General
-
Target
New folder (13).rar
-
Size
5.3MB
-
Sample
240326-q11g6abe63
-
MD5
ee064dd6c224e77d73c08588c72fe38f
-
SHA1
0be18fdd02f206fcf8fbb0693bc3778808051fdb
-
SHA256
3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787
-
SHA512
c3b8a5347303c8121ed4884099a7ded0658196ebca8b19baf4c742bf79dfed61d4bc7e64fbb1e432cc726bc751b8880ce381dd971ebaf1415ede49e88e055522
-
SSDEEP
98304:N7lNcNlD8XfLEFIkOuiScSKebhWgkVPaN8lxzF/QZQb5d5wdBQnYouCiU:N7K8PQyddSt/96SanNQOL5iaYoxp
Malware Config
Extracted
sodinokibi
13
49
alaskaremote.com
epicjapanart.com
narca.net
mediahub.co.nz
mustangmarketinggroup.com
alcye.com
reygroup.pt
letterscan.de
jax-interim-and-projectmanagement.com
unislaw-narty.pl
justaroundthecornerpetsit.com
bescomedical.de
bertbutter.nl
parksideseniorliving.net
reputation-medical.online
biodentify.ai
polynine.com
nvisionsigns.com
luvbec.com
hospitalitytrainingsolutions.co.uk
-
net
false
-
pid
13
-
prc
mysql.exe
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
49
Extracted
C:\MSOCache\XSOFCM-DECRYPT.txt
http://gandcrabmfe6mnef.onion/2a15b28b8fcd0c36
Extracted
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\AUJSLF-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/91eed623f5163c3
Extracted
C:\MSOCache\All Users\HOW DECRIPT FILES.hta
class='mark'>[email protected]</span>
https://xchange.cc
https://xchange.cc</a></strong></li>
Extracted
netwire
nsa.read-books.org:3300
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Extracted
C:\Users\Default\95d8232k5x-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/04F1766F84D4E61F
http://decryptor.top/04F1766F84D4E61F
Extracted
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\ODSWC-DECRYPT.txt
http://gandcrabmfe6mnef.onion/4634d3d6159b2403
Targets
-
-
Target
174ac08f7fd9c8486511122f2b8c730018c68d4492bf58840f7dbe5338072883.exe
-
Size
163KB
-
MD5
3f2003b1f21f3fe386f1904b602b7bda
-
SHA1
b796cb31384bd373b0b78ce8f2f4ffaec8f3dd43
-
SHA256
174ac08f7fd9c8486511122f2b8c730018c68d4492bf58840f7dbe5338072883
-
SHA512
e98138e04eece0404f720f2ac489b2771314f30888e148f58a2edaa64cf23da51a033837412ce0a76831fe054e8cc69971d28d44538ac4c87c9d9980e43bd367
-
SSDEEP
1536:WKmTnl2YvQZS/6+U5aHQa1RRh1tvxeznqPhcHCH3yXCyK+:WKmTnl2WQS1U5aHQuRRh1tvxezq0w3y
Score1/10 -
-
-
Target
21697ff9c9b2ad4fb91d805cd139175a4ff8fbddf1fdff52c9dd8eee78612b27.exe
-
Size
453KB
-
MD5
862cf65eca1cf1395e947222b6258fb8
-
SHA1
78872ba55112d4381a26543b87f2558b475fcf37
-
SHA256
21697ff9c9b2ad4fb91d805cd139175a4ff8fbddf1fdff52c9dd8eee78612b27
-
SHA512
e56ed23f230de3e879586d95de32f16c19b1dc26cae13e040c123290a7bb268563ccb9101ab81cdf9fdfc23bca6574230ed484f9914ae0b48ab5065d74ef1f01
-
SSDEEP
3072:a/Q5Y48JB8FmHTafIa+XiRKCPqp2Jda45+8BSf6/yEhA/a9rwV:2QwzFa+XigCPycda4U88f6/ywAi9k
Score1/10 -
-
-
Target
299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe
-
Size
357KB
-
MD5
ec3f1de3d4cbf11a03d8b009e304670b
-
SHA1
09e5d173dac5fc4afd3954017b39375f00f32ebe
-
SHA256
299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88
-
SHA512
e78a3724a53a780a7ee85ceabd325dbb778b0d2dc7ac13b5ba8e0b5698eaafbbe22bb2edff78324ec86c97e7749ae92b77f675bb9259a7287ec031f0ba293a67
-
SSDEEP
6144:x5mYqVMTMrX5MvgEJBe/OtpgJwOEV71iR4K/Rlxz7WAkDNoIpa4d46/:xjqVOMrXWvgEfe0UwtoZ7JkD84K
Score10/10-
Modifies WinLogon for persistence
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
390f8ea3044007611ebadad5352708aa3d0df0872b4550100f439a0aad7213a2.exe
-
Size
34KB
-
MD5
24de130fc752a95c45989f0552956be2
-
SHA1
f0981e152f2a13a972c92e10fa88bdb3817e449b
-
SHA256
390f8ea3044007611ebadad5352708aa3d0df0872b4550100f439a0aad7213a2
-
SHA512
25518f56b78b0be316b29946fbac3d5d50a6580c8cdc1a1e92d9236f066b198c23708a20199a4b7f69bba8e8ac2e81340789799f26659d1f81c9402a494b81c6
-
SSDEEP
768:7gs3plhY5bDZZnD7MJ+D7YC+t3XgxHjMzn9ygvtbx2ha5n:Es3plahDZFD7++/YC+Rgi9ygV0K
Score1/10 -
-
-
Target
3d26ddb0a96c825ff98a6b6456bf52dab1a896da2a8690a041524a6c82213a05.exe
-
Size
267KB
-
MD5
6d4c037eb8ba3f50e55f5a1f0d8a59d2
-
SHA1
7a91a47cfdc65fe7463eef406c15877ee194a2a2
-
SHA256
3d26ddb0a96c825ff98a6b6456bf52dab1a896da2a8690a041524a6c82213a05
-
SHA512
1de971175cff40a906c6fb5bd6aa40007b7acb8698b5d38c858108ad2ff45be60cfa28227beabab4b70a0bff46caecb1284c1c72e23446051d6949b811073608
-
SSDEEP
6144:o603faijWMA7PaSLeVHYjsNw9ENcBegswERi1umU:2vVvaPaSLwDqMcBePwERi1s
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
-
-
Target
51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe
-
Size
374KB
-
MD5
4cdf272264c0a1ac4ece4df6f1da1402
-
SHA1
b75672a775a6ded522c8b3f294fd323819e1ac30
-
SHA256
51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54
-
SHA512
d08e14f704de9238190d1955bee6378e8e0223cf581c42df605a4000f4ccb72c5187d9a60bec58d6ece9ab76538d88e2a072526f6e16515c351ab010d6e24103
-
SSDEEP
6144:VaLnnkc+VVufoje7H4p7ai1sNBG40os/b1iTBdl7yAOxckNM9VN:VaTneVw7Yp31sNqos/BiTTl7yNa
Score10/10-
Modifies WinLogon for persistence
-
-
-
Target
600db89be8dbd50e60c620ea147688cea7d512b1dc545a6b95fe41f0dfeca57f.exe
-
Size
48KB
-
MD5
3663358301ea6c5d5b3d5781278c7463
-
SHA1
13bde896d7d7873360bef334459430b3080abb8e
-
SHA256
600db89be8dbd50e60c620ea147688cea7d512b1dc545a6b95fe41f0dfeca57f
-
SHA512
0115d0681659ccd9915f2bda2bf58104954c7077192a64172f6015543cf0f2b2cef0660786536de9429cbc6c8ea159c22ea58970ff426f65ee09375f7a654806
-
SSDEEP
768:C1IWBH0x4CL/C6SVk86TjZELLtiPdSWaP6laZ950yjT:44yj6PyNiPo2m57H
Score1/10 -
-
-
Target
6860173ca54b7e763cc667ac54435f1a18a821e09453b9e41556b6c2e9323eb1.exe
-
Size
19KB
-
MD5
1dc214e694aa0bea8649d840581c07b5
-
SHA1
4d905f6faddbac18fa5a9b9926c4853ccda2a165
-
SHA256
6860173ca54b7e763cc667ac54435f1a18a821e09453b9e41556b6c2e9323eb1
-
SHA512
035620842a278ed03cae8d9f1dd749eee54f0aa00357b2d5df5e91f91c04cc7184d2fd3b8e0ba60bc6216097ef5689e5e9cd856bd09a0c60d105a4c091823543
-
SSDEEP
384:FsAHwKr2eLG2ydifQuvREasXLmQLFRkoC/kDKqdojB8/c:FsxKr2eLG2ydifQuvREawLnL7C/qKty
Score1/10 -
-
-
Target
6fd5bdcc625d735f67f0ad4cacd06feb2ae20a2ec7626ff91fbd1848d1173d34.exe
-
Size
197KB
-
MD5
f54bf8a9ac0619ebb290f76affd35624
-
SHA1
0a9ad51006dab3b145c2ba65f93e7548d5f61691
-
SHA256
6fd5bdcc625d735f67f0ad4cacd06feb2ae20a2ec7626ff91fbd1848d1173d34
-
SHA512
97276d801d46e59b36f222ae2054f43dd96a326669955062b2282673993308db1f682038796e7b6dd11debd93734a6362a2778dbcad9f3942654e6cafbad705c
-
SSDEEP
3072:mBL85NXa8SH2sNladJHHfcukDkdrvRk+j1HBoftYzeZG5+76gkXRkT:jrRSHKHfcukMrvX6VIeZc26XXRkT
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
87cee50a81408e14f015d7507a87950e678742ba78015fd65d24f9934d22c9c7.exe
-
Size
155KB
-
MD5
cc3031638f4aef9c8d4062bb3103140b
-
SHA1
2f4628c65da5ad001953468c294550b32cca9124
-
SHA256
87cee50a81408e14f015d7507a87950e678742ba78015fd65d24f9934d22c9c7
-
SHA512
939c12b95db960d6c03a879a4ead4e19adcc82c3410d711ed6f955e812eddd86046e3760334843fbc3a22b850dca7878dcbfa6a7e3aa19c9958d5870d13af0cf
-
SSDEEP
3072:SqhFvhfBQBlLY6hiYbeRMj9JVHThG0HWZlOOPIdLEvJxBroBXPVNPHUWt7outd:SqhFHAYwiYbuu93HThvulZPgLAxB0BXL
Score10/10-
Modifies WinLogon for persistence
-
Deletes itself
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
93564e681c3b63f14bfb67df98f5461917c447f343770a3a944ab251c4dac5ca.exe
-
Size
324KB
-
MD5
7f2e755385cce6862a68d60053d4ad64
-
SHA1
bb7ab43a8537b4aa019f4873bbfa27fa9721c945
-
SHA256
93564e681c3b63f14bfb67df98f5461917c447f343770a3a944ab251c4dac5ca
-
SHA512
3e549a4527a1b4d82313436af4d2858566e2611034970fddaa21cae4e1cc22c1c3ea864751ad409d014e67ec35f0faaee08c25bb25684ba3e0d2f72da43aae28
-
SSDEEP
6144:KWw1sSGm39FkhqL58C14Aox2hK/bbeLjbBmnZxl0FRqfcCiUUqq6YYjYzwTRoSM:Kbdb39mhC8CyTbytgiyUhUUqq6rjdRoS
Score10/10-
Modifies WinLogon for persistence
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
9c109b79dae8527b370cc0b91d5822f4a69b3acda284c361b310e18738ec5a97.exe
-
Size
165KB
-
MD5
e3566b5bad34be0acd68d975274f48f0
-
SHA1
b4a8116598f602486598ba4b4e41fa82fe41b763
-
SHA256
9c109b79dae8527b370cc0b91d5822f4a69b3acda284c361b310e18738ec5a97
-
SHA512
ac8da074e8f6d5ed1d1f012d9cec9d38a17e3d28ae13527394f719ab045e3f92f9ad99978a982edd5377ec9102c747e00ad55011e7d47179af2c7188cf060d60
-
SSDEEP
3072:xJ60eHr2T1ds7Z2gcsRxAHxZbL4W9qZVLzbce2liSsU5t9rL+Au9TGLyPl:xJh42T1dMZ2gcok3lazbX2zJ+bxN9
Score10/10-
Modifies WinLogon for persistence
-
Disables Task Manager via registry modification
-
Modifies WinLogon
-
Suspicious use of SetThreadContext
-
-
-
Target
9c8685a98f9be3a699ea95314449fd90fbaeac3e587efdfcb0c495621e7b087f.exe
-
Size
57KB
-
MD5
2ddb9321572e375dfeccceaa606f57f6
-
SHA1
d37068c9be009dfc7af9712abafa5c738da30492
-
SHA256
9c8685a98f9be3a699ea95314449fd90fbaeac3e587efdfcb0c495621e7b087f
-
SHA512
ba31c0d8fc5f7cbd2506c6b3ceb362992bba02620a650d15d36a01278b40716690ac6532fb6e0c31fc390264f40b37709910b51517dca1912f4771c5f7dba32e
-
SSDEEP
1536:m0dPL1G+r31JLduRROT999+kD/J+AaCer+nouy85:miDBtuHU999vgAaUout
Score10/10-
Modifies firewall policy service
-
Modifies security service
-
Modifies visibility of file extensions in Explorer
-
Modifies visiblity of hidden/system files in Explorer
-
UAC bypass
-
Windows security bypass
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Sets file execution options in registry
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
-
-
Target
CrypMod.exe
-
Size
594KB
-
MD5
bdc7130f8edce09b538b6ec22ea7a1aa
-
SHA1
254bc06fcd8d5929a9cec304cec82951ba46f1a0
-
SHA256
a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2
-
SHA512
d054c46c77566fa22ad4e8bfa9585be860873f838da32a2e7ce2d44ac1d85941fe1e3e02920b544f653b5939b802e40407c5f0c27de58a73d94e392ad7058cc5
-
SSDEEP
12288:me/nu8i7TZz5/c+K5lCT26pOhiR1O6sve2kC8T5J:me//2TZzLwCT26pOhG1Cve24T
Score10/10-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
-
-
Target
Fuck.exe
-
Size
168KB
-
MD5
d1c616cf0fd1eb61164e9091cad354c5
-
SHA1
444539834e496f04cf9c07594645ca252f3b52a8
-
SHA256
b5a2fe5b87deed18b789929faaa7601771de63dfe6a670d09224aa57ebe8c6b9
-
SHA512
441477d5a429dad3e499e943c8dfb54ad673320eed81f4fec00b3798839b3bb296c446354d5e1f46ec52aa278417011ab8ae7f374df1347e341e46243276af00
-
SSDEEP
3072:B36NS6YsVsI11Tl2JD5wMPm+RY8RvPCdSGk8RQcj2Er:B3H6TsuzYGMgWcSE
Score10/10-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (311) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
-
-
Target
Generic_Ransom_1.exe
-
Size
1.8MB
-
MD5
84b51ee1b45d26e08c525d9c87a4945a
-
SHA1
04d9559bb0ed6e964b05d1583a7410eca837f1cf
-
SHA256
debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8
-
SHA512
d3a4c07119ce03d1199ed2e6fb98b1504c171fe1d8ce1d71c33e2f2562ad0149e4fd5018ae837d9500761ad3d73f30c48d8c44d72438b048c8fd5f914d3549c9
-
SSDEEP
24576:sVLOUsdmcKn0RVIC0GN9eyS7QPkIIgmWmQL3taRHLM36T22CKRJqNE4u6FOcnDs7:stJ6F7PN3taRHwe3clnBowQg7K
Score8/10-
Registers new Print Monitor
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
Genericcc.exe
-
Size
293KB
-
MD5
dbc292a2292c6061700236830d45ca91
-
SHA1
fcdfba4b95c145a715209d694639de6be0478f6b
-
SHA256
e60fc4473ada26f3a8d2dd5c5f226441073bf86737e271f6f2ec61324ef9ab60
-
SHA512
551e097fb31a5e7a6b6ecf602f7ae8cb63dc620940fe47b003ebcafcedbfdb391731cfce399b48111ee9524f2272f53eb4076c84f65e377336930fd6b3c3e0fe
-
SSDEEP
6144:6qcbmoTtMUxxzP75a2eoEnnZcYupty6DPlQ82hmbN:6NTTyUX/5a2NGZcTs6DPlahmbN
Score10/10-
Modifies WinLogon for persistence
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Drops file in System32 directory
-
-
-
Target
Gneeirc2.exe
-
Size
110KB
-
MD5
c35506bd3fedad57e7f1ea975ebcaec5
-
SHA1
0977676ae8c8716824a13037c7eb4c7b95c58ae7
-
SHA256
208cca124ddafe35a122f6bdd36191151a2730b4e1051804d5f68d0cb4b44145
-
SHA512
adbc0991a10ce0fd293f3706583f44bd0805a97e10e45da896bcb2eb3cbc507eaeb711f2ff98df941d12aba9804fccc5c6a1948991fd278736360acd9b411b51
-
SSDEEP
1536:vAakOZurAqbsvCFWc1dIgF/q52677fqdmT7K:vAa+rAqQufK7WET2
Score10/10-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
-
Modifies Installed Components in the registry
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
-
-
Target
MyxaH.exe
-
Size
286KB
-
MD5
86d543779889aa512f7395edece0d852
-
SHA1
9b657e8ee0075ebf0cd48cea54b4628f06cdfd1c
-
SHA256
e6087745223ce9ce7de8b4c18c2d141ed9057d9088b7faf77473953a921cbb73
-
SHA512
51310d932e8eacba62c2647a39394c33427044d907bffdf3c63c982b49048848d3e77bdf9e5500a64d52b0cc93e447a9b7ba70ebbc97ad4713fc3d80f1bba76b
-
SSDEEP
6144:smGIhLaUrYyu2Pcyl+lxnHFCGcjN+c+iUri27J5P/Xj2qQ:73bzuPHj5Hria7z2qQ
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Loads dropped DLL
-
-
-
Target
a1e86fc6cfb129a978b7de1f8b773f766640e50874d8989999be2c55c6d022c2.exe
-
Size
350KB
-
MD5
77cdacf274d43d2a1e1b6d82cc2350f6
-
SHA1
eb49f61e80ae9c58f5d2a4ee4aedf14ac022b9c5
-
SHA256
a1e86fc6cfb129a978b7de1f8b773f766640e50874d8989999be2c55c6d022c2
-
SHA512
1afa8783f4176dba9afbcd6ad86edc1a8cd34f03d341f0745c63e5ea5008a7e68be87d05055495dcbc7383c3d17871b453dd440059716ae11bfa83057d882f85
-
SSDEEP
3072:kLQBOJeFK/MtgYcjuwiBrqg0Q+KUYN3PSe57vsR1pEzm43vHG/b1K+wk:kskQK/JdRios/UOPSe570Szp3ujN
Score1/10 -
-
-
Target
add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310.exe
-
Size
157KB
-
MD5
4bd82da426f6b59e08b40044adb5a3d2
-
SHA1
097db21cb36c15979730a775ac6bad1240d75275
-
SHA256
add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310
-
SHA512
77dc3f9089bb1877defa28e39a9c3a615efed7975dbbe3a4d3af942a450776cf2935d164059d2519aa2d5105ab06106c39431e4baba82c42c3f2cbacfb82b630
-
SSDEEP
3072:wi8Iy8EytSLbi4eTMlwDCnuZ3j9ifgwbDJ1fMP:B8IUykbnWJZ3jkflJ1fM
Score10/10-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (167) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
-
-
Target
ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe
-
Size
8KB
-
MD5
5ebcd7121459a0fe3155f9f6f63a1a6a
-
SHA1
edb50b9de18115b11dabe9941f5b8becf36c9999
-
SHA256
ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7
-
SHA512
c8994370f6af18855851879ced2456f9c87b6c6c5f4e7bee048fafea5cbbcc17b8f91ad06c8617b7a04ecad70eb9d22babdd8a3fe0fae7269490a0beac714a00
-
SSDEEP
96:WQ48k/t9wUnsggfHGyK0/Dia4QJT9hHKwCSJAPVj3BiiZD43EXYUHvh/F:z4p/t9/UuyrL54QdAPfdGle5F
Score10/10-
Modifies security service
-
Modifies Installed Components in the registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
b878926219059096382653b807efb9476435cc6d3401667c502d2c7bb2f6d7be.exe
-
Size
161KB
-
MD5
ba6e3d454c86502e413c299303686cab
-
SHA1
8ffa2398965a1ad4503566e07e0a8cea4cd168e4
-
SHA256
b878926219059096382653b807efb9476435cc6d3401667c502d2c7bb2f6d7be
-
SHA512
b0035f23c520f8f84b88498fcb3945e4b7edf1f7713de9837ed9a4c02443d0bbec3200dbece3671d866803bf7ac07a4d7116afc89b619767dea6e71e91c4a1df
-
SSDEEP
3072:a1mDHCjYBNCERkjlK7Xa3mUrvwF+OPgAwVbAtOP+uLXD8Ku7IhhV6u:FOjkCE/a3mmvwFavV/L4Kq4e
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of SetThreadContext
-
-
-
Target
c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
-
Size
248KB
-
MD5
d3e517e198379ed5b8faf580bef47961
-
SHA1
5daf25a32e1a3f8dbbf14d488487c0175d266d60
-
SHA256
c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a
-
SHA512
3902b8f850c5d1242840f7c61d38b677a7d98356097c939dd2f06ed9d18f1391784775ca213b1d3cf5a1e661f2d79a14f250bbfb8202124646ac89e451b0d162
-
SSDEEP
6144:5Qscj0zoT9nfNARb+m4hOZTIpZh3usSoSVGM:yQzoT9fNAcmeV4xoS
Score10/10-
Modifies WinLogon for persistence
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
cryptmod2.exe
-
Size
532KB
-
MD5
6d497a11457912bff6d4b92b5e383037
-
SHA1
d8e41fdc4acc037ac3f4155321b62e9e14fd9220
-
SHA256
f6e4a44a1c6bd6a79041746337fbba4e725abb70afb48d676a60dd3ba0c5c65f
-
SHA512
1f72e2b6182debbb0a46ee08d944cf67b6cc19f89be6e614b27b4bd7156865f32db56c6eac1f619a84072afb126e30537759382e7a299d04ac347efffa8af78a
-
SSDEEP
12288:T0HVVyZ0fNuTJHLvpkMPrQ4YVZq3Yu8/Cv9qFe4K:TKHcTFLvprs4YVcIu8sl4K
Score10/10-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (267) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
-
-
Target
d041a11a04bba9142ee44712a53c8e94bccefeefe1d382ac35171518cd6b64a7.exe
-
Size
242KB
-
MD5
3cea112008870b0f75a3e707281ca483
-
SHA1
3119927821ea72c74022b5b4d8d749bdeb467bfa
-
SHA256
d041a11a04bba9142ee44712a53c8e94bccefeefe1d382ac35171518cd6b64a7
-
SHA512
e0c187c0acf772b4808eabdc792e2d4598ec206ffd76df3b04d6e4aa2f263aa39b6ff19fafb81499685c16cde7e5b8e1f15858e1f99cbf292bb20145e8fb7ff1
-
SSDEEP
6144:fkY8lsGOLp9DJKnDNdVRQnTDwd7x/t8mRaYESWPXgLgadXoSAj:LUsG+3JYbnQnTDwfVFsuWPEgkoSO
Score10/10-
Modifies WinLogon for persistence
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe
-
Size
188KB
-
MD5
4f92d8fccd5ade0673aadefea9f04f44
-
SHA1
927bd3212787d5ded2a21301d1f483203b23de29
-
SHA256
db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f
-
SHA512
fe029565179ee63dc1416fe8f739248ad510f7ec4d54f4ea863541f874af86a9ddd768d999b8c29c15dfd7732ce9d0e9b07230d5523b62bc4defe317fa3c8bab
-
SSDEEP
3072:E2sAaxYA5sKkzigXD0+H4gQU3YZA3vX5/exte:uAzzXF/r
Score6/10-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
dcb283e040d84bf1a86b381bfb0ce6b8dc070b58ba5d3150eed9cb7becf769ea.exe
-
Size
112KB
-
MD5
c835d22fdb3c6981ce4b103bddf5e992
-
SHA1
f33af47012692e3cd18b0224e78637325113772e
-
SHA256
dcb283e040d84bf1a86b381bfb0ce6b8dc070b58ba5d3150eed9cb7becf769ea
-
SHA512
a66405cb2ed2c4fb211d95e216aebf894c88bfee461484bb3d4f846ee0e0aedaa8e92aed5b19fc05d52653e60f148fc49a911c9381a5555a8237e277d88f7b4e
-
SSDEEP
3072:lqkp02Jksl00uL14yNYRDJWN9udpsL04lwT8:82Y0u6yNY23+c3CQ
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe
-
Size
55KB
-
MD5
7d4ef2a82587ae1bddeb41529560f6f0
-
SHA1
9c97a609d0ed9cbc5a3e7c40fb9dce196c63c82a
-
SHA256
e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3
-
SHA512
1b333e8704b0afbcd2282ab1d6b9c5bc75e5be0f133a57b01da57bbb1dbfb3429eaa7f6eacdc048646476bf44799add0358c5cc82e2fd60006b4b0682a746491
-
SSDEEP
1536:NVok6yvYSerI7XB0EiV5vpl1N5lJeltvW:roklxkI7XB0EAf1PeltvW
Score7/10-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
-
-
Target
f14fd49537695f6e33bd102633b0737a2713df3197e36b7cdb176bc8683f6919.exe
-
Size
13KB
-
MD5
77f38a73c7c99d1ffbdc62361a4c34b9
-
SHA1
669eaa55c605e63a97ba4e944c0832a7c7602c85
-
SHA256
f14fd49537695f6e33bd102633b0737a2713df3197e36b7cdb176bc8683f6919
-
SHA512
6a0caf648b6806de6553154039cdf739603be03dab2878d73bc3cfd6eac1bc4ecae716b5f1bd2a2304f214a5bb0b6c01aa509f606d367c847f1f119a416ababd
-
SSDEEP
384:O2wcl2mx1mbMz1YCRJwiQ+EYE4JqP6ySqH9:Rw2QkhRJwiQtYE4XySqH
Score1/10 -
-
-
Target
f7ee55f1571b1a082a8e61811811009b02e5b0d651bd7c3f8d29ca16ef1e14ed.exe
-
Size
284KB
-
MD5
1bb03d2ed04d84232c79e2cb8bc9bb16
-
SHA1
0680e85a0edbf41816791ca8b0704cf74c362cde
-
SHA256
f7ee55f1571b1a082a8e61811811009b02e5b0d651bd7c3f8d29ca16ef1e14ed
-
SHA512
78aecaa2c5cf9c00ef15a6940908468f8318d0f5f7b38dc2c54a5d0d344a0196e3004ff7dc8ab3f19fb29508029a676944561202139efd0b0c1a22dbc0bbceea
-
SSDEEP
6144:SMXLW0lA/pXoXA9OZyRQAXFMdJ2d3ReNPMV3r5ZloYO9+i7UOuZYhYDlVoS:TiQA/pYgHHX3hxV3rtPJi6XoS
Score3/10 -
-
-
Target
genenenrnenr.exe
-
Size
808KB
-
MD5
e49c40f6a69af400f2e11dd8fe6604dd
-
SHA1
56107d38cc5a94c67bdb92aa7566768b8e82b1f2
-
SHA256
b4c2ffccfe807167860d70ea95cde0390f2dc4220992d272497ced04afb97edd
-
SHA512
80f782bf58a405559a1140be30838b7d46ddca5423d9001cb1f87005e0e46e2a6e20ae3229bd095e86d8f2fbc30020a7be8f08c7f47f095247168424b2412e28
-
SSDEEP
12288:oTsKNGpaBPxBlvdtsYuj+Ue8vQjY7heDHcMicoXfC/ye:YNG+PxvU3tvQweDHydqJ
Score5/10-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
6Registry Run Keys / Startup Folder
4Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
6Registry Run Keys / Startup Folder
4Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify Tools
3Indicator Removal
2File Deletion
2Modify Registry
19Subvert Trust Controls
1Install Root Certificate
1