3b246faa7e4b2a8550aa619f4da893db83721aacf62b46e5863644a5249aa87e

General

Target

Ransomware.TeslaCrypt.zip
Size

479KB
Sample

240326-rgm86abh65
MD5

f755a44bbb97e9ba70bf38f1bdc67722
SHA1

f70331eb64fd893047f263623ffb1e74e6fe4187
SHA256

3b246faa7e4b2a8550aa619f4da893db83721aacf62b46e5863644a5249aa87e
SHA512

f8ce666ae273e6c5cd57447189a8cf0e53c7704cf269fa120068f21e6faf6c89e2e75f37aee43cac83f4534790c5c6f1827621684034ef3eb7e94d7ee1ac365e
SSDEEP

6144:xQAq0svy/pQhk1NBePvxGNWeOyqYAGfr/H/h60BHtzbprAvNGTG/fi5QCIq3h11Z:LyKoUlWeOP8HXrINZ/2uJUgVu

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

Ransom Note

All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://3kxwjihmkgibht2s.wh47f2as19.com or http://34r6hq26q2h4jkzj.7hwr34n18.com , https://3kxwjihmkgibht2s.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1FAL6UtCctgTbFoGWsgo9EG1ZqnozKf97T Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://34r6hq26q2h4jkzj.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1FAL6UtCctgTbFoGWsgo9EG1ZqnozKf97T Follow the instructions on the server.

Wallets

1FAL6UtCctgTbFoGWsgo9EG1ZqnozKf97T

URLs

http://3kxwjihmkgibht2s.wh47f2as19.com

http://34r6hq26q2h4jkzj.7hwr34n18.com

https://3kxwjihmkgibht2s.s5.tor-gateways.de/

http://34r6hq26q2h4jkzj.onion/

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

Ransom Note

All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://3kxwjihmkgibht2s.wh47f2as19.com or http://34r6hq26q2h4jkzj.7hwr34n18.com , https://3kxwjihmkgibht2s.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1CqcdSuhXBkkeBXFR7AC7GbAczJga19gr6 Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://34r6hq26q2h4jkzj.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1CqcdSuhXBkkeBXFR7AC7GbAczJga19gr6 Follow the instructions on the server.

Wallets

1CqcdSuhXBkkeBXFR7AC7GbAczJga19gr6

URLs

http://3kxwjihmkgibht2s.wh47f2as19.com

http://34r6hq26q2h4jkzj.7hwr34n18.com

https://3kxwjihmkgibht2s.s5.tor-gateways.de/

http://34r6hq26q2h4jkzj.onion/

Targets

- Target
  
  3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
- Size
  
  284KB
- MD5
  
  209a288c68207d57e0ce6e60ebf60729
- SHA1
  
  e654d39cd13414b5151e8cf0d8f5b166dddd45cb
- SHA256
  
  3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
- SHA512
  
  ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3
- SSDEEP
  
  3072:rYXT8PUsMNL8V4tD2My/JAAbQoM29wlV58lbNnolY7VgsYiVTPtiTu/q:rowUsML8g2j0o9wb0bNoaKsYImui
Score

9^/10

persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (696) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2
- Target
  
  51B4EF5DC9D26B7A26E214CEE90598631E2EAA67
- Size
  
  257KB
- MD5
  
  6e080aa085293bb9fbdcc9015337d309
- SHA1
  
  51b4ef5dc9d26b7a26e214cee90598631e2eaa67
- SHA256
  
  9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122
- SHA512
  
  4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77
- SSDEEP
  
  6144:xy+als+0nIycigV5cbEo6dZbBODPIsjQ/UFsYW:xy+aCFnIycigVSbObBODTMUd
Score

10^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (355) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  E906FA3D51E86A61741B3499145A114E9BFB7C56
- Size
  
  261KB
- MD5
  
  6d3d62a4cff19b4f2cc7ce9027c33be8
- SHA1
  
  e906fa3d51e86a61741b3499145a114e9bfb7c56
- SHA256
  
  afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18
- SHA512
  
  973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad
- SSDEEP
  
  6144:93g0BQG+aZiycigV5bbEo6dZbBODPIsjQ/UFsYWo:93g0OGjZiycigVRbObBODTMUdj
Score

10^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (368) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral5 behavioral6