dharma

Sharing

General

Target

dsghdrdrdfhdfh.rar
Size

18.6MB
Sample

240326-veqhaaeg53
MD5

5cf63fe35f1e994c6b3f0a25c4b9f6ef
SHA1

482c6fbb6b70213376c40e1b2179484344915c02
SHA256

ee48174864ae0ef8c1e2da6b91b17c2f1df32195f69173adcc3013bf97c76ad5
SHA512

e178e5ea5609bd4636a8c464a36cffdb361d1d9c04f05477b153b2640142d914da8c7282fc610b3279dd1acfe521aec9cfb8d5dae8e4a70add244f61766a063d
SSDEEP

393216:sWeta0N6Fh4gSuTVGUYQW+GfB8a8lENPHeG7wW0rDEj/5TKPOB8:oNAz42/9GfBntHeG7wW0rDEj/FeOB8

Score

10^/10

dharma lockergoga sodinokibi 23 1306 adware banker bootkit discovery evasion persistence pyinstaller ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

1306

Decoy

richardkershawwines.co.za

itheroes.dk

medicalsupportco.com

bakingismyyoga.com

goodherbalhealth.com

computer-place.de

cp-bap.de

ahgarage.com

tramadolhealth.com

liepertgrafikweb.at

cascinarosa33.it

opt4cdi.com

spartamovers.com

iactechnologies.net

projektparkiet.pl

carolynfriedlander.com

galaniuklaw.com

lovetzuchia.com

enactusnhlstenden.com

watchsale.biz

Attributes

net
true
pid
23
prc
wordpa

synctime

onenote

excel

mydesktopqos

ocomm

msaccess

thebat

firefox

visio

steam

sql

isqlplussvc

dbeng50

winword

agntsvc

thunderbird

dbsnmp

ocssd

powerpnt

infopath

tbirdconfig

mspub

xfssvccon

oracle

encsvc

outlook

ocautoupds

mydesktopservice

sqbcoreservice
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
1306
svc
svc$

mepocs

vss

sophos

veeam

memtas

sql

backup

Extracted

Path

C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html

Ransom Note

<html> <head> <title>-</title> <style> html {font-family:Consolas;font-size:20px;background-color:lightgrey;} div{ margin:0 auto 15px auto; border:1px solid; background-color:grey;} p,h3{ text-align:center; color:white; } #R{background-color:darkred;} button{padding:10px 15px; margin:15px;} </style> </head> <body> <div> <h3>YOU PERSONAL FILES HAS BEEN ENCRYPTED</h3> <p>-</p> <p>Your data (photos, documents, databases etc.) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The privete key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.</p> </div> <div> <p>The payment has to be done in Bitcoin to a unique address that we generated for you. Bitcoins are the virtual currency to make online payments. If you don't know how to get Bitcoins, you can click the button "How to buy Bitcoins" below and follow the instructions. If you have problem with this task use internet.</p> <p><abbr style="color:red;background-color:black;">You have only 1 week to submit the payment.</abbr> When this time ends, the unique key will be destroyed and you won't be able to recover your files anymore.</p> </div> <div id="R"><h3>YOUR UNIQUE KEY WILL BE DESTROYED IN 1 WEEK FROM ENCRYPTION!</h3></div> <div> <p>To recover your files, you must send 0.1 Bitcoins ( ~$37 ) to the next Bitcoin address:</p> <p><abbr style="background-color:white;font-size:35px;color:black;">15F5FM7qMhLQ44RDxuozbKRwSbHKmq7N39</abbr></p> <a target="_blank" href="https://bitcoin.org/en/getting-started"><button>How to buy Bitcoins #1</button></a> <a target="_blank" href="https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)"><button>How to buy Bitcoins #2</button></a> </div> </body> </html>

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All FILES ENCRYPTED "RSA1024" All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL [email protected] IN THE LETTER WRITE YOUR ID, YOUR ID 9653C218 IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: [email protected] YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL FREE DECRYPTION FOR PROOF You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) DECRYPTION PROCESS: When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you: 1. Decryption program. 2. Detailed instruction for decryption. 3. And individual keys for decrypting your files. !WARNING! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  0383282038e4b6b1daa69a9b71bfff42b8091a4004bbe780c98239ada99f77bd.exe
- Size
  
  87KB
- MD5
  
  2f258b0a18c8ab5245ffbf8ba6e0087e
- SHA1
  
  aea8b95cd95d0b45721fe4f6bd4daff1feab8a57
- SHA256
  
  0383282038e4b6b1daa69a9b71bfff42b8091a4004bbe780c98239ada99f77bd
- SHA512
  
  ad25997e1acbc991c7cd95b99f2f854035f1f15aaa1eca84345ae78239deb6d02459318fdc7dd70049c6aae36bb762adfaa2d2c4d99ed29ae5eb5fdae9e06d6e
- SSDEEP
  
  1536:c9AvDKZdIoSYMYGvlpyORVjbiWPSt0odh6VgU75uzNrFVbKBbJaGxu2ksjrY:c9AvGZyo3MYmfxqOSjQVx4ZRoTaLaY
Score

7^/10

persistence
- Deletes itself
- Adds Run key to start application
  persistence
behavioral1
- Target
  
  082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76.exe
- Size
  
  799KB
- MD5
  
  f6a8d7a4291c55020101d046371a8bda
- SHA1
  
  09b08e04ee85b26ba5297cf3156653909671da90
- SHA256
  
  082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76
- SHA512
  
  547ad8ac404e494cce474209ebfbe33a40b69feb59f564215622f479e98dd93699794f4950b05d21225af271c55987da24c68d7c4c172f1d99ba7050b7063888
- SSDEEP
  
  24576:Fpfzmg0hsVxPJHnhxqj/jELyOpQR2dnCy:FpfCHKrPFnh4jEWOpQEdnCy
Score

10^/10

ransomware
- Drops startup file
behavioral2
- Target
  
  1035f1b289e6d88148431da56ed5fb3c3d251b51f38bfd498690537e57a3c8b8.exe
- Size
  
  504KB
- MD5
  
  175c2b3762da73b760ad22c807abb30e
- SHA1
  
  0496a10195a6902b0edd6702151e9d8168560dc9
- SHA256
  
  1035f1b289e6d88148431da56ed5fb3c3d251b51f38bfd498690537e57a3c8b8
- SHA512
  
  bec68fc1fffc7d0cf23e334cbbcdc8d50f7b7dc02e7642cdca7c43098c3f04053b5f9ef83f64c47873495f9bbe3d31a551bd93d9dddb510815e71d7f0f263bf8
- SSDEEP
  
  12288:lRhw8HEWVcLeRKJHNwTltsvPBApafDcWi5JOFRC:JrHVcLkKNNAtsnJfDclJOvC
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  24592b881440b004bfcc51692deef734babdfc0cd5719826bd05ae678584bfb9.exe
- Size
  
  91KB
- MD5
  
  4585ab21cda2fe423663d798a52baf9b
- SHA1
  
  b5a9b0c35d25b6a7d1b5478da55f571aece5f2d8
- SHA256
  
  24592b881440b004bfcc51692deef734babdfc0cd5719826bd05ae678584bfb9
- SHA512
  
  b46abc2df4abbd015bf8f11d3969aba34b94a7c3ed237abc0d99be2009fea6446c6a63e0a788d8e7dbfb0445b332ec956b35941c5bb1aaa0e2aa5ffc155bc6e4
- SSDEEP
  
  1536:rX3F7wWqPyIMNt6+4aQQg3dTXVyaH8g6C2zzl:rXxwOlLQLGahl6
Score

3^/10
behavioral4
- Target
  
  31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe
- Size
  
  2.2MB
- MD5
  
  03d64ab4dcf9d9d0f3f24472d237aee9
- SHA1
  
  a2894cf1bd5ef7fa1380e9ee3c2bedfb5081f737
- SHA256
  
  31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2
- SHA512
  
  0451f87f2a91d693b3c2ccb69621f66c62b876185965071ea0998c3f76865fc32471d47fa042fd6aaf1adfbff84119ca4a8bed05389258875d40a3f0cfcf4c23
- SSDEEP
  
  49152:pySU2VbRPrGNWnTvtchcL6yUw4gZ2oe7yUF30kWc0vNa9:pyW3rE2FHL759caE
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5
- Target
  
  3216f3b1bf985c045c18f16e00abcec112149ce8ecad190c620500f5cefb59ae.exe
- Size
  
  59KB
- MD5
  
  a57a80c2652a1ac5552d22d92f568262
- SHA1
  
  f6b18c7dce9cbf8756a6b560efcdcaa724caccb8
- SHA256
  
  3216f3b1bf985c045c18f16e00abcec112149ce8ecad190c620500f5cefb59ae
- SHA512
  
  64576c1e390e217e6f17adb16ca1c9928e5bf415ed25ab8c5443cc15bfedcb2fa982273833255470724a5d6cb34f90e71bbbf0ce32b27fef480149dc997e77d1
- SSDEEP
  
  768:xMSbq5QPwmHyHlAYg2Nyg9F0bAVn0JX029+M1oXTjwcckibWU4btMRIJRS1TZpaD:Vbq5QSWYHiAB0JX3l9kcSSqfqZNxO
Score

1^/10
behavioral6
- Target
  
  43026556eaa76df4544dd37cc1f708eb3df18b7e33969042b343c2b8be4ff697.exe
- Size
  
  2KB
- MD5
  
  08e4257a3296bee5e99cda5dc55ec795
- SHA1
  
  74692d67a107153987756736a228ed85eb04dc5c
- SHA256
  
  43026556eaa76df4544dd37cc1f708eb3df18b7e33969042b343c2b8be4ff697
- SHA512
  
  6c7aa698d1b57f695a05074d0a93c0e68bd2ae4920662254fc1c44f0bf9a900a6f7d24accbe6a5a3abe9a41dfcb53d67c2eb27445e7907f24102c749a5519fed
Score

1^/10
behavioral7
- Target
  
  4499426b05f7f17b48d3aa805681c53aed09b5b48e25c9070c08dbfae464698b.exe
- Size
  
  73KB
- MD5
  
  2d5743583c728fbd8fb7ba4757bfa242
- SHA1
  
  1dcd28cae8261b32c8e395acd9979eb0286fefe0
- SHA256
  
  4499426b05f7f17b48d3aa805681c53aed09b5b48e25c9070c08dbfae464698b
- SHA512
  
  08ee4b4773de1e2c7fcd8f145358a4139c317b6d2cb36bdfdb6796c97aadc8390059a06213b47a37f8b8afe9817a9b4330ece66b9ee0267664e4a961b4f88c18
- SSDEEP
  
  1536:DuNDrexNkdfP7yaAxFDPyVqwzpzzzVOpN8sCDiP825lNA934:DYWk17yaAPbOqKVOMs+iP8SNM34
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral8
- Target
  
  79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161.exe
- Size
  
  3.1MB
- MD5
  
  91e55c043a89444b7cdfb335d4e4a5ba
- SHA1
  
  d72203d462053c1636e20cf648669b040357d5db
- SHA256
  
  79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161
- SHA512
  
  3f3efbb9928a8ffa683d2c528bc442545fb330fbf981ff639a581effc91569743258cbad88e9a2c8b6e66448e56af023213fc408ab66a6b53565a4e030a37777
- SSDEEP
  
  98304:DFkV34ua2ltBgzXU4Us1DgAtayHKlqo7/Whsg:Db0ltwzDtZHg7/Yx
Score

7^/10

bootkit persistence
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral9
- Target
  
  843cd39e4f5024ef36fdc142bf2eb9d9dcc05f0b8f7f812d49ddac8a2bf83f29.exe
- Size
  
  396KB
- MD5
  
  17fcffdacf61a1ca1ad653e8dde6f158
- SHA1
  
  e2ae48fdaa5e93d48d3d2e6423b590f980878ecf
- SHA256
  
  843cd39e4f5024ef36fdc142bf2eb9d9dcc05f0b8f7f812d49ddac8a2bf83f29
- SHA512
  
  fc9387e4b89709fabcae6c8ee1de20c76400b8f650f081c72a76357fc1f083d03c36676e3c6aaa7798940be29db9321c8db2ea1ff68a08b320c2e982f98e0a8f
- SSDEEP
  
  6144:f2r8QKg8T+jIkoQNOymUjbdlG2VNr4GAtVAVjOgBwJ+Cqs9cLYhOC4oNzquAFA:fNr76jd3V8GAtUKg7Xs9ckaoAuA+
Score

10^/10

discovery evasion persistence trojan
- Windows security bypass
  evasion trojan
- Disables taskbar notifications via registry modification
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral10
- Target
  
  847001fe67b260c91fdc360297f6758598c41eb78fc4aae6adc4a4e2dd813b7e.exe
- Size
  
  108KB
- MD5
  
  eacdd9f959418d3f3e9be95de284d02a
- SHA1
  
  354fe59d35aef1dd07c3c1ef771b93a413f91e6b
- SHA256
  
  847001fe67b260c91fdc360297f6758598c41eb78fc4aae6adc4a4e2dd813b7e
- SHA512
  
  8e3770e6e0dd33e2ae54c9af0c5c01c5e0bd5d85e37ea5e4c9afadf297f9027e1b6b0b32d872ffa3b928478d7c0601b465fa5ea414dee10ddc51c8c83323d17a
- SSDEEP
  
  3072:ouvZ0rga0R246JaNR0r3PhVuCx9JNI22N:ouRIcVX2hEXFN
Score

1^/10
behavioral11
- Target
  
  902f0cb92e46d9d3028a9e5b52975f66142648ac90007032aafa9b1e2b5263ad.exe
- Size
  
  1.1MB
- MD5
  
  f5573049a6c06fdd4a36c605e57fc5f3
- SHA1
  
  92f53f1e87779527e630c597b372b77ca31d2bc7
- SHA256
  
  902f0cb92e46d9d3028a9e5b52975f66142648ac90007032aafa9b1e2b5263ad
- SHA512
  
  f910b65546e299ca632cddad23edd0996353e7ea75353ed4d4dd08fa63eede08acf482bdac82f236527d5deb379ae12666d3d9f8452862ae7969f3dac83fb13a
- SSDEEP
  
  24576:r96pOf9VtVLmZ3CJAt7xZdAUs2A8mtEv3mdBNSlhxg/SZbMehi9B4fJjAO3b/QEs:BSqvS1eZakbTytZid
Score

1^/10
behavioral12
- Target
  
  994d02364001319f2a3fd9318a2f760c79d7dcfddb177940e22cb60765992094.exe
- Size
  
  480KB
- MD5
  
  f82cff1f8a3de8a8f891d5ac74bf2ff7
- SHA1
  
  25cf77395ad767f7a960871b45ced08c3815bc00
- SHA256
  
  994d02364001319f2a3fd9318a2f760c79d7dcfddb177940e22cb60765992094
- SHA512
  
  3b40046214798f839331a823df55642112cd9a359fbd9ac3ba954175ec7bc4bb577448741ad6f119375dc336128901de1c60927e27aa0710c751896217bed4c3
- SSDEEP
  
  12288:vVJNnVy735dQvVxWMvzNlvbbr0oJC3gwN:N7ydQvV8OvvbbLC3g
Score

1^/10
behavioral13
- Target
  
  a006d20ea64758a5219d6a8833a593d99b47c2301e17be2e07593c1565de086b.exe
- Size
  
  604KB
- MD5
  
  f593184675ecb76af217a216138609e2
- SHA1
  
  999c45d495231ae4fb4b9768028759273e0e28b5
- SHA256
  
  a006d20ea64758a5219d6a8833a593d99b47c2301e17be2e07593c1565de086b
- SHA512
  
  3f4ea7ad5379f46a1517db38673159c02614ecff990c424f7e39156b908da3cd291a29971990349025416f6266792fb217376be37a90bdd79a78caf7a5249cfe
- SSDEEP
  
  12288:m8n+q7BpMZ5ztVYnLZj2Cr8Yo+JLya0fcn+Xh3pRz3aMNtziG9wX:JjiQLgCrXo+JL6C+RZVt5M
Score

3^/10
behavioral14
- Target
  
  aaf476e09142ae0b67a0696e3c5d202cda7081c9365f352cfb82068a80e265d5.exe
- Size
  
  460KB
- MD5
  
  e9b4b4f0f35d3757aff629ef0b55ea94
- SHA1
  
  c1bd6213615ddc18dbf62b78d3b408116e677bef
- SHA256
  
  aaf476e09142ae0b67a0696e3c5d202cda7081c9365f352cfb82068a80e265d5
- SHA512
  
  993e3177d9f5c82ce2d70e6bb71b92597eadfa28e0c81cb354427788d18fd15b82080b454da2ef5c2c539af796bf0be533c2d82f5666ecf6209963c34484fe07
- SSDEEP
  
  6144:AZHeftvB2cAVK0SWVfW5/fOflYvlBU1y0+ogBequWaj8vlLpy5NfW5fFckuzqwky:EHeftJmVKeKURgDuWG5NKNKk/q
Score

8^/10

evasion
- Disables Task Manager via registry modification
  evasion
behavioral15
- Target
  
  abb979296b15798893029044f06c97a2e98f4ec044c0c34ac27a0dd6bb0b0ff1.exe
- Size
  
  59KB
- MD5
  
  dc19a7e07efe444f97cb045e72492eaa
- SHA1
  
  3ed8226d1ec92c861d470477556f016a4f9d59e6
- SHA256
  
  abb979296b15798893029044f06c97a2e98f4ec044c0c34ac27a0dd6bb0b0ff1
- SHA512
  
  943c597fb766a3ad840975ed9197569cb8fcb27e8f7964f5e9f6b66ddf3653c316c9dd28ff5723e789aa8910f14185a0868da92e93bef4ebc36b098687518bf3
- SSDEEP
  
  1536:I0WP1ktawb9iV21ecrAYB3YuDBn1sYfI:IPcj+puDB1sYw
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral16
- Target
  
  b630f84b4573831a769170ce7efe73a107b7cd457f499d29fbb622db5c717086.exe
- Size
  
  152KB
- MD5
  
  1ac1e1a7ab3f8e707afe7144429cb601
- SHA1
  
  b97fed5590be56cf247c9ca17a0fcd9100b54cdc
- SHA256
  
  b630f84b4573831a769170ce7efe73a107b7cd457f499d29fbb622db5c717086
- SHA512
  
  f927474e1b25692a603c4c8c8ed354a6a3cd41f99af5bdb26454accd14260e3fa42c37d83ef54451af8e2bb01bdc4c5f70a29378faf0912a35ee31f5bc04eb8f
- SSDEEP
  
  3072:92DA1C344e9/4O1qRmcCBF8X3w0gH/4CMc8TBoIzmoAzSCzpLToYi:92YC3Re9/lymcCHLTH/Kc4BoJzhLD
Score

1^/10
behavioral17
- Target
  
  bd37f1c8f1a0b1333df616db123305e9c138eb3331c1fd66907d4e9df93a4a8e.exe
- Size
  
  356KB
- MD5
  
  4c6e0d9f6bf86311b01656b13b383e1c
- SHA1
  
  f69f1a80dbce8d1cfed654d22af8435240c23dd6
- SHA256
  
  bd37f1c8f1a0b1333df616db123305e9c138eb3331c1fd66907d4e9df93a4a8e
- SHA512
  
  7ccb67cd228fae172016c8e56a2f5193f7c4efbfe76b045dbafc3cc0fbc1892c2991c6f7acbe2201728b5a007058bfe32c5bb3761589fc5b96804e82bcb0e5ff
- SSDEEP
  
  6144:L1+5xWbgYAsrXqqULirNP1BX79FuOxij5GpuSkh9MmwNWfGy6AiDHN:L1/gYvprNPjLnxqs0twN7SEN
Score

1^/10
behavioral18
- Target
  
  c086172b03dbcdc6a782dfbbbf1b6b7f71551bc0d10e1044fcd3c7e880e83a77.exe
- Size
  
  392KB
- MD5
  
  5aa283477dee06012b7cf3272b3617d4
- SHA1
  
  a56749e2b405ba5f9539d785340fba1cee2dbbe9
- SHA256
  
  c086172b03dbcdc6a782dfbbbf1b6b7f71551bc0d10e1044fcd3c7e880e83a77
- SHA512
  
  a9233017351fe0757232cb7594d08300672ce3fa927cbdcf0ec5b1cef9425aa7b2e1fbf22239d1fc311d70994cf7cb3d3d13eef4d6a836af88e226f512e77222
- SSDEEP
  
  6144:O6ittMEfv0StbaV3jjb8TyD3cX5d+sF+TDa4ZUb5dR3vwxKO9jqs:OXsSMlXbQX5dT0DRE5T4x
Score

10^/10

discovery evasion persistence trojan
- Windows security bypass
  evasion trojan
- Disables taskbar notifications via registry modification
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral19
- Target
  
  c2a620243b8c161336d68aaccbb7972f083b3e8e30e0fcfaaf9413e46bcbf1bb.exe
- Size
  
  2KB
- MD5
  
  043a425c7a4343ecdd5f2afa920186cd
- SHA1
  
  540aa408c1444b014a105a2afaea49999d92d5f6
- SHA256
  
  c2a620243b8c161336d68aaccbb7972f083b3e8e30e0fcfaaf9413e46bcbf1bb
- SHA512
  
  da6258e96e56b8af935a7098b52e357e2a50837ef53ac06619030eacef5a86fbe6f9e6747b7c4441690b42114ab0602df7fede33b5f2362f2b0e204694cc7197
Score

1^/10
behavioral20
- Target
  
  c3705bab837f5e68ab54a026bf6d23b454f9e6273c919f4d9c43db7c9c37a43b.exe
- Size
  
  695KB
- MD5
  
  400ba7e90298222949036c3e0fd12dd3
- SHA1
  
  6b9ee72e913a789737b9ef65e8d42b6b58828e79
- SHA256
  
  c3705bab837f5e68ab54a026bf6d23b454f9e6273c919f4d9c43db7c9c37a43b
- SHA512
  
  67d02601e7fe5f2c526eb6b25adddd2a4d8f4761d41bc467b441a3a50431960a59ed20226d319476f1488a4a80cc82a04036655f226c2a46363793011beab0ed
- SSDEEP
  
  12288:m8n+q7BpMZ5ztVYnLZj2Cr8Yo+JLya0fcn+Xh3pRz3aMNtziG9wnYMs:JjiQLgCrXo+JL6C+RZVt56YM
Score

1^/10
behavioral21
- Target
  
  c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15.exe
- Size
  
  1.2MB
- MD5
  
  e11502659f6b5c5bd9f78f534bc38fea
- SHA1
  
  b5fd5c913de8cbb8565d3c7c67c0fbaa4090122b
- SHA256
  
  c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
- SHA512
  
  86c8d4556c9e0b7d60ccbfee430eb322388449506ab515549cb8d2785582671f2dc2d2a3bd9daded9853caa8bf94d9f92603a3bc527172a85dc7a83d701f7fd0
- SSDEEP
  
  24576:645Rt4El7fc/TFJzjJUgrrCq5sNIwQsUGy1q7a9DlIACTp+kqGslRG:Rjt4El7fc/TFJWstwQsPdSDuACTpqhG
Score

10^/10

lockergoga banker ransomware spyware stealer trojan
- LockerGoga
  LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
  trojan banker lockergoga
- Renames multiple (6678) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral22
- Target
  
  cad20feffc7b67e394cb667c56211449ccc9c474583e4feacb5c2461dd002c5d.exe
- Size
  
  267KB
- MD5
  
  54b101c34309faa7dd58dd249b1c8103
- SHA1
  
  c46268590157f04fbecf35db3c7b5a854fbc1536
- SHA256
  
  cad20feffc7b67e394cb667c56211449ccc9c474583e4feacb5c2461dd002c5d
- SHA512
  
  44d9291407177c429da7e0d5c8ffd7eb1040c1b666d951329edb1ad3c98d68bee62fa73c0374c296374362793c2f9334ff16ee0e040b7b99b11bdc283b2885e1
- SSDEEP
  
  3072:4vDNI+KjNTjuO8zYkS6P+pmjVItNz/jO71r06JvJiPn29D+55HSk99XJcTphigTe:023jNWspjNHSk7uXCRzl5R/ca
Score

5^/10
- Suspicious use of SetThreadContext
behavioral23
- Target
  
  d01b92a1d7e00f34549ee537989890699c7ac34c929ea381a4289e49e2d0e4c4.exe
- Size
  
  164KB
- MD5
  
  0801f10ec6451719bde73ad22de88d5a
- SHA1
  
  9bf9b111da0fdba83ce65a883248a0ea9e26a455
- SHA256
  
  d01b92a1d7e00f34549ee537989890699c7ac34c929ea381a4289e49e2d0e4c4
- SHA512
  
  10311c679c46dfe31815c63df41e6a06f04b03ce2050b3065675fd973e7af27d52dcbea7df74c2baa92344a8b2533c5799508926825a3ea3671097544efedee0
- SSDEEP
  
  1536:WvbSZWtDvM7wIjCEZQ5yyw1oDpP+pfICS4A++GbvF0qcX8opz25maL3SUtNDWyPB:1WhoCE3yw1oVj5DJtOicNDWEzZ9dckwK
Score

6^/10
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral24
- Target
  
  d2a120aa4a8aeb87408828d4e7e0da615cb83e32ca5fccc79eee70bca3ea4d78.exe
- Size
  
  190KB
- MD5
  
  0333e4014e84e0cd41a4be7fab09926b
- SHA1
  
  2e84153ec64edadca3ac7a9b847eb6c651396525
- SHA256
  
  d2a120aa4a8aeb87408828d4e7e0da615cb83e32ca5fccc79eee70bca3ea4d78
- SHA512
  
  d9838b90083625939c644a3b80ad820cbbc5991669ac499612f82e301c553f235743cfd35a2a87cd63e7b6bedf3f57b0bd42e88ef9d9450e9d868b95ec8e6c33
- SSDEEP
  
  3072:3bXCLlcSmk8NNFLehmqbayd4yCVY16YAaMDJvKqJHTwqlQNNJE5AkqA:3byLlcq8tYZbay6Y0YgDdKUHThKNI
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (317) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral25
- Target
  
  d9f7e34bf8a82e137d47849c6397b51a5c127af99c4a843f8f8223687a05daf1.exe
- Size
  
  347KB
- MD5
  
  42696d4882efdf06a79068d7c22eaa5b
- SHA1
  
  e66fde04247efae9e4c94b2eacfb504fba02c573
- SHA256
  
  d9f7e34bf8a82e137d47849c6397b51a5c127af99c4a843f8f8223687a05daf1
- SHA512
  
  226831e511a589a2a79a108aac7ef80696b831534c0b556f627b6be6ce7c1b445167b4b081e226967a13db97bee287edc02d623be9c6373027cba4cbc3f651d2
- SSDEEP
  
  3072:kLQBOJeFK/MtgYcjuwiBrqg0Q+KUYN3PSe57vsR1pEzm43vHeQXTHl:kskQK/JdRios/UOPSe570Szp3mQXx
Score

1^/10
behavioral26
- Target
  
  da45ff208be5e193a3da424f6025a3b257dff0c67fab84bd6a9028862fd5cb95.exe
- Size
  
  47KB
- MD5
  
  bd149d3a77edd144e2ce2a716bbe3a53
- SHA1
  
  fc80e031574033cd57127bec9089dfecfe56bf99
- SHA256
  
  da45ff208be5e193a3da424f6025a3b257dff0c67fab84bd6a9028862fd5cb95
- SHA512
  
  26d0a9684066746fc8e2232a460a1259659ad2cf7d9c491232c6609857a20e160143167155cab2acc74285a162daabd2fa35d9e6008d75083605f941ea98b249
- SSDEEP
  
  768:AMFk4Ow7hmjQsDSw/Xzqn7JmfCRQqK3KQe8AbE+KElIS4hEYgOcWSRsx8Db:AzB8sQ7w/qdbQ1aQE2OqELOcWssx
Score

7^/10

persistence upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral27
- Target
  
  dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe
- Size
  
  1.7MB
- MD5
  
  d4b12487470460653459a54769e974e2
- SHA1
  
  f879a01a2a5d337b97d14c31294e0384bc0ff649
- SHA256
  
  dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8
- SHA512
  
  cdf8f5810a3f8c379030bd4a1686afd9bd6adefefce642ff088c7f0330ee6434120fa1ee90070341c2b1b6990b56005134fd2a71bf0fc29559547bc08c38dbc5
- SSDEEP
  
  49152:nyZOP+5jUgyNvtchcL6yUw4gZ2oe7yUFqm:nyZO0CFHL7Y
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral28
- Target
  
  e8ae1656c225e8de8e57983db87738630d70036aae6cf1c2b486084edb4aa4dc.exe
- Size
  
  180KB
- MD5
  
  fb30134f51e0558818038737ede9a1b0
- SHA1
  
  d364682050a1635182dc5abdfb1cc4174b8e333f
- SHA256
  
  e8ae1656c225e8de8e57983db87738630d70036aae6cf1c2b486084edb4aa4dc
- SHA512
  
  60db80ab100ed48f9764a560333bf19feb54232e4b4ebc2244f5eb32eb2092e97d61d912f7cc5b96c54ffbe40d1fd7b116b2724178f0f4e847ce2772e84e550f
- SSDEEP
  
  3072:qe3VbrfXktqKtl9CuglSCPTU15Y2Gh3hNyCd6U/5Nzc527JsM:qe3tGwuu6GVN/rQE7JsM
Score

5^/10
- Suspicious use of SetThreadContext
behavioral29
- Target
  
  ed09a020459f1b059bba72c76cd00520c119903b0f8b9fe316a83ced5d66ad0d.exe
- Size
  
  566KB
- MD5
  
  b1b840a11642b166ac97fe2aea762504
- SHA1
  
  8e52bd5c7455af60d04f123e05291cf7c73fe0fd
- SHA256
  
  ed09a020459f1b059bba72c76cd00520c119903b0f8b9fe316a83ced5d66ad0d
- SHA512
  
  4d64b1e8b5c7ed6ae818921384e79cc114e0413e8bb36d9f07c30fd85c92b6d1ffca3c31bd4ea2e9a07ef70e96af02ebfa30e4ba57541dd9de16eeafc534c14e
- SSDEEP
  
  12288:e8X3nehEBFf/Fv5gld3IUhghyUbaW41hD:eg32EPVgIGghyman1
Score

7^/10

adware stealer
- Loads dropped DLL
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
behavioral30
- Target
  
  f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
- Size
  
  7.0MB
- MD5
  
  3beee8d7f55cd8298fcb009aa6ef6aae
- SHA1
  
  672a992ea934a0cba07ca07b80b62493e95c584d
- SHA256
  
  f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6
- SHA512
  
  12bd64d10620c1952127c125e7beb21b3727d8afb6440d48058785267b227a534ee6112d84372749496481cb6edb5c90eeb159689b443fe0f10f4a9202a83a5f
- SSDEEP
  
  196608:gUWfTu5s5E6s6eLL1mkJ2Z9Jq5dOYo+SJVTXOD0ch:gUWfTuK5E6s6sBmKk9JMo5/eN
Score

9^/10

ransomware spyware stealer upx
- Renames multiple (60) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral31
- Target
  
  f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe
- Size
  
  127KB
- MD5
  
  8ad03e12a10e43d3876f369e9020a8ec
- SHA1
  
  f267d02e5ee3d5b164afeb38a98feed14e662272
- SHA256
  
  f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150
- SHA512
  
  670cfd2d600a1d2f7ea09893d8d89b46ec4acf80438c456bb18a097c335310ea2629493aeda2de7f832d37a19349cd3d4b785c28306bdab85bd9e281d6039d16
- SSDEEP
  
  3072:j3B9oal6OPHo2tQJz37JrwkFfzA2pg/w:j3oGLPvQhJckZzA/w
Score

8^/10

upx
- Drops file in Drivers directory
- Deletes itself
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral32