General
-
Target
ed258fab2d66d0d6e37b6239cac18d06f47ae7d5d399e03207882fdd48249f6e
-
Size
336KB
-
Sample
240421-eyd1laah97
-
MD5
7e74488cbfc49c0c7bc44d1267f36242
-
SHA1
8ee411e1f34acfab88e77e9a3dc21f385d1d36c2
-
SHA256
ed258fab2d66d0d6e37b6239cac18d06f47ae7d5d399e03207882fdd48249f6e
-
SHA512
d6f09b84b319febfb4012ba2bb6e1853fb397a78bdac8b209e4e2ea0f74fca688f86f28491818a8556cbceff2cec712d818fcd0e4298a67e26be4cd358fa8c8f
-
SSDEEP
6144:mI0Ibcg48HwB4XPhEjEuLRcPOQZnW3I40hTB47B/a6p:F0IF4swB4XPhinRcL43Yhe/a6p
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+btjhh.txt
http://rbg4hfbilrf7to452p89hrfq.boonmower.com/14B4F0FED2BEA6A3
http://irhng84nfaslbv243ljtblwqjrb.pinnafaon.at/14B4F0FED2BEA6A3
http://t54ndnku456ngkwsudqer.wallymac.com/14B4F0FED2BEA6A3
http://xlowfznrg4wf7dli.onion/14B4F0FED2BEA6A3
Targets
-
-
Target
ed258fab2d66d0d6e37b6239cac18d06f47ae7d5d399e03207882fdd48249f6e
-
Size
336KB
-
MD5
7e74488cbfc49c0c7bc44d1267f36242
-
SHA1
8ee411e1f34acfab88e77e9a3dc21f385d1d36c2
-
SHA256
ed258fab2d66d0d6e37b6239cac18d06f47ae7d5d399e03207882fdd48249f6e
-
SHA512
d6f09b84b319febfb4012ba2bb6e1853fb397a78bdac8b209e4e2ea0f74fca688f86f28491818a8556cbceff2cec712d818fcd0e4298a67e26be4cd358fa8c8f
-
SSDEEP
6144:mI0Ibcg48HwB4XPhEjEuLRcPOQZnW3I40hTB47B/a6p:F0IF4swB4XPhinRcL43Yhe/a6p
Score10/10-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (430) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-