    veeam

    vss

    backup

    sophos

    svc$

    mepocs

    memtas

    sql
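The `prc` and `svc` attributes above are the process and service kill lists the sample carries so that backup, database and security software is stopped before encryption starts. As an added example (not part of this report, and not the sandbox's own logic), the Python below turns the extracted `svc` list into a burst detection over Windows System log records: Event ID 7036 service-stop notifications are matched case-insensitively as substrings against the kill-list tokens, and an alert fires when three or more distinct matching services stop within 60 seconds. The log records are constructed; their `timestamp|event_id|service_name|display_name` layout, the substring matching, the window and the threshold are assumptions for the example. The report does not state how the sample itself matches names, and the `svc$` token is kept literally.

```python
"""Burst detection for the Sodinokibi 'svc' kill list.

Added example, not part of the sandbox report. Ingests constructed Windows
System log records (Event ID 7036, 'entered the stopped state') and alerts
when several services matching the extracted kill list stop within a short
window. Record layout, matching rule, window and threshold are assumptions.
"""
from collections import deque
from datetime import datetime, timedelta

# Kill list exactly as extracted from the sample's 'svc' attribute. Tokens
# are compared case-insensitively as substrings; 'svc$' keeps its literal '$'.
SVC_KILL_LIST = ["veeam", "vss", "backup", "sophos", "svc$", "mepocs", "memtas", "sql"]

WINDOW = timedelta(seconds=60)   # assumption: how close the stops must be
THRESHOLD = 3                    # assumption: distinct listed services per window

# Constructed records: timestamp|event_id|service_name|display_name
SAMPLE_LOG = """\
2024-03-15T10:00:01|7036|Spooler|Print Spooler
2024-03-15T10:02:10|7036|VeeamBackupSvc|Veeam Backup Service
2024-03-15T10:02:11|7036|VSS|Volume Shadow Copy
2024-03-15T10:02:12|7036|MSSQLSERVER|SQL Server (MSSQLSERVER)
2024-03-15T10:02:12|7036|SAVService|Sophos Anti-Virus
2024-03-15T10:02:13|7036|SDRSVC|Windows Backup
2024-03-15T10:30:00|7036|MemtasSvc|memtas
"""


def kill_list_match(name):
    """Return the first kill-list token contained in `name`, or None."""
    lowered = name.lower()
    for token in SVC_KILL_LIST:
        if token in lowered:
            return token
    return None


def parse_record(line):
    ts, event_id, short_name, display_name = line.split("|", 3)
    return datetime.fromisoformat(ts), int(event_id), short_name, display_name


def detect_service_kill_burst(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per burst of kill-list service stops."""
    recent = deque()   # (timestamp, short_name) of matching stops inside `window`
    alerts = []
    burst = None       # alert currently being extended, if any
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event_id, short_name, display_name = parse_record(raw)
        if event_id != 7036:
            continue
        if kill_list_match(short_name) is None and kill_list_match(display_name) is None:
            continue
        recent.append((ts, short_name))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        names = {s for _, s in recent}
        if len(names) >= threshold:
            if burst is None:
                burst = {"first_seen": recent[0][0], "last_seen": ts, "services": set()}
                alerts.append(burst)
            burst["last_seen"] = ts
            burst["services"].update(names)
        else:
            burst = None   # window drained below threshold: the next burst is a new alert
    return [dict(a, services=sorted(a["services"])) for a in alerts]


if __name__ == "__main__":
    for alert in detect_service_kill_burst(SAMPLE_LOG):
        print(f"{alert['first_seen']} .. {alert['last_seen']}: {', '.join(alert['services'])}")
```

Matching on both the short and the display name matters: `SAVService` carries no kill-list token, but its display name `Sophos Anti-Virus` does, and `SDRSVC` is only caught through `Windows Backup`. A single stop of `MemtasSvc` half an hour later stays below the threshold and produces no alert.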

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox fantomd12@yandex.ru or fantom12@techemail.com </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>UkGx+ymdE0lTgNARg2Q2adpLYcpSk6frnw2tf5k5JYeIQHVI4Wt+6cESXq65whJHQ5sELusGC+6hEC1PewRuM/oHz+i2x9y6IbQ3ppvW4sqxKlBGT9DUpOykbhNO2H63sraufMH9bzOhL08LmPBRhMik/DSrt5AJ0KCpY3zqpJCYhf12daOAV7lo54yqr89enyJomZcuTCwvILugb4+ni1hKsxxX8qLvBdxKvIJ6sQ8v2VDqXsWCZYD7kO9WAh4mjvWAj6W4G+annh8CjKhZZcXovCtDK6QGA1/ukOyAFps12GuAOKVjvVJwG+ZocC7afzgcdv2pQrNx0GRX0VeaEw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>
Emails

fantomd12@yandex.ru

fantom12@techemail.com

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox fantomd12@yandex.ru or fantom12@techemail.com </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>KhI8FoWWoP4BalLuSCLZHINfRZEsjn9ulXl4JYEELILlONueye2htXSfzMsovIUDVOIHM5cdQf9GKkhO+TDPrKqG2fW49DniNng3w2H4tLS3t5E57XCVyD7LN6S/06CoECpYaxjedytrLFgAzzbbEDh0SyRZwY2GjtHRyXg6OuAITDn8j5brj+7IdR2DBJOvfTsDBPhH2YkC7Mbyp9JX5nU5kAM8PXg6p1PhT3NgMGi8vwapoxJNYmmq5qzH2bQtEudcFT62708wSGQqYM6NEO4QkqnBAenEURq+p0RO32PvJArt7ekFJyhv1laqr498oY1T4PNMXMZJ2xbng0MxXA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>
Emails

fantomd12@yandex.ru

fantom12@techemail.com

Extracted

Path

F:\$RECYCLE.BIN\HJTDTAUU-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .HJTDTAUU The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/d6d9280033ea2bf6 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! 
IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAAAL+P0BnLiE9HVPpx21ck5CvJQu5vM+cwqzvsJ9tCS8EXTyZcTrVJjJTwScgaSJnSXpRqMwSQTxG5EOO5nVU7ETkbQqQZw/c4WWql4zO/FGHPyvHU0pNw+SUchj/yJ9s/5oe3RrjE9nxQZHrLx4A8jPZhf+8YUz56GcLsX7x+YQ/rUgESXxgSuLh6Tng6/Y3u7v8m0PNYaj6hErCBu9u1uoqrrwyT444OQUo36XDq0RJ3ehbLDHzdYvhJx+NHzmJIsnURHBeLx7BdxuHtQhwZ8YYT4ALOxs0tXjXYwifXRv3Lp+N8byoc6LsXwAsmN6dLireqRbKeEjND9Zpp67iau6CVl8J+5yr11NZsAOUdL/t4gpJVzt0Kxs0SIZ+LIO4I2XLLMkYmaf+Ah6E/HWOIfWTZof621+mbz9uiXxQzR/lMlKSBMmtVtCG02UNKV9DkdOjNA0BjkzNnOVFMiyNXTMKYAiAy28pCLIrzVKFpkVZjFK09F18E0fyOuV336Wr3gD6v5mPDlVFcJhdaYnRrFX69Fs9RQ+LvtLNvC/S/abisS++1G5Oc2TNHR+dIFIMELnXGljiFS3eZOsJjI12v/NjWuvN/5cI7jPp12CS4fsWhLR5ptkCTtFWqfWK9zFWGvHNLaUZtl4NJ6vWozXaduV2sGkydkvuztPVJRTn62vaeezsoeZ0Xey83DaqcSTzzg1uq9IiAKLj+ejFqu0Uu4HboWwf9BlQQc9GwFks0qHsWpuL1KCDWHMrck+9mPPPgse5tsBkjBY1mGhcacZ3yv8pKqocIsadQ4OuYGHQi2ycPt8/1P2aHEEG8Bke13tGyEEooSr6ZsV23mZwv5xnrcLaBCpDE6vPowS5zBL6H/e5MnBwNqH5YhRqcVrsdkeAU7iSmX42xpLAPikqqLmMphpa9pPzT9q8zo/eIpGWwQFITmYvQeYkEl9uTeNXeZlFSu+4GT7EXEEfZA3hMsk5n35Gu5b2E7vR6Bf42UsmYUxJbiSzn6okQkMX0FZnU76BbbNjBLNaIob4Ac/cp7o+lHVA91n9hTAyC+PVWog67nlhj5ukB8RjTE/cqeKw0+QkJvbPoURBCYzxGxr9S1YDFUOX6viXj7ZJsVvLz4zpnScWpOuPp3kUW2PIkcFo5CvF12zy/YbUw7imXjX3ORehQUpYWgAg0DxFJBkPZZc4jhRtGd6ZuaLFs6FTJPQJlyEXtgqIGPslbP7av8PUblKr9QZINLbMps7/xSGKTyDYLum4LF5oQfLptRQPml6NJGVIXRmxqkotYoHWbOwZymfWA3BJqfzeFa7pLhLoBPF68AGRwjbsGc7JrfdPWr7MW8tjnohjXHO4lXQ7//bSemGtKZkpV+jab67kU0616mGQ29Vu29+p7X0vOiBvhDEV0tEgfi5q2rqV8Mqy7errBJoVWwbh61mGvrpo5f31hcughCUFf8aeGcq6Epd3ZwsjrBE4a/0mzpyujLw8/aafVLTZoLIwtO9gWRxQ3GC2DmH7Y95AoM2CWulgUZ0dQabH7BfUour/kWwgNMu0mG/w02yXX9EEJg2xJfuyXnDMHdOX+nh1Dj0lp2h+bGWZpaOBepu5sHWYbP2JIkdKiRohCvP+dZdYkg2knyKjRvEBmLFb19SI3povoRswSR7PSa7FKh+qlhPc2FFGzp4u1SszrMrjATl1m9DAz830xc/u5kOxcU0djS07PSJ3/vThEJyI8YHldkTrzvO3+Ct0PFa9DZ/uqjAAZI6Z1N2avaeOo9aUJ+zlzYayZknXZRoqaTKZBqRJGpBWrK+OGhhqdQvkWCZWBDFmk3SKU4thZmIJ7OcKfEJVWe8M8tojVjGouboosQyuaS57/+CoTbYcIK+ip5m/Yu
8vQaJ1pDgkbDEUfWH0MIY8TEhXoZlSXEU8VMcQVhPEOAH21Fyg4ALUy4bL/sS4wBlu0VJJaxegVkhDlcJqkhKZK7Lax5dv0nOWqaC+fs2DsLUFGgFhQwO4QAO4O68Pc0zMtmRJ7etOXrbGE82Oa2elpjep/kXZBV7yAIUU+ku5ySL697Jq1c0gwm0krHwLNON+d7/toPgYHjehpo+8LHa4IBCvCQelExAWeSoQ1nvULAFqxGsl+/1tWePrVl9B4kjIJjjUcL56YOgk0JgV7gZJUSzYDJwnuUPPbFZvuK9ypS5vYptbAxKW3Xs5jWWzafvbRMuubMDkKVrAepTKelJVJBNQ2Y3qgt1PWJ+6zvR2d7YI6Y= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZGTpBRqnYO7mJWsbfHTGSHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bit7F0kRzB6eKm/242EesmGthYb1rWBnbtrxGEEY8bpycE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg73ZivpDxFM3vbLMOar1wYZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJHwHowOP7+LRYsPy4knV/fu67PJzMP9LnZDh5szqewLRaRtAf+EbjLWu+IPXpBeLdQo9FRha1KO2vpgy2mFLQkzlAtXfjb5QmECiQ== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/d6d9280033ea2bf6

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\VUIAI-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .VUIAI The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/900a25aad39aa378 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- [...] ---END GANDCRAB KEY--- ---BEGIN PC DATA--- [...] ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/900a25aad39aa378

Extracted

Family

metasploit

Version

windows/single_exec

Targets

    • Target

      ransomwares/Fantom/Fantom.exe

    • Size

      261KB

    • MD5

      7d80230df68ccba871815d68f016c282

    • SHA1

      e10874c6108a26ceedfc84f50881824462b5b6b6

    • SHA256

      f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

    • SHA512

      64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

    • SSDEEP

      3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

    • Fantom

      Ransomware which hides its encryption process behind a fake Windows Update screen.

    • Renames multiple (3028) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      ransomwares/GandCrab/GandCrab.exe

    • Size

      424KB

    • MD5

      95557a29de4b70a25ce62a03472be684

    • SHA1

      5baabf2869278e60d4c4f236b832bffddd6cf969

    • SHA256

      49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200

    • SHA512

      79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103

    • SSDEEP

      6144:/UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMV:qvmVe9h1qEtkBzw0tQ

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (265) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed.

    • Drops startup file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      ransomwares/GoldenEye/GoldenEye.exe

    • Size

      254KB

    • MD5

      e3b7d39be5e821b59636d0fe7c2944cc

    • SHA1

      00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

    • SHA256

      389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

    • SHA512

      8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

    • SSDEEP

      3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl:i6nrD0ZMcPBAL7c0fTHs+2sYXg

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      ransomwares/Huzuni/Huzuni.exe

    • Size

      65KB

    • MD5

      e988915eb5706f5eeea7b684eec41a85

    • SHA1

      05d11b2d393e68af9200fd23eee1ccc0f5850289

    • SHA256

      06b8827fc8494e0e7b284a8dcb704e38169347fb857e4114813a2b8db206ec2c

    • SHA512

      2b8a784fb2333c1b2313eb557dd0bc551403ff0ce9be5422241e5274ae2028487f1a4386fb098cb93bcb633cdefedc8bade80501ac919248455d53c974ab3e22

    • SSDEEP

      1536:rmFEdOkJa9HLSQyzboPGRyfbYPstUKEMzL0HPV1vsHTV1:zwpi/5yFuKEM30HP7vsHT7

    • Modifies WinLogon for persistence

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      ransomwares/InfinityCrypt/InfinityCrypt.exe

    • Size

      211KB

    • MD5

      b805db8f6a84475ef76b795b0d1ed6ae

    • SHA1

      7711cb4873e58b7adcf2a2b047b090e78d10c75b

    • SHA256

      f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

    • SHA512

      62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

    • SSDEEP

      1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

    • InfinityLock Ransomware

      Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.

    • Target

      ransomwares/JanusPetya/JanusPetya.exe

    • Size

      22KB

    • MD5

      d99988fafeda4bf3b6c509cf3e955b44

    • SHA1

      dc32834e410febfb32cba8e2e036e214a04b0172

    • SHA256

      68e126f148ef6f94e73222d8703d719d03558f1330711705b08b654eb95ca794

    • SHA512

      fd4bbd33491fcf48b10e78465b5094c87c9a8792df02a6b89dd9acfe2166c7d6dd235065b161919280dd988c7e297b0a93217c63623cf2ffba101170f052c983

    • SSDEEP

      384:cjrKzK7DGRmhXM1YfjwTJ3b/Vj8CzpDMl+MpK/ckbyy7d+3GM3JcT/r:2eISRm3bwTZB8yJlMuxbyy7d+3R5cLr

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      ransomwares/Krotten/Krotten.exe

    • Size

      53KB

    • MD5

      87ccd6f4ec0e6b706d65550f90b0e3c7

    • SHA1

      213e6624bff6064c016b9cdc15d5365823c01f5f

    • SHA256

      e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

    • SHA512

      a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

    • SSDEEP

      768:4yKoNLsn4Jp9ZvRInygrpMoZN+WtOl08jxBEHCDwBLpZTPCUvQK:j/sn4/OycxZN+MKxp8t9zQK

    Score
    8/10
    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Adds Run key to start application

    • Modifies WinLogon
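The Fantom, Huzuni and Krotten verdicts above (Task Manager and RegEdit disabled, Winlogon and Run keys modified, wallpaper set) all come down to a handful of registry writes. As an added example, not code from this report or the sandbox, the Python below triages constructed Sysmon Event ID 13 (RegistryEvent SetValue) records against those locations and maps each hit to the technique the report's ATT&CK matrix lists (T1112, T1547.001, T1547.004, T1491). The `key|value|data` record layout, the HKCU/HKLM shorthand in place of Sysmon's `HKU\<SID>` paths and the file paths in the records are assumptions for the example.

```python
"""Registry-write triage for the Task Manager / RegEdit / Winlogon / Run key
verdicts.

Added example, not part of the sandbox report. Classifies constructed Sysmon
Event ID 13 (RegistryEvent SetValue) records against the locations those
behaviours touch and maps each hit to the ATT&CK technique in the report's
matrix. Record layout ('key|value|data') and the paths are assumptions.
"""
import re

# (key-path pattern, value name or None for any value, description, ATT&CK technique)
RULES = [
    (re.compile(r"\\Policies\\System$", re.I), "DisableTaskMgr",
     "Disables Task Manager via registry modification", "T1112"),
    (re.compile(r"\\Policies\\System$", re.I), "DisableRegistryTools",
     "Disables RegEdit via registry modification", "T1112"),
    (re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon$", re.I), "Shell",
     "Modifies WinLogon for persistence", "T1547.004"),
    (re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon$", re.I), "Userinit",
     "Modifies WinLogon for persistence", "T1547.004"),
    (re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I), None,
     "Adds Run key to start application", "T1547.001"),
    (re.compile(r"\\Control Panel\\Desktop$", re.I), "Wallpaper",
     "Sets desktop wallpaper using registry", "T1491"),
]

# Stock Winlogon data that must not fire even though the key matches.
EXPECTED_DEFAULTS = {
    ("Shell", "explorer.exe"),
    ("Userinit", r"C:\Windows\system32\userinit.exe,"),
}

# Constructed records: key|value|data (HKCU/HKLM shorthand; Sysmon logs HKU\<SID>\...)
SAMPLE_EVENTS = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr|DWORD (0x00000001)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools|DWORD (0x00000001)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell|explorer.exe, C:\Users\victim\AppData\Roaming\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit|C:\Windows\system32\userinit.exe,
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Updater|C:\Users\victim\AppData\Roaming\svchost.exe
HKCU\Control Panel\Desktop|Wallpaper|C:\Users\victim\AppData\Local\Temp\ransom.bmp
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr|DWORD (0x00000000)
HKCU\Software\Contoso\App|LastRun|2024-03-15
"""


def is_dword_set(data):
    """True for Sysmon's 'DWORD (0x00000001)' rendering or a bare '1'."""
    return data.strip() in ("1", "DWORD (0x00000001)")


def classify_event(key, value, data):
    """Return (description, technique) for a matching write, else None."""
    for key_re, value_name, description, technique in RULES:
        if not key_re.search(key):
            continue
        if value_name is not None and value.lower() != value_name.lower():
            continue
        if value_name in ("DisableTaskMgr", "DisableRegistryTools") and not is_dword_set(data):
            continue   # writing 0 re-enables the tool; not the behaviour of interest
        if (value_name, data.strip()) in EXPECTED_DEFAULTS:
            continue   # stock Winlogon values
        return description, technique
    return None


def triage(log_text):
    """Return one hit per record that matches a rule, in log order."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        key, value, data = raw.split("|", 2)
        verdict = classify_event(key, value, data)
        if verdict is not None:
            hits.append({"key": key, "value": value, "data": data,
                         "behaviour": verdict[0], "technique": verdict[1]})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['technique']:<10} {hit['behaviour']}: {hit['key']}\\{hit['value']} = {hit['data']}")
```

Two records deliberately do not fire: the `Userinit` write that restores the stock value, and the `DisableTaskMgr` write of 0, which is what a cleanup script does rather than what the samples above do. Wallpaper changes are legitimate on their own, so in a real rule set that hit is worth keeping at a lower severity than the others.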

    • Target

      ransomwares/Locky/Locky.exe

    • Size

      657KB

    • MD5

      0d0823d9a5d000b80e27090754f59ee5

    • SHA1

      b1f495b707ffaf53188c13f19a487dd94e7a0735

    • SHA256

      390ed1dde4ff03adfcf67c59ee02567ac5665bb5e029eaebf0332bc81e4d1891

    • SHA512

      52a4ae72e2685a6b6d274388b636fe63d96e5545475e521e9e250d56d4593657061502f00c6b90f5e54d05a63a9301509852804b9d705307c03f8fff739d3964

    • SSDEEP

      12288:JOSdwPgM57sv8ZqMM+ARd9rFk1S4e/NZS3peecnysPoBicrOl:JOSa2EZqeIPMelY3Cypicr

    Score
    1/10
    • Target

      ransomwares/Mischa/Mischa.exe

    • Size

      878KB

    • MD5

      8a241cfcc23dc740e1fadc7f2df3965e

    • SHA1

      1a5faa5637bec9805039a93d6e199bac26fce413

    • SHA256

      d4b6524315d5de727a8af3e4e73e8b28dab27c62fd0a6a7a891460061c2f3d60

    • SHA512

      440528b7f92d6703f008124206b9afce3d72efd30cc31b67386fa515f939b72a7eb8afe0b0cb81586680708948afdee021e33e9e5310b59aa3ab2bbdb2128318

    • SSDEEP

      24576:CImRL6PbLwYTirTy9KJ+UsrTo3XuSKqLRS:TmebMdZIUgoO0R

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      ransomwares/MischaV2/MischaV2.exe

    • Size

      279KB

    • MD5

      c8623aaa00f82b941122edef3b1852e3

    • SHA1

      1785230107633bf908034ef0d5403367765bcafb

    • SHA256

      ecc5cc62c8200954079191e586123522f88aa1414ae98908380176d75d2e7eab

    • SHA512

      4223cdb0734ba3d9055503b73e1c69a94299c345c19aca52ef85d5eefcb7715756b8ebb92c9c462030d503af47653cd6182e1e14d04cc32309c6200db458b3d6

    • SSDEEP

      6144:13hghT/p3pFlD0r5RZQa0cWhkt5yfx2NFreU6:lhgprDY7MhkQsh

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      ransomwares/NoMoreRansom/NoMoreRansom.exe

    • Size

      1.4MB

    • MD5

      63210f8f1dde6c40a7f3643ccf0ff313

    • SHA1

      57edd72391d710d71bead504d44389d0462ccec9

    • SHA256

      2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

    • SHA512

      87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

    • SSDEEP

      12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

    • Troldesh, Shade, Encoder.858

      Troldesh is ransomware spread by malspam.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Target

      ransomwares/NotPetya/NotPetya.exe

    • Size

      366KB

    • MD5

      1271f1384b2bb3a7f6891c5252757c6f

    • SHA1

      e44a54bbafbf8dea573b7d0f8eacdb65d7d63851

    • SHA256

      ac7744734ae9ae7c4c303b6078f8ec6b1ad2557372a5efe39bd0a3743a60d13c

    • SHA512

      6d4aa6577b8a7325c571528d153adb79b6b1869818cf748aa2c5776c42c12f06a07a79824fe352c5e5657c89f19406faa7d81dbaecd5e571698da54924bb2f47

    • SSDEEP

      6144:PLh5iWs5gArF3LDd84ESQoCGhWg2ZQkyDfTbjfyLX1WYaaGM6Btk2:PN5iWs5gZ4E6CyWgcQBzvja4YaaUtk2

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      ransomwares/PetrWrap/PetrWrap(Patched).exe

    • Size

      473KB

    • MD5

      cce6e95b821e8c20a121c47b652e6da6

    • SHA1

      ee61da9fda45e659913e505b8f6ceb056df9b998

    • SHA256

      29dbdd710288791a74d7f4da90086ef44d63a09af691dccefde18c26449b7532

    • SHA512

      28a3672308c41fb769ac44521f4a940f180b08844b7fca96447d2818182c669cb32d01f199187964ae3b63170a8f8e3c92c16205d22c2459dc30e0a061318a29

    • SSDEEP

      12288:PeaAhutLwUVsvLPcsZXYl0oIZdm9n50DNx:PejutLRuvLPcU8mC5S

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      ransomwares/PetrWrap/PetrWrap.exe

    • Size

      473KB

    • MD5

      17c25c8a7c141195ee887de905f33d7b

    • SHA1

      7fa8079e8dca773574d01839efc623d3cd8e6a47

    • SHA256

      e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660

    • SHA512

      de95f18101b99d159fe459c5e5651e0db2b1c76e02c9c2741bfd920decc970abc6dc0b41651be0471b4c7c3deb8b5e9a6e956c6515f268f9dfee7b76087a1e2b

    • SSDEEP

      12288:ZPaAhutLwUVsvLPcFZXYl0oIZdm9n50DNq:ZPjutLRuvLPcX8mC5S

    Score
    1/10
    • Target

      ransomwares/Petya.A/Petya.A.exe

    • Size

      225KB

    • MD5

      af2379cc4d607a45ac44d62135fb7015

    • SHA1

      39b6d40906c7f7f080e6befa93324dddadcbd9fa

    • SHA256

      26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

    • SHA512

      69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

    • SSDEEP

      6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      ransomwares/PetyaMFTDestroyer/PetyaMFTDestroyer.exe

    • Size

      14KB

    • MD5

      a8a9916266bd2cbbca8850c6c67a915c

    • SHA1

      5aeb52141addd70e408761d9bdad00751b995eac

    • SHA256

      07f5eeb863d8e000fd24cffbf278fae627a0872afb03db01f700355656a883fd

    • SHA512

      21e11f9d7b93dceb740fe157d6cc006ad24cb92d51769c471cdd8e63da8e87eacb8350cf8365ba7b64370ec8cc5ca6800d010fa266044a9706e9e347fbb03fef

    • SSDEEP

      192:gcUFGq6c+3a6mY49OD2JgH+q3QQ4B/W1bSyg+0SfEl:geaHYzyJE+q3QQ4B/WUyg7

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.
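Several of the samples above (GoldenEye, JanusPetya, Mischa, MischaV2, NotPetya, PetrWrap, Petya.A, PetyaMFTDestroyer) are flagged for writing to the Master Boot Record. As an added example that is not part of this report, the Python below shows the check an analyst runs on a disk image after such a verdict: parse sector 0, verify the 0x55AA boot signature, decode the partition table and compare a hash of the boot-code region against a baseline taken from a known-good image. The clean and tampered sector images are constructed inline; the 440-byte boot-code region and the other offsets follow the classic MBR layout, and the tampered bytes are a stand-in, not any sample's actual loader.

```python
"""MBR integrity check for the 'Writes to the Master Boot Record' verdicts.

Added example, not part of the sandbox report. Parses a 512-byte sector 0
image, verifies the boot signature, decodes the partition table and compares
the boot-code region with a baseline hash. Both sector images are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code (classic layout)
DISK_SIG_OFF = 440       # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA


def parse_partition_entry(raw):
    """Decode one 16-byte partition table entry (CHS fields ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    entries = [
        parse_partition_entry(sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)])
        for i in range(4)
    ]
    return {
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": [e for e in entries if e["type"] != 0],
    }


def check_mbr(sector, baseline_boot_code_sha256):
    """Return findings; an empty list means sector 0 matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def build_sector(boot_code, partitions, disk_sig=0x1234ABCD, signature=b"\x55\xAA"):
    """Assemble a constructed sector image; partitions are (status, type, lba, count)."""
    body = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    body += struct.pack("<I", disk_sig) + b"\x00\x00"
    for status, ptype, lba, count in partitions:
        body += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
    return body.ljust(BOOT_SIG_OFF, b"\x00") + signature


# Constructed stand-ins: neither byte string is any real loader.
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c8bf0") + b"\x90" * 64
TAMPERED_BOOT_CODE = bytes.fromhex("eb58904d") + b"CONSTRUCTED-BOOTKIT-STUB" + b"\x90" * 64

PARTITIONS = [(0x80, 0x07, 2048, 204800)]                     # one bootable NTFS partition
CLEAN_MBR = build_sector(CLEAN_BOOT_CODE, PARTITIONS)
TAMPERED_MBR = build_sector(TAMPERED_BOOT_CODE, PARTITIONS)   # same table, different loader
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()


if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("wiped", b"\x00" * SECTOR_SIZE)):
        print(label, check_mbr(image, BASELINE) or "OK")
```

The boot-code hash is the decisive check: a Petya-style loader leaves the partition table and the 0x55AA signature intact so the machine still boots into the attacker's code, which is why a sector that merely "looks valid" is not evidence of integrity. The baseline should come from a known-good image of the same build, since stock Windows boot code differs between versions.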

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Pre-OS Boot

8
T1542

Bootkit

8
T1542.003

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Scheduled Task/Job

1
T1053

Defense Evasion

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

8
T1112

Pre-OS Boot

8
T1542

Bootkit

8
T1542.003

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

7
T1012

System Information Discovery

10
T1082

Peripheral Device Discovery

2
T1120

Collection

Data from Local System

3
T1005

Impact

Inhibit System Recovery

3
T1490

Defacement

1
T1491

Tasks

static1

upx, $2a$10$hipnytfl4yad01j./dips.tdwq.qurm2fbum4pqfinkq45tak6xw6, 5891, sodinokibi
Score
10/10

behavioral1

fantom, evasion, ransomware, spyware, stealer
Score
10/10

behavioral2

fantom, evasion, ransomware
Score
10/10

behavioral3

gandcrab, backdoor, ransomware
Score
10/10

behavioral4

gandcrab, backdoor, ransomware
Score
10/10

behavioral5

metasploit, backdoor, bootkit, persistence, trojan
Score
10/10

behavioral6

metasploit, backdoor, bootkit, persistence, trojan
Score
10/10

behavioral7

evasion, persistence, ransomware, spyware, stealer
Score
10/10

behavioral8

evasion, persistence, ransomware, spyware, stealer
Score
10/10

behavioral9

infinitylock, ransomware
Score
10/10

behavioral10

Score
4/10

behavioral11

bootkit, persistence, upx
Score
7/10

behavioral12

bootkit, persistence, upx
Score
7/10

behavioral13

evasion, persistence
Score
8/10

behavioral14

evasion, persistence
Score
8/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

bootkit, persistence
Score
6/10

behavioral18

bootkit, persistence
Score
6/10

behavioral19

bootkit, persistence
Score
6/10

behavioral20

bootkit, persistence
Score
6/10

behavioral21

troldesh, persistence, ransomware, trojan, upx
Score
10/10

behavioral22

troldesh, persistence, ransomware, trojan, upx
Score
10/10

behavioral23

mimikatz, bootkit, persistence, spyware, stealer
Score
10/10

behavioral24

mimikatz, bootkit, persistence, spyware, stealer
Score
10/10

behavioral25

bootkit, persistence
Score
6/10

behavioral26

bootkit, persistence
Score
6/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

bootkit, persistence
Score
6/10

behavioral30

bootkit, persistence
Score
6/10

behavioral31

bootkit, persistence
Score
6/10

behavioral32

bootkit, persistence
Score
6/10