magniber | f104ab345da41762fa5a07302859289e162fe197c2b1270f8f5d12354a670b5e

General

Target

f1d9097da5a25704b82246e6a1530237_JaffaCakes118
Size

38KB
Sample

240415-y54z5she6y
MD5

f1d9097da5a25704b82246e6a1530237
SHA1

1a21d31df7941616cf6e2e3c7b790b2096ce3b4e
SHA256

f104ab345da41762fa5a07302859289e162fe197c2b1270f8f5d12354a670b5e
SHA512

d5f4ea9ad04dc7472c9ed1db54ff2ec570c89c53ea8374bf7da19f27ada0d7c766af457f953896d7fc62046d00a6df7a62d71ae36982b6939d75c34d2c6ae96d
SSDEEP

768:1Czs1U46clW4VbXoTS22idEzKfu/m+SyNtLrSSAcLCjXUZdr:eqsclW494TSr8EzKG/NdroU

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://da68cc1016a8b8d0a8inacxat.nvnt3l2aee6eejcmzq3w72d4dnkmeemljh5qroq2lrr2spgtnqpxdgad.onion/inacxat Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://da68cc1016a8b8d0a8inacxat.riddare.quest/inacxat http://da68cc1016a8b8d0a8inacxat.buyhas.space/inacxat http://da68cc1016a8b8d0a8inacxat.owedbad.uno/inacxat http://da68cc1016a8b8d0a8inacxat.tillnor.monster/inacxat Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://da68cc1016a8b8d0a8inacxat.nvnt3l2aee6eejcmzq3w72d4dnkmeemljh5qroq2lrr2spgtnqpxdgad.onion/inacxat

http://da68cc1016a8b8d0a8inacxat.riddare.quest/inacxat

http://da68cc1016a8b8d0a8inacxat.buyhas.space/inacxat

http://da68cc1016a8b8d0a8inacxat.owedbad.uno/inacxat

http://da68cc1016a8b8d0a8inacxat.tillnor.monster/inacxat

Targets

- Target
  
  f1d9097da5a25704b82246e6a1530237_JaffaCakes118
- Size
  
  38KB
- MD5
  
  f1d9097da5a25704b82246e6a1530237
- SHA1
  
  1a21d31df7941616cf6e2e3c7b790b2096ce3b4e
- SHA256
  
  f104ab345da41762fa5a07302859289e162fe197c2b1270f8f5d12354a670b5e
- SHA512
  
  d5f4ea9ad04dc7472c9ed1db54ff2ec570c89c53ea8374bf7da19f27ada0d7c766af457f953896d7fc62046d00a6df7a62d71ae36982b6939d75c34d2c6ae96d
- SSDEEP
  
  768:1Czs1U46clW4VbXoTS22idEzKfu/m+SyNtLrSSAcLCjXUZdr:eqsclW494TSr8EzKG/NdroU
Score

10^/10

magniber ransomware
- Detect magniber ransomware
- Magniber Ransomware
  Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
  ransomware magniber
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (71) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2