General

  • Target

    5b24eb87f1c370705cde8ba80db46614d8f3e89ed296bf43a113676a0291860f

  • Size

    1.2MB

  • Sample

    240320-msapzsfe31

  • MD5

    28f4fbd1c4d57fb94e5c8b6d880f3abd

  • SHA1

    2009da94134397c2c8f62ffa6774606511e90313

  • SHA256

    5b24eb87f1c370705cde8ba80db46614d8f3e89ed296bf43a113676a0291860f

  • SHA512

    ed99f80f5b05f4437cca182ddc4ac14f03b386e220da157302d377ed1756543434dbaf4153bd445d6b7a03bb8051fb815d61b89942c805fc9366b3fbd7e50b2e

  • SSDEEP

    24576:hjbFOttJFW5tVPsBua8iHkYs5BSC8jLXHlIZ9zHN25:hX4ttJAcBPXTs5d67q2

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\HOW TO BACK FILES.txt

Family

targetcompany

Ransom Note

Hello
Your files are encrypted and can not be used
To return your files in work condition you need decryption tool
Follow the instructions to decrypt all your data
Do not try to change or restore files yourself, this will break them
If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB
How to get decryption tool:
1) Download and install TOR browser by this link: https://www.torproject.org/download/
2) If TOR blocked in your country and you can't access to the link then use any VPN software
3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
4) Copy your private ID in the input field. Your Private key: 11F17659A195F20683D4BDCA
5) You will see payment information and we can make free test decryption here
Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
If you are unable to contact us through the site, then you can email us: [email protected]
Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
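The "Extracted" block above is the sandbox's parsed view of the dropped note. As an added example (not the sandbox's own extractor and not code from the report), the following Python script reproduces that parse offline: it pulls the .onion portal and blog URLs, the victim's private ID and any contact e-mail out of the note text, and applies a heuristic family tag based only on the indicators this report shows (the /mallox/ portal path and the HOW TO BACK FILES.txt note name). The note text is a constructed input copied from the report; the address on the e-mail line is redacted in the report, so the extractor recovers no address, and the clearnet Tor Project download link is deliberately not treated as actor infrastructure.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Note path as reported in the "Extracted" block above.
NOTE_PATH = r"C:\Users\Admin\Contacts\HOW TO BACK FILES.txt"

# Constructed input: the ransom note text copied from the report above and embedded
# here so the extractor runs offline. The e-mail address is redacted in the report.
NOTE_TEXT = """Hello
Your files are encrypted and can not be used
To return your files in work condition you need decryption tool
Follow the instructions to decrypt all your data
Do not try to change or restore files yourself, this will break them
If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB
How to get decryption tool:
1) Download and install TOR browser by this link: https://www.torproject.org/download/
2) If TOR blocked in your country and you can't access to the link then use any VPN software
3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
4) Copy your private ID in the input field. Your Private key: 11F17659A195F20683D4BDCA
5) You will see payment information and we can make free test decryption here
Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
If you are unable to contact us through the site, then you can email us: [email protected]
Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.
"""

# v3 onion hostnames are 56 base32 characters; an optional path may follow.
ONION_RE = re.compile(r"\b([a-z2-7]{56}\.onion)\b(/\S*)?", re.I)
# This note labels the victim identifier "Private key"; other notes say "Private ID".
PRIVATE_ID_RE = re.compile(r"Private\s+(?:key|ID)\s*:\s*([0-9A-F]{8,})", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class RansomConfig:
    note_path: str
    urls: List[str] = field(default_factory=list)   # actor infrastructure only
    private_id: Optional[str] = None
    emails: List[str] = field(default_factory=list)
    family: Optional[str] = None


def guess_family(note_path: str, urls: List[str]) -> Optional[str]:
    """Heuristic tag from the indicators this report shows: a /mallox/ portal path
    or the HOW TO BACK FILES.txt note name. Not a substitute for a signature engine."""
    if any("/mallox/" in u.lower() for u in urls):
        return "targetcompany"
    if note_path.lower().endswith("how to back files.txt"):
        return "targetcompany"
    return None


def extract_config(note_path: str, note_text: str) -> RansomConfig:
    cfg = RansomConfig(note_path=note_path)
    # Only .onion hosts count as actor infrastructure; the clearnet Tor Project
    # download link in step 1 of the note is deliberately not collected.
    for host, path in ONION_RE.findall(note_text):
        url = "http://" + host.lower() + (path or "").rstrip(".,)")
        if url not in cfg.urls:            # de-duplicate, keep order of appearance
            cfg.urls.append(url)
    m = PRIVATE_ID_RE.search(note_text)
    if m:
        cfg.private_id = m.group(1).upper()
    for addr in EMAIL_RE.findall(note_text):
        if addr not in cfg.emails:
            cfg.emails.append(addr)
    cfg.family = guess_family(note_path, cfg.urls)
    return cfg


if __name__ == "__main__":
    print(extract_config(NOTE_PATH, NOTE_TEXT))
```

Run against the embedded note, the two URLs come out in the same order and form as the report's URLs list and the private ID matches the value in the note; the family tag is a heuristic keyed to this report's indicators and should be treated as a hint, not as attribution.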

Targets

    • Target

      5b24eb87f1c370705cde8ba80db46614d8f3e89ed296bf43a113676a0291860f

    • Size

      1.2MB

    • MD5

      28f4fbd1c4d57fb94e5c8b6d880f3abd

    • SHA1

      2009da94134397c2c8f62ffa6774606511e90313

    • SHA256

      5b24eb87f1c370705cde8ba80db46614d8f3e89ed296bf43a113676a0291860f

    • SHA512

      ed99f80f5b05f4437cca182ddc4ac14f03b386e220da157302d377ed1756543434dbaf4153bd445d6b7a03bb8051fb815d61b89942c805fc9366b3fbd7e50b2e

    • SSDEEP

      24576:hjbFOttJFW5tVPsBua8iHkYs5BSC8jLXHlIZ9zHN25:hX4ttJAcBPXTs5d67q2

    • Detect ZGRat V1

    • TargetCompany,Mallox

      TargetCompany (aka Mallox) is a ransomware family, first seen in June 2021, that encrypts files using a combination of ChaCha20, AES-128 and Curve25519.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Deletes shadow copies

      Ransomware commonly deletes Volume Shadow Copies and other local backups to inhibit system recovery (ATT&CK T1490, Inhibit System Recovery).

    • Modifies service settings

      Alters the configuration of existing services.

    • Stops running service(s)

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
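The behaviours above are what the sandbox's signature engine flagged; the report does not show the underlying command lines, registry writes or DNS queries. As an added example, independent of the sandbox and of this sample, here is detection logic for five of those behaviours run over constructed Sysmon-style process, registry and DNS events (hand-written for the example, not telemetry recorded from the sample). The hostnames in IP_LOOKUP_HOSTS are well-known public IP-echo services, listed as an assumption about what "web service" means, not as hosts this sample contacted.

```python
import re
from typing import Dict, List

# Constructed, simplified Sysmon-style telemetry written by hand for this example.
# These are NOT events recorded for the sample above; they model the behaviours the
# signature names describe, plus one benign control event (id 7).
EVENTS = [
    {"id": 1, "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 2, "type": "process", "cmdline": "wmic shadowcopy delete"},
    {"id": 3, "type": "process", "cmdline": "sc config wuauserv start= disabled"},
    {"id": 4, "type": "process", "cmdline": "net stop wuauserv /y"},
    {"id": 5, "type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\Admin\AppData\Roaming\svc.exe"},
    {"id": 6, "type": "dns", "query": "api.ipify.org"},
    {"id": 7, "type": "process", "cmdline": r"notepad.exe C:\Users\Admin\notes.txt"},
]

# Command-line patterns, keyed by the signature names used in the report above.
PROCESS_RULES: Dict[str, List[re.Pattern]] = {
    "Deletes shadow copies": [
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    ],
    "Modifies service settings": [
        re.compile(r"\bsc(?:\.exe)?\s+(?:config|failure)\b", re.I),
    ],
    "Stops running service(s)": [
        re.compile(r"\bnet1?(?:\.exe)?\s+stop\b", re.I),
        re.compile(r"\bsc(?:\.exe)?\s+stop\b", re.I),
    ],
}

# Registry autostart locations for "Adds Run key to start application".
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)

# Assumed list of public IP-echo services for "Looks up external IP address via web
# service"; common examples only, not hosts this sample is reported to contact.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
                   "ifconfig.me", "ipinfo.io", "api.ip.sb"}


def match_signatures(events) -> Dict[str, List[int]]:
    """Return {signature name: [event ids]} for every event that trips a rule."""
    hits: Dict[str, List[int]] = {}

    def record(name: str, ev_id: int) -> None:
        ids = hits.setdefault(name, [])
        if ev_id not in ids:
            ids.append(ev_id)

    for ev in events:
        if ev["type"] == "process":
            for name, patterns in PROCESS_RULES.items():
                if any(p.search(ev["cmdline"]) for p in patterns):
                    record(name, ev["id"])
        elif ev["type"] == "registry" and RUN_KEY_RE.search(ev["target"]):
            record("Adds Run key to start application", ev["id"])
        elif ev["type"] == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            record("Looks up external IP address via web service", ev["id"])
    return hits


def flagged_event_ids(events) -> List[int]:
    """Sorted ids of events that tripped at least one signature."""
    return sorted({i for ids in match_signatures(events).values() for i in ids})


if __name__ == "__main__":
    for name, ids in match_signatures(EVENTS).items():
        print(f"{name}: events {ids}")
```

On real telemetry each of these rules needs a parent-process and image-path context before it becomes an alert: backup agents legitimately resize shadow storage, administrators stop services, and installers write Run keys. The value of the combination is that a single process tree tripping shadow-copy deletion, service stops and an autostart write within seconds is the pattern the report's signature list describes, and that is what to correlate on.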

MITRE ATT&CK Enterprise v15

Tasks