magniber | 4bf92967b0d2aabec0cb16f3c3792e714857db3e41ad5768e3493780b9342465

General

Target

cd711f77c71b93a29494bba27afebb32
Size

38KB
Sample

240316-h12ffsgc35
MD5

cd711f77c71b93a29494bba27afebb32
SHA1

a0d84f184191454e90d4bb2b7df52f8428a3b387
SHA256

4bf92967b0d2aabec0cb16f3c3792e714857db3e41ad5768e3493780b9342465
SHA512

5ad95f1fd3365a51d6438f054ecc7b849a3ef8197592403504e227402629b7b482e403e652aa0da36c7dd4f6733351639497c1de6d58df51876b906d7b261bec
SSDEEP

768:e04Jtvq/PbXsmSh5Mj13C05bRUSMI2mpKghGR5ZL4Z/DtChqYWrYBZF:MJtvupS/Mj13CAUTI2mpF85ZcZ/JSN

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://6064f8e844d84a50aokdpgmu.hy5tprdl77synlgxroueyzpat4iszkkx52r4i3ufbg6l7b32zqkyc5ad.onion/okdpgmu Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://6064f8e844d84a50aokdpgmu.iflook.club/okdpgmu http://6064f8e844d84a50aokdpgmu.metthe.top/okdpgmu http://6064f8e844d84a50aokdpgmu.keystwo.uno/okdpgmu http://6064f8e844d84a50aokdpgmu.sameleg.site/okdpgmu Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://6064f8e844d84a50aokdpgmu.hy5tprdl77synlgxroueyzpat4iszkkx52r4i3ufbg6l7b32zqkyc5ad.onion/okdpgmu

http://6064f8e844d84a50aokdpgmu.iflook.club/okdpgmu

http://6064f8e844d84a50aokdpgmu.metthe.top/okdpgmu

http://6064f8e844d84a50aokdpgmu.keystwo.uno/okdpgmu

http://6064f8e844d84a50aokdpgmu.sameleg.site/okdpgmu

Targets

- Target
  
  cd711f77c71b93a29494bba27afebb32
- Size
  
  38KB
- MD5
  
  cd711f77c71b93a29494bba27afebb32
- SHA1
  
  a0d84f184191454e90d4bb2b7df52f8428a3b387
- SHA256
  
  4bf92967b0d2aabec0cb16f3c3792e714857db3e41ad5768e3493780b9342465
- SHA512
  
  5ad95f1fd3365a51d6438f054ecc7b849a3ef8197592403504e227402629b7b482e403e652aa0da36c7dd4f6733351639497c1de6d58df51876b906d7b261bec
- SSDEEP
  
  768:e04Jtvq/PbXsmSh5Mj13C05bRUSMI2mpKghGR5ZL4Z/DtChqYWrYBZF:MJtvupS/Mj13CAUTI2mpF85ZcZ/JSN
Score

10^/10

magniber ransomware
- Detect magniber ransomware
- Magniber Ransomware
  Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
  ransomware magniber
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (64) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2