badrabbit

Resubmissions

18-03-2024 22:36

240318-2h9hwsba88 10

Sharing

Copy URL

Twitter E-mail

General

Target

Ransomware.zip
Size

50.0MB
Sample

240318-2h9hwsba88
MD5

5008e241494e7ccf51328d0361cd423c
SHA1

36f2087cb4a8d06d6be1ec63346581abbe7c1196
SHA256

0b432f20d54647f077811ecb1df4dbc64fb17fbd6a9e0cce4ac9437d5f7891fb
SHA512

c5a75506d5a5f4ba1b599b888b4c0124019f868be1ae3e3215340355e6d1b4fda732c51fede1dccf7819d4895e94c8033012b792544ccffcc27ef597b837c407
SSDEEP

1572864:LyCzOJ7bNypeEAHWZATpIbBPRkTb+XpcdMwd:uuYy2HEEpYBPRc+XSdM8

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox fantomd12@yandex.ru or fantom12@techemail.com </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>YLrl4nUT9BIbCvGo4C/mo/jAyHYT86SjgVJleuu7bAsZnf9jxe/aMC/Z/r2nnkolGH4mRDJnc0FMydQ9T+ywyrtsfHcENrUg8mS9tL+/Kgu7ncL/4vQTQQT1vTBp95yyuwzHozEvMCTl1KRBjJY7Sj4KMtPvaqcklZNELRuTmpiNV+jl014Iszt6nSBZHbSvOBls0RP3pMHsWa+XdIISwty9zYypL9+uE/dFkH06Cc28yLwoAX2jNfw9x6frKt96fGvD0uW6WXqCuUjnbCxl7LVlAMrWABa5kiHvTHd9p8YGi/3V5++XLCmgs4Q/GHKLDDa5ZsiXIrYasgZhgaO4Yw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

fantomd12@yandex.ru

fantom12@techemail.com

Extracted

Path

C:\$Recycle.Bin\TCOSKHQIR-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .TCOSKHQIR The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/9c5c0a3eaa441c76 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAG1zsukZpC5i+Xz5VllbMLdqF/aZhkge3CP55o2dn0fNoecR4pKRkm9csgP9z/wt5MLKKfSWrZz/vius4BXGD7DbNNvdgtO5sct83yQoEJdlU12UfPiNrqyPbahlEbzR/Puhf9CEKBsQ5aBrKd5n+vkrxOoBHwktn4z27IjyfTz/c0pnPDrAGxPni9ivd9gBn0QFKcu+e8KQOjwALzGsVxhlXdSNG5V1GS4L6jeSSH/7Sbfv8fOFdcpEOwLj0pOaG5A15pIuOxdJsj36kgyPALeexM0iUsx7WR82oUb9d8H2+/aFigdHn3k3W4qKY5cYF7qyTDXhT760Hqruo5JVT0S0uVI88ERNl8D7KlSg8H+PtfbZjD14c9HwY2Z2JMRS8zxj9L8zReAzHAp49jS+f+1xhcLoHL50o0vifD/h7NgkbDdCVoKhRbGpdLjptH/PU6ZwXoaQ8fpteYOo5l+odTiD08gS9eLnpY7rpPB5RBDMBSVhReebir8zwwejeyUHLhFQKnHbsbMKpS8p24BRtUnOqCSqtRlOCYkWCfOvJZ9v1eo9b5uQMXLFCfEgNEQohChI86yeSderbtj5TdBrNILjGgjgTi5Tp0peq+cG4RO4mbis87Az/vJ8hwoG9qG7cosMK/JjbM2IcQXltxAIWFwdOWi98IFRBoaxa/zBqywzrdhCNbz5+8q0LhvVs/hegG8ECACnKO5vtFCuPfzCkIl2TNWZti+aezJOP6j4756jPqzEKN6d/V12gc/ncH3X2m5ZG5JsPOLQ7bSd0y4bx9misVP1eCb9hYduQACyAIwScHQNMTlN2GoTt+6VlQ7Ep2AgeozcXGPMMreXB+sfZY86PL3+LSJ76dduQ0k0DkElOKG0S3F3tiGZxBxbwIPKnJ/sZZ3LRVrkEKUV64+uRDSC+R6KY/2YqDdtcT5GD7EyD/IRKfJC9UuEuM3lHaa013Hme+ciR4b1kw8NyUF3YbMzQ/13MhSqdsKwZrnLBwDR2OBdSkt0rVD0avan+sdR5JbilsQmwtpQn0f5NsOACYmjsgD/w6r7OvliaMQpudSEyxa9qupXh0S4Qhb2ODjh6LhwhyoVEl2RF8tN4jyp/XY7pc09q9HvJQ6t28P/YLbH2tQIGNvnEQuPKPbin3u8TSSNOsuFC/A70wasxKl0MZdAefV3ejt4rrN885FrNohaWtTbue3UdN5y/dCJ82AnFm//+iN0Cg2sPOLKbd5COmGyAZiwV1gDtKdpLOS/MjWwl1IVVCywKWwXEoxL5zdOs6CfR5KlmIrgCB0EuPzV+fhR/Y05dI6g5jDyrHgv91HCDC9U8N+RclS7DXlxPaVdAuklCuJ84oRdIDICPBq9BcXr+Dxp/N/8EvHMmt0qDo6p5fzYjjp9WLPaZHEYsGPrRrcdJ/xTS9qE5/Ce8YPwl2IvYWjsyEnLMNTkVzPf2eUA8csrOqJDMYSnQkHqfvTHtLYVyn6nQG75mCdpwN/uLHUZ6RZHtzRohPqvW6rvYByE3gobNVrkBb2vwNkV9+nkgrPJR40yJvyZUaGMMqzEhY7UaWLbmFwGM6HmZz7KHjxela0uU8W+/rhiFPis2e3WnOq6H039RST1m7EuxBSmZ34P01SFRzSYZtWwDS+hhLSf3eKp+1088bP5inGqVXRFAg1uRJDHZRUCc3HSODGNQS5KgQwApXxAP4NssaIkneiYGkEeMb64Cutd5AectVow2ksYh3QvDdPWSW+R3mnDKZVcXvBrkHZbYT0PCMzwlZm99S5N633E8efvB+T7L8vcCBBvaSSq+RWC9/x0tSrNssxThrLx8vzhyMxRx7Y1GgrmvhEnJqwDyakWgPXYPQVIW723eW+DKiyaCpHUOHXNLIEr+9/UGD786ogNgzx0RvVzpjLFAT09VJZ3/Pub2QjIET5gP1PoY2nXVXv+PRNlvbRAA8JdzOJ83YXbsfKP+GVs0jwqKkY9uNslVp7zAJJ9M+5bTerRZKjVrE6VrW0CECb/FVcBBosUclO2yzodYX/r24XtlUMGgq9N6LQ5mCMjzQ2/536MQODaFyk7GU7+DpBmzDdsgAw7PaEmVvPMpQpZUHT0TxgTg9IEjnoj5tm/8eKqHJtf+mpQDJz35JIXvtn8lqEyRP3Ka+4VxEJngVXdigW+R+UjCAvRGvU3qqBwDAXe3yt6QS9azpS57caQbpmwqg2KuSMB3mWXm94EqKl8ot/AVQS6miPrq3zcH9nK7gMglFc= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD09NfJLpDJAuuVoeDMRW7IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJdNBeBiFq/cY+R7G3MrGZmYWR3UeEP93y/fM2LLPjX6P0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtoypS8G1fulWjmU7qZ4D+w7gT+wK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/9c5c0a3eaa441c76

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Path

C:\Recovery\WindowsRE\README_HOW_TO_UNLOCK.TXT

Ransom Note

YOUR FILE HAS BEEN LOCKED In order to unlock your files, follow the instructions bellow: 1. Download and install Tor Browser 2. After a successful installation, run Tor Browser and wait for its initialization. 3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion 4. Follow the instructions on the site.

URLs

http://zvnvp2rhe3ljwf2m.onion

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail coronavirus@qq.com Write this ID in the title of your message DD90145B In case of no answer in 24 hours write us to theese e-mails: coronavirus@qq.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

coronavirus@qq.com

Targets

- Target
  
  Ransomware/$uckyLocker.exe
- Size
  
  414KB
- MD5
  
  c850f942ccf6e45230169cc4bd9eb5c8
- SHA1
  
  51c647e2b150e781bd1910cac4061a2cee1daf89
- SHA256
  
  86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f
- SHA512
  
  2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9
- SSDEEP
  
  6144:Av+lDAAB6fm00rx/Qdd1QkfRLT+vLtls6LEmynPsVpw/pcPk19:RdAAB6Mk1HfRLqzPlLEmynPsVpwBT
Score

8^/10

evasion ransomware
- Disables Task Manager via registry modification
  evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  Ransomware/7ev3n.exe
- Size
  
  315KB
- MD5
  
  9f8bc96c96d43ecb69f883388d228754
- SHA1
  
  61ed25a706afa2f6684bb4d64f69c5fb29d20953
- SHA256
  
  7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
- SHA512
  
  550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
- SSDEEP
  
  6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  Ransomware/Annabelle.exe
- Size
  
  15.9MB
- MD5
  
  0f743287c9911b4b1c726c7c7edcaf7d
- SHA1
  
  9760579e73095455fcbaddfe1e7e98a2bb28bfe0
- SHA256
  
  716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
- SHA512
  
  2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
- SSDEEP
  
  393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1
Score

10^/10

evasion persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral3
- Target
  
  Ransomware/BadRabbit.exe
- Size
  
  431KB
- MD5
  
  fbbdc39af1139aebba4da004475e8839
- SHA1
  
  de5c8d858e6e41da715dca1c019df0bfb92d32c0
- SHA256
  
  630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- SHA512
  
  74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
- SSDEEP
  
  12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Score

10^/10

badrabbit mimikatz evasion ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Clears Windows event logs
  evasion ransomware
- mimikatz is an open source tool to dump credentials on Windows
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
behavioral4
- Target
  
  Ransomware/Birele.exe
- Size
  
  116KB
- MD5
  
  41789c704a0eecfdd0048b4b4193e752
- SHA1
  
  fb1e8385691fa3293b7cbfb9b2656cf09f20e722
- SHA256
  
  b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
- SHA512
  
  76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
- SSDEEP
  
  3072:pYV/aVHN9ySTn34w33FVTyuGAxsvBLSqAKZqoqrxy031l3y:8adNlltyu3Pa5gr33
Score

10^/10

persistence upx
- Modifies WinLogon for persistence
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  Ransomware/Cerber5.exe
- Size
  
  313KB
- MD5
  
  fe1bc60a95b2c2d77cd5d232296a7fa4
- SHA1
  
  c07dfdea8da2da5bad036e7c2f5d37582e1cf684
- SHA256
  
  b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
- SHA512
  
  266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
- SSDEEP
  
  6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN
Score

8^/10

evasion
- Modifies Windows Firewall
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral6
- Target
  
  Ransomware/CoronaVirus.exe
- Size
  
  1.0MB
- MD5
  
  055d1462f66a350d9886542d4d79bc2b
- SHA1
  
  f1086d2f667d807dbb1aa362a7a809ea119f2565
- SHA256
  
  dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
- SHA512
  
  2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
- SSDEEP
  
  24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (507) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral7
- Target
  
  Ransomware/CryptoLocker.exe
- Size
  
  338KB
- MD5
  
  04fb36199787f2e3e2135611a38321eb
- SHA1
  
  65559245709fe98052eb284577f1fd61c01ad20d
- SHA256
  
  d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
- SHA512
  
  533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
- SSDEEP
  
  6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv
Score

10^/10

cryptolocker persistence ransomware
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral8
- Target
  
  Ransomware/CryptoWall.exe
- Size
  
  132KB
- MD5
  
  919034c8efb9678f96b47a20fa6199f2
- SHA1
  
  747070c74d0400cffeb28fbea17b64297f14cfbd
- SHA256
  
  e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
- SHA512
  
  745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
- SSDEEP
  
  3072:naRQpzd/99wen3XgWorw8I3h8LkMvqCgQfBUnPy8L6kssU:nJdTwo30ri3h8LkMvqCgQfBUPy8L6ksP
Score

7^/10

persistence
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral9
- Target
  
  Ransomware/DeriaLock.exe
- Size
  
  484KB
- MD5
  
  0a7b70efba0aa93d4bc0857b87ac2fcb
- SHA1
  
  01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
- SHA256
  
  4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
- SHA512
  
  2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
- SSDEEP
  
  6144:lqHKx3YCgy8HmmjJpnVhvLqCO3bLinIz1wASx:lqHoyHNj/nVhvLcyII
Score

7^/10
- Drops startup file
behavioral10
- Target
  
  Ransomware/Dharma.exe
- Size
  
  11.5MB
- MD5
  
  928e37519022745490d1af1ce6f336f7
- SHA1
  
  b7840242393013f2c4c136ac7407e332be075702
- SHA256
  
  6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
- SHA512
  
  8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
- SSDEEP
  
  196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W
Score

9^/10

evasion persistence
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral11
- Target
  
  Ransomware/Fantom.exe
- Size
  
  261KB
- MD5
  
  7d80230df68ccba871815d68f016c282
- SHA1
  
  e10874c6108a26ceedfc84f50881824462b5b6b6
- SHA256
  
  f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
- SHA512
  
  64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
- SSDEEP
  
  3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
Score

10^/10

fantom evasion ransomware spyware stealer
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Renames multiple (4949) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral12
- Target
  
  Ransomware/GandCrab.exe
- Size
  
  291KB
- MD5
  
  e6b43b1028b6000009253344632e69c4
- SHA1
  
  e536b70e3ffe309f7ae59918da471d7bf4cadd1c
- SHA256
  
  bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
- SHA512
  
  07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf
- SSDEEP
  
  6144:nSRCSpUtLz+/enihebWBUOP3yIhLVMmi0CtG7go+I:SUOEnNnHbmP3yIE3tGX
Score

10^/10

gandcrab backdoor ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Renames multiple (269) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral13
- Target
  
  Ransomware/GoldenEye/GoldenEye.exe
- Size
  
  254KB
- MD5
  
  e3b7d39be5e821b59636d0fe7c2944cc
- SHA1
  
  00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
- SHA256
  
  389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
- SHA512
  
  8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5
- SSDEEP
  
  3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl:i6nrD0ZMcPBAL7c0fTHs+2sYXg
Score

10^/10

metasploit backdoor bootkit persistence trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral14
- Target
  
  Ransomware/GoldenEye/GoldenEye.js
- Size
  
  365KB
- MD5
  
  c4e9fc349d5c8b24c0ddb1533de2c16b
- SHA1
  
  147e938bd06709b3c20eea4ac461093d573be037
- SHA256
  
  28fd3a1d9087d7b103b7f6cfca002798b6365fe6ebcc66fa02dbb4a9e6378e71
- SHA512
  
  fd0cf6f434e665aabc91f6095394a08483990c12a0b6ad3a1bd820b740af0ddbc02bc0a2592be429c7488b3cd2889afad8f758b4258009dfe51e9faac76842be
- SSDEEP
  
  6144:Jnm5mwYxm+DzkzFIDIWCy49ezGywT7PDSzT3enlJ1BJ0exGqkIb1Taha6e2T6Huv:FnaIEWeqWdnlhJ+eHHu+1Qk3C+MAQ
Score

10^/10

metasploit backdoor bootkit persistence trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral15
- Target
  
  Ransomware/InfinityCrypt.exe
- Size
  
  211KB
- MD5
  
  b805db8f6a84475ef76b795b0d1ed6ae
- SHA1
  
  7711cb4873e58b7adcf2a2b047b090e78d10c75b
- SHA256
  
  f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
- SHA512
  
  62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
- SSDEEP
  
  1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON
Score

10^/10

infinitylock ransomware
- InfinityLock Ransomware
  Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
  ransomware infinitylock
behavioral16
- Target
  
  Ransomware/Krotten.exe
- Size
  
  53KB
- MD5
  
  87ccd6f4ec0e6b706d65550f90b0e3c7
- SHA1
  
  213e6624bff6064c016b9cdc15d5365823c01f5f
- SHA256
  
  e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
- SHA512
  
  a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
- SSDEEP
  
  768:4yKoNLsn4Jp9ZvRInygrpMoZN+WtOl08jxBEHCDwBLpZTPCUvQK:j/sn4/OycxZN+MKxp8t9zQK
Score

8^/10

evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
behavioral17
- Target
  
  Ransomware/Locky.AZ.exe
- Size
  
  181KB
- MD5
  
  0826df3aaa157edff9c0325f298850c2
- SHA1
  
  ed35b02fa029f1e724ed65c2de5de6e5c04f7042
- SHA256
  
  2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b
- SHA512
  
  af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6
- SSDEEP
  
  3072:hVingY1rYkIsBu0qhEEaXIwfBhZ1nJ7lUbKVjcApXH3nX:PigJkrBuAXpZ71nVlUbKtc
Score

3^/10
behavioral18
- Target
  
  Ransomware/NoMoreRansom.exe
- Size
  
  1.4MB
- MD5
  
  63210f8f1dde6c40a7f3643ccf0ff313
- SHA1
  
  57edd72391d710d71bead504d44389d0462ccec9
- SHA256
  
  2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
- SHA512
  
  87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
- SSDEEP
  
  12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK
Score

10^/10

troldesh persistence ransomware spyware stealer trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies Installed Components in the registry
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral19
- Target
  
  Ransomware/NotPetya.exe
- Size
  
  390KB
- MD5
  
  5b7e6e352bacc93f7b80bc968b6ea493
- SHA1
  
  e686139d5ed8528117ba6ca68fe415e4fb02f2be
- SHA256
  
  63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
- SHA512
  
  9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
- SSDEEP
  
  12288:ef/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:EXATS/x9jNg+95vdQa
Score

10^/10

mimikatz bootkit persistence spyware stealer
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral20
- Target
  
  Ransomware/PetrWrap
- Size
  
  473KB
- MD5
  
  17c25c8a7c141195ee887de905f33d7b
- SHA1
  
  7fa8079e8dca773574d01839efc623d3cd8e6a47
- SHA256
  
  e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660
- SHA512
  
  de95f18101b99d159fe459c5e5651e0db2b1c76e02c9c2741bfd920decc970abc6dc0b41651be0471b4c7c3deb8b5e9a6e956c6515f268f9dfee7b76087a1e2b
- SSDEEP
  
  12288:ZPaAhutLwUVsvLPcFZXYl0oIZdm9n50DNq:ZPjutLRuvLPcX8mC5S
Score

1^/10
behavioral21
- Target
  
  Ransomware/Petya.A.exe
- Size
  
  225KB
- MD5
  
  af2379cc4d607a45ac44d62135fb7015
- SHA1
  
  39b6d40906c7f7f080e6befa93324dddadcbd9fa
- SHA256
  
  26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
- SHA512
  
  69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
- SSDEEP
  
  6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral22
- Target
  
  Ransomware/PolyRansom.exe
- Size
  
  220KB
- MD5
  
  3ed3fb296a477156bc51aba43d825fc0
- SHA1
  
  9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
- SHA256
  
  1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
- SHA512
  
  dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
- SSDEEP
  
  3072:EJv/3Ppzq+M4Lh5VWK5qlYRV+hvuFiweXXbGgL90v5mq33Z3:8hzEA5GlYMWFBeXvx0c+3
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (76) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral23
- Target
  
  Ransomware/PowerPoint.exe
- Size
  
  136KB
- MD5
  
  70108103a53123201ceb2e921fcfe83c
- SHA1
  
  c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
- SHA256
  
  9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
- SHA512
  
  996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
- SSDEEP
  
  1536:3VrdxBvcGdDHHtWv8udA1JYREgJ/qEOpsChnU4V1lyqHv4vAmOG9HSDKRppppp5B:1H5D0dSgo7ppTV1lyqPOAmOG9HSOD
Score

7^/10

bootkit persistence
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral24
- Target
  
  Ransomware/RedBoot.exe
- Size
  
  1.2MB
- MD5
  
  e0340f456f76993fc047bc715dfdae6a
- SHA1
  
  d47f6f7e553c4bc44a2fe88c2054de901390b2d7
- SHA256
  
  1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
- SHA512
  
  cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc
- SSDEEP
  
  24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG
Score

9^/10

bootkit persistence ransomware upx
- Renames multiple (121) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral25
- Target
  
  Ransomware/RedEye.exe
- Size
  
  10.6MB
- MD5
  
  e9e5596b42f209cc058b55edc2737a80
- SHA1
  
  f30232697b3f54e58af08421da697262c99ec48b
- SHA256
  
  9ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305
- SHA512
  
  e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7
- SSDEEP
  
  196608:+ahZ5qN3wvdJBiAv1hXx7jeeDt9/wGoyIu+sTvDmQONhL/LslAVyq8rZyA+TXtT4:+w6NAvPAA/Xx3eeDtTD+GDONhL/AlAV8
Score

10^/10

evasion persistence ransomware trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Sets desktop wallpaper using registry
  ransomware
behavioral26
- Target
  
  Ransomware/Rensenware.exe
- Size
  
  96KB
- MD5
  
  60335edf459643a87168da8ed74c2b60
- SHA1
  
  61f3e01174a6557f9c0bfc89ae682d37a7e91e2e
- SHA256
  
  7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a
- SHA512
  
  b4e5e4d4f0b4a52243d6756c66b4fe6f4b39e64df7790072046e8a3dadad3a1be30b8689a1bab8257cc35cb4df652888ddf62b4e1fccb33e1bbf1f5416d73efb
- SSDEEP
  
  3072:kGXc7vE4k8sWJnmiWpJtCkGwJ1ED7qztG:RXD8sWBmiW0wX6Gx
Score

7^/10

spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral27
- Target
  
  Ransomware/Rokku.exe
- Size
  
  666KB
- MD5
  
  97512f4617019c907cd0f88193039e7c
- SHA1
  
  24cfa261ee30f697e7d1e2215eee1c21eebf4579
- SHA256
  
  438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499
- SHA512
  
  cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a
- SSDEEP
  
  12288:bB/72HFAQBMiZB7fJJ2qDHKK/K5FJL+xQhrwjeI:bBKqFiT7fJJ2qbKK6F5+xQhrEJ
Score

10^/10

ransomware upx
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (55) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral28
- Target
  
  Ransomware/Satana.exe
- Size
  
  49KB
- MD5
  
  46bfd4f1d581d7c0121d2b19a005d3df
- SHA1
  
  5b063298bbd1670b4d39e1baef67f854b8dcba9d
- SHA256
  
  683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
- SHA512
  
  b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
- SSDEEP
  
  768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj
Score

5^/10
- Suspicious use of SetThreadContext
behavioral29
- Target
  
  Ransomware/Seftad.exe
- Size
  
  48KB
- MD5
  
  86a3a3ce16360e01933d71d0bf1f2c37
- SHA1
  
  af54089e3601c742d523b507b3a0793c2b6e60be
- SHA256
  
  2ebe23ba9897d9c127b9c0a737ba63af8d0bcd76ec866610cc0b5de2f62b87bd
- SHA512
  
  65a3571cf5b057d2c3ce101346947679f162018fa5eadf79c5a6af6c0a3bc9b12731ff13f27629b14983ef8bc73fa9782cc0a9e6c44b0ffc2627da754c324d6e
- SSDEEP
  
  768:WQbWH9cNN5EM4Xk9fFhPc28F3hT/BysVPkzEDGlnwOMYsGfM:v8cbWMFO28FxT3VPkpk
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral30
- Target
  
  Ransomware/SporaRansomware.exe
- Size
  
  24KB
- MD5
  
  4a4a6d26e6c8a7df0779b00a42240e7b
- SHA1
  
  8072bada086040e07fa46ce8c12bf7c453c0e286
- SHA256
  
  7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02
- SHA512
  
  c7a7b15d8dbf8e8f8346a4dab083bb03565050281683820319906da4d23b97b39e88f841b30fc8bd690c179a8a54870238506ca60c0f533d34ac11850cdc1a95
- SSDEEP
  
  384:akN70EPxIDesCUxvDuzbKGxc5X4LtOFV4U7vqydPNdG2l2Zk1mvlCnqA+PQ+O9G:vZPxIuQunKGxJ44OdPNc2lEfCnqA+PQ+
Score

10^/10

evasion ransomware spyware stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral31
- Target
  
  Ransomware/UIWIX.exe
- Size
  
  211KB
- MD5
  
  a933a1a402775cfa94b6bee0963f4b46
- SHA1
  
  18aa7b02f933c753989ba3d16698a5ee3a4d9420
- SHA256
  
  146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc
- SHA512
  
  d83da3c97ffd78c42f49b7bfb50525e7c964004b4b7d9cba839c0d8bf3a5fe0424be3b3782e33c57debc6b13b5420a3fa096643c8b7376b3accfb1bc4e7d7368
- SSDEEP
  
  6144:7hsIquZ3xJ7zOUTPQcXK9GMgCsO92FCPot+M:9LquZ3n6cXDM5X2FCgt+M
Score

1^/10
behavioral32