dharma

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Sharing

Copy URL

Twitter E-mail

General

Target

samples (2).zip
Size

120.4MB
Sample

240418-xha8wabh29
MD5

aec75f441aa8bee97dde00cf38aa20b7
SHA1

df50a2ff2d2f0892bd9212ca6ebec02c8753c265
SHA256

44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d
SHA512

e6fc8544f3840cc9bc5778baf9294f2df086ed793acd014a354300615fb82effa27bc3c77320d44e9a67404fd1ac7d06bd029829b40936fc9a38deaa46c6ca44
SSDEEP

3145728:VLfH9HbbMDj02Cdpnge0LREc1Z4sJCwZ3lehMSA/nSMBTlrdG:xP9HbbM0P0LLb0wxchfA/nSMBhg

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\README-ISHTAR.txt

Ransom Note

# ---------------------------------------------------------------------------------------------------------------------------- # ДЛЯ PACШИФPOBКИ ФAЙЛOB OБPATИTECb HA ПOЧTy youneedmail@protonmail.com # ЛИБO HA # BM-NB29yqgNJsWrWJT5fQR1JC5uoz2EoAGV ИCПOЛbЗyЯ BITMESSAGE DESKTOP ИЛИ https://bitmsg.me/ # ---------------------------------------------------------------------------------------------------------------------------- # # БAЗOBЫE TEXHИЧECКИE ДETAЛИ: # > CTaHдapTHый пopядoк шифpoBaHия: AES 256 + RSA 2048. # > Для кaждoгo фaйлa coздaeTcя yHикaлbHый AES ключ. # > PacшифpoBкa HeBoзMoжHa бeз фaйлa ISHTAR.DATA (cM. диpeкTopию %APPDATA%). # # ---------------------------------------------------------------------------------------------------------------------------- # ---------------------------------------------------------------------------------------------------------------------------- # TO DECRYPT YOUR FILES PLEASE WRITE TO youneedmail@protonmail.com # OR TO # BM-NB29yqgNJsWrWJT5fQR1JC5uoz2EoAGV USING BITMESSAGE DESKTOP OR https://bitmsg.me/ # ---------------------------------------------------------------------------------------------------------------------------- # # BASIC TECHNICAL DETAILS: # > Standart encryption routine: AES 256 + RSA 2048. # > Every AES key is unique per file. # > Decryption is impossible without ISHTAR.DATA file (see %APPDATA% path). # # ----------------------------------------------------------------------------------------------------------------------------

Emails

youneedmail@protonmail.com

URLs

https://bitmsg.me/

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\read_it.txt

Ransom Note

YOUR PERSONAL INFORMATION IS NOW ENCRYPTED WITH MILITARY GRADE ENCRYPTION by BAAL RANSOMWARE All files on all affected machines and network have been encrypted with Baal Ransomware Encryption. What guarantees do we give to you? You can send 2 of any encrypted files to us to decrypt then send them back. Who is responsible for the Ransom Fee? The SARB & SA Mint Organization not its employees or assosiates will need to pay the fee to obtain the unique decryption code & tool that contains the private key linked to this specific ecryption. NOTE: All data is ecrypted (locked) not overitten hence can be decrypted with assossiated key only. You have only 6 (six) days to meet the Ransom fee in Bitcoin. Instructions: 1. Send 121 BTC (Bitcoins) to the following receiving address: bc1qvrqgycul7svc33hs0ejqn5p2ewewynjkea90h7gcednhdj2745tslla7z9 Note: All Bitcoin transactions need six confirmations in the blockchain from miners before being processed. In general sending Bitcoin can take anywhere from seconds to over 60 minutes. Typically, however, it will take 10 to 20 minutes In most cases, Bitcoin transactions need 1 to 1.5 hours to complete. 2. Send blockchain transaction id screenshot not link via to the email address: blackbastabaalransomware@protonmail.com 3. Once the transaction is be confirmed. We will email back the one-click decryption tool to fully decrypt and recover all your files and remove the randsomware on all your machines and network permantly. (No I.T. background required). 4. The decryption usually takes about a few minutes to an hour depending on the scale and size of the files and additional drives the Ransomware has spread onto the network. What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt then send them back. You have 6 days until the decryption keys are terminated and all data on affected machines and networks will never be recovered. We make use of Military Grade AES Encryptions. Without the linked decryption key you can just forgot about ever recovering encrypted data. ------------------------------------------------------------------------------------------------ 'Blessed are the strong for they shall inherit the Earth' - Codex Saerus

Emails

blackbastabaalransomware@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Local\FreeWorld-Contact.txt

Ransom Note

I encrypted your system with a vulnerability in your system. If you want your information, you must pay us. The ransomware project I use on your system is a completely private project. it cannot be broken. unsolvable. People who say they can help you often come to us and they ask us for help on your behalf . In this case, you have to pay more than what you normally pay. If you contact us directly, the fee you will pay will be lower. You may not trust us . but we are trying our best to help you. We can direct you to a company whose data we opened and helped within 48 hours. We want you to know that we have references all over the world. We do not work in a specific region or country. The company we will direct you to can be from any part of the world. We may also share various images and videos with you. We will open the encrypted data. this is our job. We get paid and we help. We cover your vulnerabilities. We ensure your safety and give advice. It is not just your data that you will buy from us. also your safety Our aim is to return the hacked systems back to you. But we want to be rewarded for our services. The most important thing we want from you. be quick . Respond quickly when communicating and quickly conclude the case. We don't want to waste time. We can prove to you that we can open encrypted data. You can send the sample file you want with .png ,jpg,avi,pdf file extensions that are not important to you. We will send the file back to you in working condition. Our file limit is 3 . we can't open more for you for free. You can send us your database files. After we have your database file working, we can send you a screenshot of the table you want. If you want to talk to us instantly, you can contact us via qtox. qtox program address: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe My qtox address is: E12919AB09D54CB3F6903091580F0C4AADFB6396B1E6C7B8520D878275F56E7803D963E639AE Email address: freeworld7001@gmail.com Contact number : JIXNEcLEd_L6ScfTAS_qNCCv24RnCF6PTnA8uDRjvmQ*FreeWorldEncryption When you contact us, share your contact number with us.

Emails

freeworld7001@gmail.com

URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note

Dear Management! We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 55 GB of your and your customers data, including: Accounting Marketing data Confidentional documents Copy of some mailboxes Databases backups We understand that if this information gets to your clients or to media directly, it will cause reputational and financial damage to your business, which we wouldn't want, therefore, for our part, we guarantee that information about what happened will not get into the media (but we cannot guarantee this if you decide to turn to third-party companies for help or ignore this message). Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact me: RichardSHibbs@seznam.cz or RichardSHibbs@protonmail.com Additional ways to communicate in tox chat https://tox.chat/ contact our tox id: 5BF6FF6E9633FDCF1441BF271CBE5DAE1B6B027FA5B85A6EE5704E8B7FEC8E50A323CD66F7D2

Emails

RichardSHibbs@seznam.cz

RichardSHibbs@protonmail.com

URLs

https://tox.chat/

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note

We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 250 GB of your and your customers data, including: Accounting Confidential documents Personal data Copy of some mailboxes Databases backups Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor. Any other program will only damage files in such a way that it will be impossible to restore them. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact us: funny385@swisscows.email or funny385@proton.me =========================================================== Customer service TOX ID: 0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58 Only emergency! Use if support is not responding

Emails

funny385@swisscows.email

funny385@proton.me

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note

We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 25 GB of your and your customers data, including: Accounting Confidential documents Personal data Copy of some mailboxes Databases backups Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact us: funny385@tutanota.com or funny385@swisscows.email =========================================================== Customer service TOX ID: 0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58 Only emergency! Use if support is not responding

Emails

funny385@tutanota.com

funny385@swisscows.email

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR LQEPJHGJCZO FILES.TXT

Ransom Note

We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 100 GB of your data, including: Accounting Confidential documents Personal data Databases Clients files Important! Do not try to decrypt files yourself or using third-party utilities. The program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program can only damage files. Please be aware that if we don't receive a response from you within 3 days, we reserve the right to publish your files. Contact us: franklin1328@gmx.com or protec5@onionmail.org

Emails

franklin1328@gmx.com

protec5@onionmail.org

Extracted

Path

C:\Program Files\Google\Chrome\Application\#NOBAD_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 InkognitoMan@tutamail.com\par InkognitoMan@firemail.cc\par empty\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 3327BD6FB3D94447\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b empty\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 3327BD6FB3D94447\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 4KiCYYNX\cf0\f1\fs32\lang1049\par \par }

Emails

InkognitoMan@tutamail.com\par

InkognitoMan@firemail.cc\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Blacklist@cock.li Write this ID in the title of your message 6DD7E5DC In case of no answer in 24 hours write us to theese e-mails: Blacklist@cock.li You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

Blacklist@cock.li

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR HGJZITLXE FILES.TXT

Ransom Note

THE ENTIRE NETWORK IS ENCRYPTED YOUR BUSINESS IS LOSING MONEY! Dear Management! We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 100GB of your data Personal data Marketing data Confidentional documents Accounting SQL Databases Copy of some mailboxes Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. Write to us directly, without resorting to intermediaries, they will deceive you. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact us: candice.wood@post.cz or candice.wood@swisscows.email Additional ways to communicate in tox chat tox id: 83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97

Emails

candice.wood@post.cz

candice.wood@swisscows.email

Targets

- Target
  
  04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
- Size
  
  2.1MB
- MD5
  
  e4bf35b81bfaa0e789ad9461dbacb542
- SHA1
  
  dcf7b855b2c3516a6b88a410ef5b44a2c650f62d
- SHA256
  
  04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
- SHA512
  
  6635342515a01acde48792cb362dc9e5bd7ffc4fe6a9b8b2fdb0d6c8758d79db847daf28e2fe700a898425214d95d2707337c900c695a47cfd9dada946adf64d
- SSDEEP
  
  49152:Iw80cTsjkWanAlfiebWlHcA+G6HYaqK3hUQrObmyPYjR+:Z8sjkrgWezG6lh73jR+
Score

10^/10

collection persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507
- Size
  
  2.9MB
- MD5
  
  ec2a8d8f7853397f86a4c96fdbe01b19
- SHA1
  
  daaeb314219acb7f10268512c8358a6941d53da3
- SHA256
  
  0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507
- SHA512
  
  f75ee827b41ff1783208f3116130b8c29c958059f589b8df4d423896bafa24f4aae5a19a990271a2caf98880772b23ad719c7c141b8e1ea6f0e1eda58f0a4e68
- SSDEEP
  
  49152:yKRy/NLHsvdoewagi6rndXTrKdRRzsdydWLToel51txKRy/N:yKRshsdo/PrndXTrKdRRwZLJl3KRs
Score

4^/10
behavioral2
- Target
  
  1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9
- Size
  
  5.3MB
- MD5
  
  393247c068ff136a28c6ef99a0e004ad
- SHA1
  
  d1acbc1d3f796745de7fdb65fe290f2876bf38cd
- SHA256
  
  1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9
- SHA512
  
  6bd2bf2f9c1e89e77d4365c73cb9e13782b2055dd7e5b6d54bc45265349e8d569fe7036c99f582ee47d9d6b8a41bc8eb02524baba8ed9c7d69975c27169b5afe
- SSDEEP
  
  98304:Puzw2CTViOip5X+MHsMgBXN2/H4QJP6u822wpXJun9TLrynQnI1:PuzITVb0OysM49vgPCMJwHy/
Score

7^/10

vmprotect
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral3
- Target
  
  30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49
- Size
  
  1.2MB
- MD5
  
  9d43722941309d477e25b7d48b085d00
- SHA1
  
  79793205208d8679b1d1dfe06475a4e52c8b1846
- SHA256
  
  30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49
- SHA512
  
  7f2e8a7c38776c1b3c2898b9c7367f51060b4a6ca1385314fd2da417cfe2d18a84f6891dfe18ef28e477037ed84eb2fbbecbeef294751cff0de52ea6c9566efd
- SSDEEP
  
  24576:K6FBigVov3pjeA+07ASgSl+YYxJuWMvV36/K+VLebSKLvBTyPj+dyqG2W0b1:7Bi53w3eqi+mfJujkyqG29x
Score

9^/10

evasion ransomware spyware stealer
- Renames multiple (683) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral4
- Target
  
  335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf
- Size
  
  3.7MB
- MD5
  
  9c7e90d7637277bb4f4985405eb0ace9
- SHA1
  
  5b0899d790eb4a37260e5d9b8a2ad3f2ada55b1d
- SHA256
  
  335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf
- SHA512
  
  7b57021edfa1108558c2d02df0600de55fd9338dfebc044c03dc677072975acc216a0374cff270d9d75f20e5b92b252f75b2ad3b94f603e7a09f69c14ca888d9
- SSDEEP
  
  98304:Pvqlou/EtfzJS+1S6+T9aLcNvvj5Pudln7QktFJLRyC2hVW13:w/Q7I+T8aLcNvvjQn7QkjFkDVW
Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx
- Matrix Ransomware
  Targeted ransomware with information collection and encryption functionality.
  ransomware matrix
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral5
- Target
  
  3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
- Size
  
  3.1MB
- MD5
  
  3e24d064025ec20d6a8e8bae1d19ecdb
- SHA1
  
  aaf26fd22d5cab24dda2923b7ba6b131772b3a68
- SHA256
  
  3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
- SHA512
  
  02eeddcb6d33dada9214503ab460d409ba429dfb00c756722188e2b7b9a65dd054a0bdacf45613ef3d6aa9524f256da155e33daf94eade384dc94f7716724896
- SSDEEP
  
  49152:yAqPm6R8fkBn5GSOsnvjXo2KzB931XYPy:0O6R8fklXo2KzBHX
Score

1^/10
behavioral6
- Target
  
  42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046
- Size
  
  1.2MB
- MD5
  
  85f7df557b52cfb4850dbdd5040417f6
- SHA1
  
  4773ecc3311a02f7a9851ef8721c2ab6e903ea78
- SHA256
  
  42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046
- SHA512
  
  ff2dc51db02259df61c70985140ae8f65690fc910ecc6161f65f71208a0ee0bacc7bd6df5dbc7802fa4cb4ce03968f52e3bf949c21b24a0fc543c6e473d686f1
- SSDEEP
  
  24576:f6FBigwov3pjeA+07ASgSl+YYxJuWMvV36/K+VLebSKLvBTyPj+dyqGYV0b1:YBiI3w3eqi+mfJujkyqGY2x
Score

9^/10

evasion ransomware spyware stealer
- Renames multiple (734) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral7
- Target
  
  4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2
- Size
  
  4.7MB
- MD5
  
  e86893b92eca6e8dfbcfb9bbc08ee973
- SHA1
  
  acaf1392ea344a074cd4dd47faa6a7e1530747f3
- SHA256
  
  4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2
- SHA512
  
  24f258fb7f088b9c139ef83dd90c63248eee3e85b871841406765386dad20e48d2b8cdd19a0e165e10ff5eeb4494bafd3c84989f3f73112c1273399f7b23f635
- SSDEEP
  
  98304:0s7ZE5JsxXe8NpqBjkZxHJMAM0hsEfIOC34SSPl0V1Eo7N3grvl0iqN+XW0FUlK0:0srXe8NEMMAZhsXOCYe3P7NuI4WHlK8
Score

10^/10

dharma persistence ransomware spyware stealer vmprotect
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (339) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral8
- Target
  
  5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7
- Size
  
  4.8MB
- MD5
  
  5a3c5576c359ce4f40b3274209db2e76
- SHA1
  
  8d38f1c0953013d623bea6d6f6f47d5a0c7027f9
- SHA256
  
  5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7
- SHA512
  
  a9780e15702531d22a7088bb1de49c083499244819732f07c7a1c22bea00aa3592231766adae42ea8f980896a659a46a51a58e4e366a35e327f9d788ff88e5eb
- SSDEEP
  
  49152:Dc2Ee3ScTnrb/T5vO90dL3BmAFd4A64nsfJG0CJZGSUeU/o/ZsPfNW7Ew5EzUgr0:73l8ZSUOyaEUVHB72INLu6SZJZ
Score

10^/10

evasion ransomware spyware stealer
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Stops running service(s)
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral9
- Target
  
  627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3
- Size
  
  31.9MB
- MD5
  
  446fb9d942879e16c30b4cdd4cfca25f
- SHA1
  
  15db57519b54475ca7961a558806c6c49df85d5a
- SHA256
  
  627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3
- SHA512
  
  14ec30f91f678fe0ae4b3d681389f4f5a5a01ea2b0cfaf7835025206bde8589f78e3a3a1308089c3331d650ee539ed9dbe723ca7edc72cb3b1996ef7b1d0ad6f
- SSDEEP
  
  786432:k+yF8WWxUdUd1LRphkc3FphBWGlso5EYW8GUCUEDDu4Kucccd8:WF8WWxUUddRzFphBZd5E7UCpDfm
Score

7^/10
- Loads dropped DLL
behavioral10
- Target
  
  63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f
- Size
  
  7.2MB
- MD5
  
  14d4bc13a12f8243383756de92529d6d
- SHA1
  
  54b8fc5de74856d90cad60da8cc41b98940e6a15
- SHA256
  
  63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f
- SHA512
  
  bbf499f3c3c20d5fe4310995edff3955365398923e6131cb318ee3cd762e034cd798e826bae00a680053846ef2a50c5f153bdb4d2d8cbc93688b9f8a8cf5b55a
- SSDEEP
  
  98304:1VRCs/IYJ5dqZqbKW9oNV8xOerpA8sNqdKe+GCsJ+JjhLeA6dw3:1Vt/TqcbKLpea8s3XsJ+Jjd
Score

1^/10
behavioral11
- Target
  
  645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279
- Size
  
  2.4MB
- MD5
  
  38529ecca6f8857442331c40e1bd5f9d
- SHA1
  
  37fe11751277dd8cc889e0c05d7fde88b98aa67c
- SHA256
  
  645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279
- SHA512
  
  a837e6f5452c939f7a7dcf16613fab486bb584c20aeb3121748d1dae731c4161a19ea2f9863bf621dc8c61101860b3ebfb3c4a780c8f1c07bd1ad59c90540d4a
- SSDEEP
  
  49152:hxFNFf4ZjhxNdNGa5YLuOARYNdNXc0xI5mmswos1:hxF7Q3xDAa5qARYDS0xIg
Score

1^/10
behavioral12
- Target
  
  64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b
- Size
  
  1.7MB
- MD5
  
  2b34badcdfb0921ee43548475c0ec5bb
- SHA1
  
  2cfe28584ae7649e3fe0ae150bfe49f7eabc6cf9
- SHA256
  
  64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b
- SHA512
  
  c31ac862ac9211821332aa8fd03110ca3ef89304fead4a900d2190c4a3950d2d6e5704b06ab3edf2ea6c6d3b9c225e5220e62496dc42948ec6125618924f880c
- SSDEEP
  
  24576:++H1KCVkwjVSjdao2bwzUaSze1AeHm/gcgX+7waf7gm7yZADfBFdOgSeiseIK1S3:399byqze1I3o+rH+MFdOsZvShn9T
Score

10^/10

evasion persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral13
- Target
  
  741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e
- Size
  
  2.4MB
- MD5
  
  675716e76d329c21fd1c8584c4bbf4e0
- SHA1
  
  3f31361a356346980a458f72639b167f8557d997
- SHA256
  
  741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e
- SHA512
  
  33990b75e05409956567e2c417c4af3cefed346d18b1c990651ba9ae55f4c41e448f48e708ebb3f0a47dd2f95a648d99fa49b1f53bd68275754a98662451b75e
- SSDEEP
  
  49152:T1qnoAYJ+dAyibulZllnhELJPA2GINhptUhwRVmif4lqKw1UWHgCw8SbdkYMy:pMoAYJlyi8WBAypSQVf4l21xw80ke
Score

10^/10

xorist evasion persistence ransomware spyware stealer themida trojan
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Renames multiple (2154) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
behavioral14
- Target
  
  7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d
- Size
  
  2.0MB
- MD5
  
  7d3d04681922c50a4d7e716ebc2fd3a6
- SHA1
  
  8cdf195cf57a871e13fd67a9a9ac6dd836b9e958
- SHA256
  
  7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d
- SHA512
  
  65846e9852a967cca13de0e62f2d6c4489c84bd0e4857d68dbcef48dc4db7326e8fd8252bfb6bdf9fd780ad6059ff559bfb6df69e741a75a22ad14da6bc0c803
- SSDEEP
  
  24576:XN+lSpYnaceEGmmgqPpcfiBKs7qN9zg5MFkXgMkBH1n1yr6hw1R0D+UlVkG0lC99:XsaQe9DhyVu4wZkTn1yp0D5sS1HpV9F
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral15
- Target
  
  80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4
- Size
  
  4.0MB
- MD5
  
  d59aa49740acb5e45ecb65da070035e3
- SHA1
  
  4086107b3fb71fb02361306da6099a85be97ae1d
- SHA256
  
  80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4
- SHA512
  
  459805b020b78399fae8ac5e8ed439df1b8852519014029833794d2eaad1b1f2aecc3aaba99ae52a0881cf57987d4a60298acce04a9fa9299e9d21a832a335a5
- SSDEEP
  
  98304:4gwRDvguPP+oGPn58kcuf2ilfio/roYs30f2hi:4govYoGPn5/ui8hi
Score

10^/10

mimic evasion persistence ransomware spyware stealer trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (6574) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Sets file execution options in registry
  persistence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral16
- Target
  
  8cc9f83e2ec4d36e50ec8407932ff3b8a7ad188a0cb95dad78028cce7921e492
- Size
  
  23.2MB
- MD5
  
  a3e60b4c3bbc4f5d00a21a22c8992716
- SHA1
  
  3aef215dedad59012597b4828b7e4ed1d41ad742
- SHA256
  
  8cc9f83e2ec4d36e50ec8407932ff3b8a7ad188a0cb95dad78028cce7921e492
- SHA512
  
  87acf16c9240caa1f48a4e4d377eb642474f19df656d9c53526358f0862c1d8f83fb32050a5918f669ead105296d9858f2120347e11bfd666fbe6f5ee4d5967c
- SSDEEP
  
  393216:MKfBJaxuIzEhbP7xl9GMToeL7QXy5SkmXZQjlf5alYftktB6FYNX9Mh9PVoXNRLI:MKZJaxl8bPDjLU7RXK6lYfCvyh5CYa0r
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral17
- Target
  
  9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795
- Size
  
  1.3MB
- MD5
  
  22a975eb038011095e8b9ff9a3078ffa
- SHA1
  
  f2762fb4a819dad55daf7ae3f9e96753f04df94c
- SHA256
  
  9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795
- SHA512
  
  6cecf00b511ac39acf1b5920996b920787e13c6fbc9cc3fe46526c044f0d6813da55ee88205b8138033b55915ae6fd31c1149bef07b3116cb2459de017334a52
- SSDEEP
  
  24576:qI0Clbs7Kjsbs0pwKR1aQ9qVLUOHkXzWsfI9mO35s8RI93VZ4+nnI6i207pCS1Rp:oClbs7Kjsbs0pdR199qVLUOHkDWsfimT
Score

9^/10

evasion ransomware spyware stealer
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral18
- Target
  
  de1793d8db7f58f0ef53bee7fb0942ef4c6c348e4a547b6cfeb74ffa8de56cdf
- Size
  
  9.8MB
- MD5
  
  d07e516fdc1272e4e942e34a87f80e62
- SHA1
  
  22505c7dd91d27defe4ca7e6d6dfcb5aa46a0ea6
- SHA256
  
  de1793d8db7f58f0ef53bee7fb0942ef4c6c348e4a547b6cfeb74ffa8de56cdf
- SHA512
  
  fcb35f419bd089d2e4002e3dbd57082612dda8fb6d9b782bcede5a29ee63f1bd94f83e8b757dd89bc5c2930b9a3ad7fccf648bb3b83c43a4203e087e76bdc53d
- SSDEEP
  
  196608:L7uz6d21DDBeEEPpFYwUL4wi1c9en8Odqsem32RrpcNFmRMA67raxE:L7u+mwEEoRLmZnqs63/SuE
Score

3^/10
behavioral19
- Target
  
  de6da70478e7f84cd06ace1a0934cc9d5732f35aa20e960dc121fd8cf2388d6e
- Size
  
  5.2MB
- MD5
  
  8bd7cd1eee4594ad4886ac3f1a05273b
- SHA1
  
  ad046bfa111a493619ca404909ef82cb0107f012
- SHA256
  
  de6da70478e7f84cd06ace1a0934cc9d5732f35aa20e960dc121fd8cf2388d6e
- SHA512
  
  62e0946dce24a8bd5c98470edd8665acf2a99eb4016936e937cec806b12ff7be1bef323e5f44225046a8a6b676873ce00c35a7a2f52b864d2709fd16a273c9af
- SSDEEP
  
  98304:YqFOH+gETpGHN/MC8gehPP8E4dJHDCkjpqLaINhm4PlVVEzY:YqtgEMkrVPiDCQUphmulnr
Score

1^/10
behavioral20
- Target
  
  dfef52ffdea9d5129cd6bf0b3df2997db40091a4bdb7f356f48feec5ac5ebcfe
- Size
  
  8.6MB
- MD5
  
  ef593e4713e733dbe75277f79f76ba01
- SHA1
  
  6ae75342e56ba64f5b8d4a86cd14beeb1b2ed1fd
- SHA256
  
  dfef52ffdea9d5129cd6bf0b3df2997db40091a4bdb7f356f48feec5ac5ebcfe
- SHA512
  
  566b2f292498c9cb0ba4f99a3ac658df8f31c7e5e79bc4773027461cdf77bb96922cd461223b47bc5a8d45b6408cd358a5b4135b48093ce75d6abed60c72aeb3
- SSDEEP
  
  196608:cVB3kHo8Nb2ga7OFQOurL3Vz8uZMb3ObpSzZTfurSu:mmIO2iQhlzBZMb3dzZfsS
Score

7^/10
- Loads dropped DLL
behavioral21
- Target
  
  f3c6dac2d21f7289e2807c0479a76105a5e8ed3a5c7ccbeae6d289e0b6e6880f
- Size
  
  3.9MB
- MD5
  
  e935daaad632a9539fcddcb2839a4413
- SHA1
  
  96f7794f17ce6d4f4bd34242b86035728612cd6d
- SHA256
  
  f3c6dac2d21f7289e2807c0479a76105a5e8ed3a5c7ccbeae6d289e0b6e6880f
- SHA512
  
  515fe24aa8203c83e58ba59621bc057da2b6f9f5529dd18fc11b5f3001503d10d06ec58d654f1446707113581c4d51d39e4144f47a7ab1a80fe609c89d8bf9c8
- SSDEEP
  
  49152:QqfUqBfTafqaa5Xa+Xyqr5LFZBUM2/x102UlJnI7mRkyMDiNZri3r8SZ:QqfHr+qF/C0rBN2Z/yMDiXgr
Score

10^/10

ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (7816) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral22
- Target
  
  f682e063bc2c822fbe3083507b0717b1f8bc244149ed9acd9a78566f5a79a140
- Size
  
  4.5MB
- MD5
  
  6dab3197c3332edd2b1d6eb9a362b407
- SHA1
  
  007aed90515d81779eae9b7a4b5676f158fc8d49
- SHA256
  
  f682e063bc2c822fbe3083507b0717b1f8bc244149ed9acd9a78566f5a79a140
- SHA512
  
  cc47a75c1189222dc1334c6773acfa2ee561f2df1a63553374e9997696b1fdf02ce3a6389e4690db6b9b0ec3ae73663f5aa1007e63ef91df43371e77a65b1157
- SSDEEP
  
  49152:p3Uc3/rb/TzvO90dL3BmAFd4A64nsfJ1e76Gn3oJymCTCCC5EigrabyP2NgIbgzI:F30MAJJ/Eg2uNT6nNbOC0DCZFOs
Score

10^/10

ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (7879) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral23
- Target
  
  f7537bf47cc039b9cda59c844faa90a75ba80f08148166fd83ff10a0bf55120b
- Size
  
  4.5MB
- MD5
  
  34ca54d0a320c9562508906a1cd5b3f7
- SHA1
  
  9bb0676124632562a65d3b09ca2cd884eb2a0123
- SHA256
  
  f7537bf47cc039b9cda59c844faa90a75ba80f08148166fd83ff10a0bf55120b
- SHA512
  
  9bf7c8a028d2cf55227c9967165b783ffe90aa8ae233fafe886197011322370121c43ecc33d411d426e502abd703e598fd89c85659f69de53d934d442a901044
- SSDEEP
  
  49152:9Yd/3Orb/TzvO90dL3BmAFd4A64nsfJiIdNqqsSn0uYTDCG5EWwgrabyP2NgIYdt:I3UobnTeEh2uN96nubOC0DCZFOs
Score

10^/10

ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (7896) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral24
- Target
  
  f89ee06ed27ff00fa5d8f6a5811a9e57063c72c9ec7d478321cdf2a2f018866f
- Size
  
  4.8MB
- MD5
  
  80c4eabe7ca7200a3735cafe4246e43b
- SHA1
  
  f19ea1ca4c8e0ac88c25d5d433dca3413d17d2f9
- SHA256
  
  f89ee06ed27ff00fa5d8f6a5811a9e57063c72c9ec7d478321cdf2a2f018866f
- SHA512
  
  d6db156fdf7b762295d03f8deb568e584c3d92952156142276f68d05e1a4c3bdaf541b2709ddd9630c6aee249e81d0537ad4e1fcc05f1170c2100cef83a3e11b
- SSDEEP
  
  49152:c5Yvom3XQQNrb/T5vO90dL3BmAFd4A64nsfJXL42r+S++UwP5VfvqmEw5EwHgrYD:F3ve2S+YBEqVHBCEhLRSm
Score

10^/10

evasion ransomware spyware stealer
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Stops running service(s)
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral25