buran | 1cdf0dcd13a46906d73588a4f2ef20637d25706ce90b53a7b6f1701c28cb3596

Resubmissions

26-03-2024 14:35

240326-ryecksfd5y 10

26-03-2024 14:27

240326-rse2xsfb8y 10

Sharing

Copy URL

Twitter E-mail

General

Target

New folder.rar
Size

15.3MB
Sample

240326-rse2xsfb8y
MD5

6677e9a1e490857b5bdfb0744cd260fe
SHA1

20a0692c3001f36c56f811d614dfbe6b2a0b5612
SHA256

1cdf0dcd13a46906d73588a4f2ef20637d25706ce90b53a7b6f1701c28cb3596
SHA512

52c80873ff9d70a2ef1669ccfb1f2e1cfeb2a521102d0b38164c88f680924b84560245c3104b6c7e742bd952617db405720f6b08f541d6c4cdf1c33a25478ab6
SSDEEP

393216:NUYQW+GfB8a8lENPHeGcC6yz9Jp0tu/5TKP0Arl:y9GfBntHeO9Jpn/Fe0AR

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail admin@fentex.net Write this ID in the title of your message D658F9CF In case of no answer in 24 hours write us to theese e-mails: admin@fentex.world You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

admin@fentex.net

admin@fentex.world

Extracted

Path

C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html

Ransom Note

<html> <head> <title>-</title> <style> html {font-family:Consolas;font-size:20px;background-color:lightgrey;} div{ margin:0 auto 15px auto; border:1px solid; background-color:grey;} p,h3{ text-align:center; color:white; } #R{background-color:darkred;} button{padding:10px 15px; margin:15px;} </style> </head> <body> <div> <h3>YOU PERSONAL FILES HAS BEEN ENCRYPTED</h3> <p>-</p> <p>Your data (photos, documents, databases etc.) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The privete key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.</p> </div> <div> <p>The payment has to be done in Bitcoin to a unique address that we generated for you. Bitcoins are the virtual currency to make online payments. If you don't know how to get Bitcoins, you can click the button "How to buy Bitcoins" below and follow the instructions. If you have problem with this task use internet.</p> <p><abbr style="color:red;background-color:black;">You have only 1 week to submit the payment.</abbr> When this time ends, the unique key will be destroyed and you won't be able to recover your files anymore.</p> </div> <div id="R"><h3>YOUR UNIQUE KEY WILL BE DESTROYED IN 1 WEEK FROM ENCRYPTION!</h3></div> <div> <p>To recover your files, you must send 0.1 Bitcoins ( ~$37 ) to the next Bitcoin address:</p> <p><abbr style="background-color:white;font-size:35px;color:black;">15F5FM7qMhLQ44RDxuozbKRwSbHKmq7N39</abbr></p> <a target="_blank" href="https://bitcoin.org/en/getting-started"><button>How to buy Bitcoins #1</button></a> <a target="_blank" href="https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)"><button>How to buy Bitcoins #2</button></a> </div> </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_33QNII2_.txt

Ransom Note

CERBER RAN$OMWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: --- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/12EA-1E35-D050-0446-9493 Note! This page is available via "Tor Browser" only. --- Also you can use temporary addresses on your personal page without using "Tor Browser". --- 1. http://p27dokhpz2n7nvgr.1hpvzl.top/12EA-1E35-D050-0446-9493 2. http://p27dokhpz2n7nvgr.1pglcs.top/12EA-1E35-D050-0446-9493 3. http://p27dokhpz2n7nvgr.1cewld.top/12EA-1E35-D050-0446-9493 4. http://p27dokhpz2n7nvgr.1js3tl.top/12EA-1E35-D050-0446-9493 5. http://p27dokhpz2n7nvgr.1ajohk.top/12EA-1E35-D050-0446-9493 --- Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://p27dokhpz2n7nvgr.onion/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1hpvzl.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1pglcs.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1cewld.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1js3tl.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1ajohk.top/12EA-1E35-D050-0446-9493

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail admin@sectex.net Write this ID in the title of your message 3C7AF601 In case of no answer in 24 hours write us to theese e-mails: admin@sectex.world You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

admin@sectex.net

admin@sectex.world

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: DharmaParrack@protonmail.com wyattpettigrew8922555@mail.com

Emails

DharmaParrack@protonmail.com

wyattpettigrew8922555@mail.com

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All FILES ENCRYPTED "RSA1024" All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL 3442516480@qq.com IN THE LETTER WRITE YOUR ID, YOUR ID 06B78492 IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: 1169309366@qq.com YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL FREE DECRYPTION FOR PROOF You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) DECRYPTION PROCESS: When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you: 1. Decryption program. 2. Detailed instruction for decryption. 3. And individual keys for decrypting your files. !WARNING! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

3442516480@qq.com

1169309366@qq.com

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

==== GERMAN ==== Alle Ihre Dateien, Dokumente, Fotos, Datenbanken und andere wichtige Dateien werden verschlusselt. Sie konnen es nicht selbst entschlusseln! Die einzige Methode Zum Wiederherstellen von Dateien muss ein eindeutiger privater Schlussel erworben werden. Nur wir konnen Ihnen diesen Schlussel geben und nur wir konnen Ihre Dateien wiederherstellen. Um sicher zu gehen, dass wir den Entschlusseler haben und er funktioniert, konnen Sie einen senden Senden Sie eine E-Mail an daten@cock.li oder daten@airmail.cc und entschlusseln Sie eine Datei kostenlos. Aber diese Datei sollte nicht wertvoll sein! Mochten Sie Ihre Dateien wirklich wiederherstellen? Schreiben Sie eine E-Mail an daten@cock.li daten@airmail.cc (reservieren) Ihre personliche ID: <! - ID -> Beachtung! * Benennen Sie verschlusselte Dateien nicht um. * Versuchen Sie nicht, Ihre Daten mit Software von Drittanbietern zu entschlusseln. Dies kann zu dauerhaftem Datenverlust fuhren. * Entschlusselung Ihrer Dateien mit Hilfe von Dritten moglich verursachen Sie erhohten Preis (sie addieren ihre Gebuhr zu unserem) oder Sie konnen Opfer eines Betrugs werden. ==== ENGLISH ==== All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email daten@cock.li or daten@airmail.cc and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email daten@cock.li daten@airmail.cc (reserve) Your personal ID: 1DB76747-5F5B-890E-56B4-B35D45E3198E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

daten@cock.li

daten@airmail.cc

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail admin@fentex.net Write this ID in the title of your message D4457B8A In case of no answer in 24 hours write us to theese e-mails: admin@fentex.world You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

admin@fentex.net

admin@fentex.world

Targets

- Target
  
  081899c5257cdf6b27b238f9114b9151a755a2044cb463eb2214fa9101c4cd89.exe
- Size
  
  24KB
- MD5
  
  bdd728030128165279b3cadf246d495a
- SHA1
  
  032479b1a1d4bb21fdd07736a8d4d9c5fa4a70c4
- SHA256
  
  081899c5257cdf6b27b238f9114b9151a755a2044cb463eb2214fa9101c4cd89
- SHA512
  
  8ead3841b4c7d5f56f6456ead428c5e43c748cc05252a7c119b3110143ab1c29c97e5e1779e53f26142cba48c17b04de259bb639d1a23b9ed315b7cbf7be9330
- SSDEEP
  
  192:+W0UBkFvRFGHPQWT3e9+qQ/1/zJvZvdW9+2Cp92xR42eMX8:+WiFvROPQWa9+qQ/1qMyeMX
Score

1^/10
behavioral1
- Target
  
  082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76.exe
- Size
  
  799KB
- MD5
  
  f6a8d7a4291c55020101d046371a8bda
- SHA1
  
  09b08e04ee85b26ba5297cf3156653909671da90
- SHA256
  
  082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76
- SHA512
  
  547ad8ac404e494cce474209ebfbe33a40b69feb59f564215622f479e98dd93699794f4950b05d21225af271c55987da24c68d7c4c172f1d99ba7050b7063888
- SSDEEP
  
  24576:Fpfzmg0hsVxPJHnhxqj/jELyOpQR2dnCy:FpfCHKrPFnh4jEWOpQEdnCy
Score

10^/10

ransomware
- Drops startup file
behavioral2
- Target
  
  09d22d634084239df510d088dd1685886fdba2810df4067771142fb2204cef64.exe
- Size
  
  108KB
- MD5
  
  61d03ddc11ca4fc3e752abcb03bc53ed
- SHA1
  
  a872988919744d81154025b1d17cab2bc70b8e99
- SHA256
  
  09d22d634084239df510d088dd1685886fdba2810df4067771142fb2204cef64
- SHA512
  
  1d0ed13686785e03d8ab33d879e6d949179bea7d7051525ffc55bf28896d0f6456e17295a9941e07d07ffbc13f138df99fa0871dd6e070da292dd221f7ca216b
- SSDEEP
  
  1536:OTu/iJ0cjtqTgpdJEHlwKg2cxhDfiJ8xmeoBJIKs3Z3P4lGLD:4u0jtwaPBKg2ihjiJ8MeoBJIFZ3UyD
Score

1^/10
behavioral3
- Target
  
  1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe
- Size
  
  2.2MB
- MD5
  
  f5f2f6c370db4b38bdf8032ea3ef2a64
- SHA1
  
  b5e188540539bc2b1d128f408160fa91e724c84b
- SHA256
  
  1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4
- SHA512
  
  f2216faac5d07fb2d6f3faf6cf1e18e94c0ada8aba35a8d2d8491efd1ada526d5358a592b6877a9783cc9b5e81dd54fec8b9969ffd650c0f8aff2e3243dbe18c
- SSDEEP
  
  49152:UtAZanCoV4BdnctNbS/iXmYjlV8O7pzTs8OYFFxZbVybdXERd:9x6Mdn0p7pzTsQR
Score

8^/10

spyware stealer
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral4
- Target
  
  20efc37efcb36bc4a7cdf75ff667d3193959bf1858a4c115fd4301ca11ce8ddb.exe
- Size
  
  28KB
- MD5
  
  07ce060934a9106a3e135c33ebd64e9e
- SHA1
  
  e9d0fdb9d91ec314778f45065642066cbd4c575b
- SHA256
  
  20efc37efcb36bc4a7cdf75ff667d3193959bf1858a4c115fd4301ca11ce8ddb
- SHA512
  
  c3c17c911464deb7be6daf3339738fb53e89a93f0b58eb5971d6ffbbd7aced4d88ff61ab2ac973f8c1f6dafdf9e4dc505d17607b0b8b9be822b98b0b8a320f8a
- SSDEEP
  
  192:EmUk5kULV+jC9LDADPF9+qQ/1nwzJvZvdW9+2Cp92xR43beMs7ui4jrh:EmFDR+jCpAJ9+qQ/1nZMHeMsCj
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  23b5ce252f1cb3ff40a3bcb3ea53dd674175c3ad782b00e33ae45c8c87fa265b.exe
- Size
  
  235KB
- MD5
  
  fc7b0066d7d250b619a3c6c3ee1b22f9
- SHA1
  
  f307dc2d7d41e5d2678144de98445fa3c14e7583
- SHA256
  
  23b5ce252f1cb3ff40a3bcb3ea53dd674175c3ad782b00e33ae45c8c87fa265b
- SHA512
  
  4178ac9a1e5e9f5817412de1ab210c1c95ebe1a47875f14844ff5e234191c2facaf8f7ae184c9fc33c334cdfa8615ccbdc8aaaac1d3aa6697d4ea49ef01aa1bd
- SSDEEP
  
  3072:BS4er0KRFMyC4FtM/LMZaIfhhM35E8/OZZe6WXVDhjt6SeFUkgYF6UTcysS:BShA40/haM3hGEphsxUYF6Ecyx
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (314) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral6
- Target
  
  35fdad147c2ab2c36dd7fd1ad1ae26b80be6c501bb22120b741be3ab34be168f.exe
- Size
  
  542KB
- MD5
  
  ce29783e7465bd57067f67afba0f996f
- SHA1
  
  c6d5bc37d17d43a1cdb17d39e46b8f3d61d46578
- SHA256
  
  35fdad147c2ab2c36dd7fd1ad1ae26b80be6c501bb22120b741be3ab34be168f
- SHA512
  
  b92a1bdb77f05c5a6cf0b883bb2b4205c6d3a97dce1e6f82a102d6e6fcba1a025d3953ed7f3ef9268f6383a7cd2f6af2de37fec736eb4d77aff40b12a901c0be
- SSDEEP
  
  12288:5Pi8GS/emxzM+fElwVCqCJbDj9//k/rTcPcYYYgYYYYYYYgYYYYYYgYYYYYYYgYh:5PBNz3fyDj9//k//IcqHDC
Score

1^/10
behavioral7
- Target
  
  36bfd9f40ce0043c878b28ca80dda5315cf681215baf4e1d539456d89b907807.exe
- Size
  
  108KB
- MD5
  
  82bccb8988fd54529192665fa974f056
- SHA1
  
  2b83f745d8424b7ad6e8012da3260dbf0663ce3c
- SHA256
  
  36bfd9f40ce0043c878b28ca80dda5315cf681215baf4e1d539456d89b907807
- SHA512
  
  95d9996d65f4bd0ac2ad7d6c2ab3089e1101c9d0a22b304e2380512428b21767bd6c53bbaa3b3c3afc778c98be1d32ceac5331d2c85db64e7f80a78777a4f8a9
- SSDEEP
  
  1536:8tu/uJ0cjtqTgpdJEHlwKg2cxhDfiJ8Xm3oBJIKs3Z3P4lGLc:0uAjtwaPBKg2ihjiJ8W3oBJIFZ3Uyc
Score

1^/10
behavioral8
- Target
  
  56ec95785f91418751ad5788f9076af108ae19e03d2e0c0551ae8f8d8f5acba4.exe
- Size
  
  526KB
- MD5
  
  00d374f3142e46c53e621504e020dd86
- SHA1
  
  49c55f442702c3d96bf507f369676a54315851d0
- SHA256
  
  56ec95785f91418751ad5788f9076af108ae19e03d2e0c0551ae8f8d8f5acba4
- SHA512
  
  169149b510a6c502f90b18d518f10c7f0f1c7e426d62b2e90b8adfa87d76a0d1d8b819305fdb75231ac80d5fcac1dcf7982ed9e493f22dcf12ae203a0960edb9
- SSDEEP
  
  12288:oOfgiGHObrYmluIhccUnj9//k/rTcPcYYYgYYYYYYYgYYYYYYgYYYYYYYgYYYYYV:oOwGrv4j9//k//IcV4h
Score

1^/10
behavioral9
- Target
  
  675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8.exe
- Size
  
  1.3MB
- MD5
  
  d30cc3d50062b47585d8e9216f5974c4
- SHA1
  
  86ab16232bdff82807eb09e9dae5ae7dec26685f
- SHA256
  
  675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8
- SHA512
  
  8fa7e529f58deb6c2b89c3bf3ceb04ca036e00ac694767b64625258fe39d3911d42ae9d5baf0d0089e06c936458fcacd0e6e56b8a7cba4a91084d66a5717bce6
- SSDEEP
  
  24576:bk70TrcblhbE+twWvKItnEi9RlyjACUxar1BjjxhXQdT6lRDmkTyi:bkQTAMGwAFv9yjJZrYURDdH
Score

9^/10

persistence ransomware spyware stealer
- Renames multiple (18637) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral10
- Target
  
  6b4df381119ee2beac0fb75184addb6cdd045ddd5e0fa09365a51331a484cd7a.exe
- Size
  
  697KB
- MD5
  
  91bb19ac797d238209b681a872b90dfb
- SHA1
  
  c817513d79e95e78969fd7db001197058a43dbb8
- SHA256
  
  6b4df381119ee2beac0fb75184addb6cdd045ddd5e0fa09365a51331a484cd7a
- SHA512
  
  71eab624027b40a141800b9e4d242d52bb1613e2e7fef083bf742034639434c369dffe648b9d0728c09d91aec121cc8acf861fecd248f6529a396766cbd905de
- SSDEEP
  
  12288:K1C9axRKZndwSrZvQH0dy05EQB4RpwxKxOl5/xVvuY6lMwWFQw1ybgRRBo/tPamR:QC9YRgdwSBk0dy05jBmuS4DmYBSoP94a
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral11
- Target
  
  6b4f6a820d415a88ee156607b13450cbe0bedad4eb05961c55f5926f86262296.exe
- Size
  
  27KB
- MD5
  
  4b95790314f5e5e7ab6027f3afed48ae
- SHA1
  
  1bbbc30e0fdc7190d8948716ca8d373788c90ce4
- SHA256
  
  6b4f6a820d415a88ee156607b13450cbe0bedad4eb05961c55f5926f86262296
- SHA512
  
  380a9bfd525ad558964f444220cf5ac4a9d3add159abd5c0451ca2b1d8bf57d2acf6d0eb8a1ec4b1451b28db10574b2fb66bda0e2f8ed066d4d5aac0dd9c8a2c
- SSDEEP
  
  768:ZtVdJkn3Iwk9qg47OxpySkH/U3ITmcemeZFFtbwN4ykQo:ZtBk3I7LhB3PcedFtMOykQo
Score

1^/10
behavioral12
- Target
  
  721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429.exe
- Size
  
  556KB
- MD5
  
  4a8228f5109bc509936eb5286d86322a
- SHA1
  
  36f1b50c1df1249e816944d0288604336d2b7a1e
- SHA256
  
  721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429
- SHA512
  
  6013d5daaef69c99d61afb30aa273413eebe9b5b8fe0055d879ee236817d3cb4a9d3bdb82553c8cd3f6e725bd99a076389a94a8ec8d6b0da66fc17b0fb7a1164
- SSDEEP
  
  6144:f5bnFDjbS20Bbdh1bBbp20Btedh16IqDAYQ+:fTDwicAYp
Score

3^/10
behavioral13
- Target
  
  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
- Size
  
  306KB
- MD5
  
  1eac69691e05297182ea6642746d53f6
- SHA1
  
  749f19b262849158df6d29f26043e1a845da102e
- SHA256
  
  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d
- SHA512
  
  8ac6625fa10b3d2126a6498af2790a52bb626fef74b4abf05ce869f0e3b2d41fa78915b469529c67531937093e6385634985e792f4c04edac5f0b69a489d5c39
- SSDEEP
  
  3072:J86Kas04uVswV5Him+xfleiJfz/4B7zspXGwtI57T+YG4tGSGbwySvB5KpzeLrqK:ChatLSeoQ7Rwu57C0bNyKgpGR
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (319) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral14
- Target
  
  79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161.exe
- Size
  
  3.1MB
- MD5
  
  91e55c043a89444b7cdfb335d4e4a5ba
- SHA1
  
  d72203d462053c1636e20cf648669b040357d5db
- SHA256
  
  79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161
- SHA512
  
  3f3efbb9928a8ffa683d2c528bc442545fb330fbf981ff639a581effc91569743258cbad88e9a2c8b6e66448e56af023213fc408ab66a6b53565a4e030a37777
- SSDEEP
  
  98304:DFkV34ua2ltBgzXU4Us1DgAtayHKlqo7/Whsg:Db0ltwzDtZHg7/Yx
Score

7^/10

bootkit persistence
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral15
- Target
  
  *.*/update.exe
- Size
  
  744KB
- MD5
  
  288ad7c14b2e9cbfc8432d3d41d62164
- SHA1
  
  2138ba33796ed343fb01c03f4abfdbed30bfe151
- SHA256
  
  7e24716b753efa564cf6ace4abbe687a2ede68180140e4aaab8279b3328ababe
- SHA512
  
  6f045adea1a9d4c1a0ec414a77c1611687a7ec4ed23ffc1fda426a396ca4244f5b212a1189dc6fb804268a5d29cec3226ccd6d3418e7e5a9923cb0733caac70c
- SSDEEP
  
  12288:Yzki5f8eM8n7X0tYAY4+5684WFh5ecvSrW3yNdkeemwtuS9:OkE8eJnL02AYw84Wj5evNl0u
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral16
- Target
  
  *.*/˫ǩ.bat
- Size
  
  100B
- MD5
  
  b2c8d1f31c73f52c275393f231e3843e
- SHA1
  
  debbc8e818ab2acc8f12b08930315c894e7efde8
- SHA256
  
  77badaf1d085e90578b76cd1fafb252e13d4074f643b7d43cbee38580d7dee24
- SHA512
  
  0268085427d632fe4fec8e7702da5b7715a2ecc13f9ddda86f02f965c3745872e53325d12cb48ab7797bebce4b76203e3edc2631c6dacf3417a91a6c00841de6
Score

1^/10
behavioral17
- Target
  
  847001fe67b260c91fdc360297f6758598c41eb78fc4aae6adc4a4e2dd813b7e.exe
- Size
  
  108KB
- MD5
  
  eacdd9f959418d3f3e9be95de284d02a
- SHA1
  
  354fe59d35aef1dd07c3c1ef771b93a413f91e6b
- SHA256
  
  847001fe67b260c91fdc360297f6758598c41eb78fc4aae6adc4a4e2dd813b7e
- SHA512
  
  8e3770e6e0dd33e2ae54c9af0c5c01c5e0bd5d85e37ea5e4c9afadf297f9027e1b6b0b32d872ffa3b928478d7c0601b465fa5ea414dee10ddc51c8c83323d17a
- SSDEEP
  
  3072:ouvZ0rga0R246JaNR0r3PhVuCx9JNI22N:ouRIcVX2hEXFN
Score

1^/10
behavioral18
- Target
  
  97d846563e9c5da173d27fd11a6f182709c665dba0cb3f85a882c7b3e9cd9a3b.exe
- Size
  
  36KB
- MD5
  
  01856e8de8d99253aabe0c1ccf925b08
- SHA1
  
  217d1d9c07dd817bb39a000943f27991cbe5aab9
- SHA256
  
  97d846563e9c5da173d27fd11a6f182709c665dba0cb3f85a882c7b3e9cd9a3b
- SHA512
  
  03ff6abdb978d749467a24a63b21dd1e6e77cffcdd7bccf86516a66d7e053d13f76ab19179e9a331f85d32d9405f14ab8a19b756aff4c642a4ca0c7d4402d21d
- SSDEEP
  
  768:0gi4r/1iRHq5pTV6xo/SIx+637kc/+ZKWb57zlARngZy:0vZQ/6xo/SIxL7T+Z5KgZy
Score

1^/10
behavioral19
- Target
  
  9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
- Size
  
  314KB
- MD5
  
  f93ecc98e4c4659023b81397578201e3
- SHA1
  
  8c6ce5195b39239d219da8de3b4e757204f75f07
- SHA256
  
  9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a
- SHA512
  
  6835d190e85fa196e325d5b9e9833f88b22348b5e7dad7fe10aa2b065c66e61342cbf31fb8a4c1b5761a9f72b2f55d7eaeab9f8ee411ade6090327268a85a039
- SSDEEP
  
  6144:N/ox45SkZNudlSP7VeJCaYAbjJF7UjWDvtlP8A2KoGFn6NHCcWITEYlxHt9Nqw:NgScC03SPxSlYMF7UjWDvzPh2eFnDcWg
Score

10^/10

discovery evasion ransomware upx
- Blocklisted process makes network request
- Contacts a large (1091) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral20
- Target
  
  9da42140cab695b77cde560dd1109d2b96d263e25c21bba0e70604f0717bf270.exe
- Size
  
  616KB
- MD5
  
  41b91df596878223773cdc49bbee2324
- SHA1
  
  48d0647e2e29256d8969dbb7d8edb03297d01ada
- SHA256
  
  9da42140cab695b77cde560dd1109d2b96d263e25c21bba0e70604f0717bf270
- SHA512
  
  ff555049812608cb33cd7dcacf1102a920f531281aa60d36e8463f9c48023c856bf0243c25671ac709d8a5dfac5ab1a421606dd3f576472b4ec145b647fae30c
- SSDEEP
  
  12288:bnE+Yfz3OlZUW+7xsvceR0KtjYx1xS0v:bEBr3qZlCxarj8xS0v
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral21
- Target
  
  ac7da11c38cce3b21137e629d76614f6350cbc96db41bede9029c83d9dfa98e2.exe
- Size
  
  211KB
- MD5
  
  ef8ab6db9a96b461f429f9f15b573164
- SHA1
  
  ac600bb15b21910c0fb6618825358ed6c60c037f
- SHA256
  
  ac7da11c38cce3b21137e629d76614f6350cbc96db41bede9029c83d9dfa98e2
- SHA512
  
  14a3b15ceef007915a558b48740f98a7a6335d42cfcc6498b2fb3ee40ff2e15496d4fdec0351f48cee36947e1ec981190721a877b8406a10456709d21be07a3e
- SSDEEP
  
  3072:b0WFcoAWykGuyF9ImZNI9UkwvYxzqea5KC7s7TJ:bfLXyL5F9XZNIsvYv
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (317) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral22
- Target
  
  b3489810af4e4d0d953eb438e3550ace5d52a5c8818a6cae7af6d30ba5482e5f.exe
- Size
  
  24KB
- MD5
  
  b6d25a5629221041e857266b9188ea3b
- SHA1
  
  6df3a7a3ed5c6a6349a791b72783b32c460c8417
- SHA256
  
  b3489810af4e4d0d953eb438e3550ace5d52a5c8818a6cae7af6d30ba5482e5f
- SHA512
  
  bd40d5683d78d21a296677915c3417713134414059efd6865a23d8fe83465c813c696ca2d1b94e8e1ea03c7740c176e77f7b0c7c5b523eddedd43149cdc295a2
- SSDEEP
  
  768:rAOGBmheJi070Y2DJ/Zpu6WYcFIl0XeF2lG+eJ6eygjaPbpUvdykQo:bo7KJOCOfGj6eaPbpUFykQo
Score

1^/10
behavioral23
- Target
  
  bf11915a5a5f8e1de827676250505e7f503c0744da757f8290f077d3d5d81655.exe
- Size
  
  28KB
- MD5
  
  180ad8f1024b334c7966180afa953266
- SHA1
  
  7680011d67a7a7299ade6878255b1f7883a50cd9
- SHA256
  
  bf11915a5a5f8e1de827676250505e7f503c0744da757f8290f077d3d5d81655
- SHA512
  
  a661e2489775e08fc3a433e722fa014e85517ab87645ea9fa3d72c405b81d05a40dc3c02ed10579e8996e20bd4e22da936b02a846e2ea8c1d88621fbfcc7655e
- SSDEEP
  
  192:7h89oTi6J4SaQPlRgspuml9+qQ/1/wzJvZvdW9+2Cp92xR4KyAzeMg/Qq7t/u/N:18EheSaQtRgWl9+qQ/1/ZMyeMm/O
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral24
- Target
  
  c453aa991f1fb96ec3aebf334f8d9f5a5256dcdf90e697a007575771705be23e.exe
- Size
  
  28KB
- MD5
  
  7fc30b3540428adc624a060b9005d575
- SHA1
  
  8a08667b8c0bceb82502e55848ca4e4f69326217
- SHA256
  
  c453aa991f1fb96ec3aebf334f8d9f5a5256dcdf90e697a007575771705be23e
- SHA512
  
  6fb43ccd2c6698dc027c48cf61d7b40b9faccbaa717c14eef207d4312ab9eb9497af6ae70191021bf3166d6bf703a248d509b327d4b05b126449e87a0cae7cc2
- SSDEEP
  
  384:NZMO4CXWoRNt7oAbiKuWiO9fjQ/1/ZMzUFeM/Dd:NJ4CGoRNPGG8/96UUcDd
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral25
- Target
  
  c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15.exe
- Size
  
  1.2MB
- MD5
  
  e11502659f6b5c5bd9f78f534bc38fea
- SHA1
  
  b5fd5c913de8cbb8565d3c7c67c0fbaa4090122b
- SHA256
  
  c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
- SHA512
  
  86c8d4556c9e0b7d60ccbfee430eb322388449506ab515549cb8d2785582671f2dc2d2a3bd9daded9853caa8bf94d9f92603a3bc527172a85dc7a83d701f7fd0
- SSDEEP
  
  24576:645Rt4El7fc/TFJzjJUgrrCq5sNIwQsUGy1q7a9DlIACTp+kqGslRG:Rjt4El7fc/TFJWstwQsPdSDuACTpqhG
Score

10^/10

lockergoga banker ransomware spyware stealer trojan
- LockerGoga
  LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
  trojan banker lockergoga
- Renames multiple (3721) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral26
- Target
  
  cfe55dc501afeb1e83c683ec596be33878597e8d318f8e9739557af1f208b348.exe
- Size
  
  48KB
- MD5
  
  84ff01e9ca8fec60ba0c7715ca378336
- SHA1
  
  8bafa6673b762145b008496467a9ad8cfc18e4b9
- SHA256
  
  cfe55dc501afeb1e83c683ec596be33878597e8d318f8e9739557af1f208b348
- SHA512
  
  668be10b19fd0f47a0409ab0d46b5d078122eeb602452c37bee27970495ec9b8ae20e598b4a4d530a976dc80948be0f6d50e6fec78303941f4bf40df180e4ed6
- SSDEEP
  
  768:NZ/MQ+jmgyuQY6y4ViNpc3ayjctUp79Glm:N5MUo4qK3wlm
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral27
- Target
  
  d2a120aa4a8aeb87408828d4e7e0da615cb83e32ca5fccc79eee70bca3ea4d78.exe
- Size
  
  190KB
- MD5
  
  0333e4014e84e0cd41a4be7fab09926b
- SHA1
  
  2e84153ec64edadca3ac7a9b847eb6c651396525
- SHA256
  
  d2a120aa4a8aeb87408828d4e7e0da615cb83e32ca5fccc79eee70bca3ea4d78
- SHA512
  
  d9838b90083625939c644a3b80ad820cbbc5991669ac499612f82e301c553f235743cfd35a2a87cd63e7b6bedf3f57b0bd42e88ef9d9450e9d868b95ec8e6c33
- SSDEEP
  
  3072:3bXCLlcSmk8NNFLehmqbayd4yCVY16YAaMDJvKqJHTwqlQNNJE5AkqA:3byLlcq8tYZbay6Y0YgDdKUHThKNI
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (317) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral28
- Target
  
  db97db6b0367434c2170eb34f828ec6b99032a4722ea55dc14a72883d8af1c1b.exe
- Size
  
  28KB
- MD5
  
  af62cca39cdf2faa1a3e9b422afee8b9
- SHA1
  
  5714a48c24d79cf820c98ec3575ef4f0b7b7c921
- SHA256
  
  db97db6b0367434c2170eb34f828ec6b99032a4722ea55dc14a72883d8af1c1b
- SHA512
  
  c7ad2ef82f1f1a23ffa5ebcba8efca1dc8aa788847cab8d2693cf082f85e2e87979b92c559c69e60bc119929912c105e40c00aa9fe2f09d1cf8ad9e8fc3c4d13
- SSDEEP
  
  192:0P9IGUkZxXgGEmqnpbXf206LF9+qQ/1nwzJvZvdW9+2Cp92xR4qVeMNazlQF9gR:nGlJEmqx2029+qQ/1nZM2eMNazWm
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral29
- Target
  
  dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe
- Size
  
  478KB
- MD5
  
  1575ea1792ec080b7825066f02a5dddc
- SHA1
  
  e647358f934f78866d1f97079f66c46448efd2f0
- SHA256
  
  dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf
- SHA512
  
  1e492379bea54ccc2db48b1bd2ded0d77470ae960a6f78e681647526b29152a4a1ca27acca9c7181477af3c19a4e4eac0182a259fd32893b33b33f40fe14e120
- SSDEEP
  
  12288:RDVeMVRoTGavS3bRmuAyEzHU4tmo1BaKBiNr:pVeMVRo/W9mu3EzHU4co1BaKc
Score

10^/10

buran evasion persistence ransomware
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (7242) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral30
- Target
  
  e714a8c576d7e04c2a8c6f4f8aa6627543524e61f4e3fc402a24d6981bad03a4.exe
- Size
  
  44KB
- MD5
  
  f385069ebb01e0bbcff4abdbbe5e6a8e
- SHA1
  
  f2b48673e4c70e72e1f34cd88614cc0d5594fa94
- SHA256
  
  e714a8c576d7e04c2a8c6f4f8aa6627543524e61f4e3fc402a24d6981bad03a4
- SHA512
  
  d814e8112c283fa9e3fc33f54db2dc2d80e19b448d1e0d012a2838505a7af75d0814f9199462cb5a51e9fc055f30762af8830a730907f32ec66f9403b2c968d3
- SSDEEP
  
  768:cKLuj2C0bJjtAgLHL3GUME2ctbTn/YcaPC:eQtAqe2TnuK
Score

1^/10
behavioral31
- Target
  
  f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
- Size
  
  7.0MB
- MD5
  
  3beee8d7f55cd8298fcb009aa6ef6aae
- SHA1
  
  672a992ea934a0cba07ca07b80b62493e95c584d
- SHA256
  
  f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6
- SHA512
  
  12bd64d10620c1952127c125e7beb21b3727d8afb6440d48058785267b227a534ee6112d84372749496481cb6edb5c90eeb159689b443fe0f10f4a9202a83a5f
- SSDEEP
  
  196608:gUWfTu5s5E6s6eLL1mkJ2Z9Jq5dOYo+SJVTXOD0ch:gUWfTuK5E6s6sBmKk9JMo5/eN
Score

7^/10

spyware stealer upx
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral32