Overview

overview

10

Static

static

3

68430c6b95...ce.exe

windows7-x64

10

68430c6b95...ce.exe

windows10-2004-x64

10

Resubmissions

24-04-2024 03:52

240424-efbgraef5w 10

24-04-2024 03:51

240424-eegblsef43 7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    16819576831.zip

  • Size

    258KB

  • Sample

    240424-efbgraef5w

  • MD5

    e1cb33520f6a08fc9bce7e18478efde8

  • SHA1

    c78ae7436a57fffcf4027fe813b985af674a589d

  • SHA256

    d7359087273f249cce6c01e7a0fb0a80f296b33b112841061534670211d69c37

  • SHA512

    e32768ca8a99b6d71933bec499c070000147bcd569ab8d0b04c54f657c16dedfe7d08d8984382ae0d5d8becc4a77ef9e9a9f40f1481b244a31e3b965899cf705

  • SSDEEP

    6144:YokWFVc4JZjNwT3aKo+95cbjedZWIIASpIDgJ7p///2KRlr5/ugC4F17lnJRzttX:YoLfXKjR9+bqdZ92FeKRlr5/ugCGdltB

Score
10/10
targetcompanydiscoveryevasionransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\FILE RECOVERY.txt

Family

targetcompany

Ransom Note
Hello Your files are encrypted and can not be used We have downloaded your confidential data and are ready to publish it on our blog To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: D97B9F75CF75EECDF538AB81 5) You will see payment information and we can make free test decryption here 6)After payment, you will receive a tool for decrypting files, and we will delete the data that was taken from you Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�
URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Extracted

Path

C:\Program Files\7-Zip\FILE RECOVERY.txt

Family

targetcompany

Ransom Note
Hello Your files are encrypted and can not be used We have downloaded your confidential data and are ready to publish it on our blog To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 2D74B21BF9B723858980BBCF 5) You will see payment information and we can make free test decryption here 6)After payment, you will receive a tool for decrypting files, and we will delete the data that was taken from you Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�
URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Targets

    • Target

      68430c6b95cc97d1966b7d01bfb775d9e4441517218022b10beaccb503fbb2ce

    • Size

      353KB

    • MD5

      2853535ed2edfdb3ad9e483a03c8c571

    • SHA1

      8c734ea52b0157f2870f48709ce296adb6a2cb91

    • SHA256

      68430c6b95cc97d1966b7d01bfb775d9e4441517218022b10beaccb503fbb2ce

    • SHA512

      2661cb2c77aa73e4526f556744ecaacd477020cb82f54aee53370e68a092d6d90f3d963fb67863cf8731ac34c74a5979e7d9fe35d8823034448ea2a7a3504a06

    • SSDEEP

      6144:LUyAMK8QlV6x+SN+B23sY7PAJT4N6DyHRbIuptrinxKvNFgRPlBuVnkOZO:LUyzN++7PaQxrqxUgRPlwVkO

    Score
    10/10
    targetcompanydiscoveryevasionransomware

    • TargetCompany,Mallox

      TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

      ransomwaretargetcompany

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (6360) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks