fantom

General

Target

Fantom.zip
Size

144KB
Sample

240319-j4vmraee33
MD5

b738112ed8d809a3779fcc4345a82b5a
SHA1

1b334eb7a111769cd54483f54f3331204b7a44fd
SHA256

7a13c0f6a7e9e68ac30dae2f143fd16ca2c192e261da2dc2c1ec32701c78441d
SHA512

beda690a67c1dbe7f8b3f6118126a3826f308a744f6a91ba568a7ff001f05ea22b712e28ce220834225344d49e234506221eacb3d008655232b5f79cf56786ee
SSDEEP

3072:rSfpoQvMBynzN4GeOBjSX+kb2d7JmPlnkgX+mU56xtZQ821caOzNN9y2+DuqJgyp:8DuqJzfW6VSgE29xxspm0n1vuz3h9Evk

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>DY7YfmMry1HV9XnAESmMWK5gKdWVo5HPSc5zf4SH6HnNOrmL5SDy8JzmueloS6od5vprGWIKwxJNvXq9SOb4CLL6E9KyL2Tz4lOSUMu5cJCjhZasqnJiQxbCUmRfobIeba3blA3wJMyDWDhs5WpPC1FvVpufr75gk0I0TNvFoSNKUw6mzd26FLYzs1bEh8Af4Mm80O5YTj+1suB38RZFJAN0drTvgdezTBtZ3o3j7O8IL1Hae0tCpPpFQ+6dLn5c69Ky/SRl3q6oCYajpsVsg2jgZ/6SChEL4lPlV7/+UanmAI3TqZsRdCdKvga9fEQIZz09rtX6aTexiYyc+dH8xQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ClickToRun\DECRYPT_YOUR_FILES.HTML

Ransom Note

Attention ! All your files have been encrypted. Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets. That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us. Getting a decryption of your files is - SIMPLY task. That all what you need: 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] 2. For test, decrypt 2 small files, to be sure that we can decrypt you files. 3. Pay our services. 4. GET software with passwords for decrypt you files. 5. Make measures to prevent this type situations again. IMPORTANT(1) Do not try restore files without our help, this is useless, and can destroy you data permanetly. IMPORTANT(2) We Cant hold you decryption passwords forever. ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. Your ID_KEY: pmXq5HTVFdUIPKnutBTyHc7Um4oqAX/DTSwOO8WGFU2T+RPhJBA9gQASWcKQ0PXqg55/viYn0RoIuLh+H3cfCQVI+IsPhPMD2nMdIGwjPEyozmBt6yZezDhX6FLHZwgSCqp2oTDeNI0URqA7KMztoR3ZtJbfv0BbzCCE+jPS44Xr0bLP18QelnOKx8qqoUSPKwqEnnb7cZQdxQw5NHW+3GCxCdoi3YDimz7AQ/9NFpjY7ifaOzWjqYW6/D+r35NPudsKfJmB/LtZmFEPGYX149p7SpwD0BMw7VZfMWXXQaZNAAq45K5OjxfcDBq1TIWAU09uwBEorLuLFuHFzjUeqA==ZW4tVVM=

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>DIfOX3b7h8VRKYdC6ov/agrL2ZBfrKedoVKJN8xxC42h1S9sr81Kg1FGoE6HPkNKnppsd3C6ZGsh3VbKM9sV/nXP5rZverPP26RKilVa1MTlSPb/j0zfLq1A9P1k4SthfzBunkAWZfgvhGWpA9Nj3pgnXh2y21bIjvmxtMHnwFqN/S4ybSSql/szIBOlQJDxqXN3B0ock6mBEu0ztl6x1TlES/bU21olEXQKiZlYfYfXfvbfaz0IsVGqsHKyTXxILoUaXK7jDSAA3VPyphkdoZo+IeL2pwspRzSt/vb6hwyobMnkpx0AWySZmRz6xxyrDM8Wet452hJb17iJNMcWxw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>KYJBYnMuCDR+3Sv3jAsmFLdiUbguHSN17leODjSHC+MH8GNkBpLW3tLqO83GLLiaulmazPCIVs/DaPg2+aYhgU/31JRxk6mnyOfVm9Q6ahaIe8cNyUe6UmRy3CG5ICJjduA9mjtkOyuAeRlVzR6NdpDFnT/iXYwHTSn+y0pz3rebh3dHWnT/XhBkKXPzhs2okROnlrsaN21MBglj8LZ37GVXH0jBTMaEP8t16M0OGE3YwrP7IcKij3glzyKqUU+PBxUU6fn1Px0P2qXDptpvSEWRo8XtAD0NPoSvT/oWn/HgN+/Ck+5H+eq/TQYQbkgkhDcARKmSlLOWdvaKChjLKA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>Q/chF/T3+wGwfBPKUO78q1O0Tw4GLnNyXZXW1y3Z5dZ9r23WnwtZLISMvA6SB+dgDZmrTSkerjYICTkNvMpZjFKe6b9s/e9ahFMmNaht7Rk/3jT7Qhjtfw1x9OWsVUDMOeLsGHifOE4Mqc8kTItReueHi8ccc6POYZuDxCRu+nKy4S3/yrOh6k1MY9LaoBTYNg4tym8myq+okGLhHK7gVJIOcf4L6l1F01EbEjQyXIq0+7Ee9iwnxr4oaWtINg/jjKvCHhCpWvVZZ8Kh5asShiVt+Xj4/19ldVAVo4pC3UAxeQlRlXuQdkuHh1qS1ef/gok+mjZxnRGe4bB4YVlzRg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Targets

- Target
  
  Fantom.zip
- Size
  
  144KB
- MD5
  
  b738112ed8d809a3779fcc4345a82b5a
- SHA1
  
  1b334eb7a111769cd54483f54f3331204b7a44fd
- SHA256
  
  7a13c0f6a7e9e68ac30dae2f143fd16ca2c192e261da2dc2c1ec32701c78441d
- SHA512
  
  beda690a67c1dbe7f8b3f6118126a3826f308a744f6a91ba568a7ff001f05ea22b712e28ce220834225344d49e234506221eacb3d008655232b5f79cf56786ee
- SSDEEP
  
  3072:rSfpoQvMBynzN4GeOBjSX+kb2d7JmPlnkgX+mU56xtZQ821caOzNN9y2+DuqJgyp:8DuqJzfW6VSgE29xxspm0n1vuz3h9Evk
Score

10^/10

fantom evasion ransomware
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Renames multiple (3844) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
behavioral1