Overview

overview

10

Static

static

1

5c004c361f...ad.exe

windows7-x64

10

5c004c361f...ad.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe

  • Size

    2.2MB

  • Sample

    240505-bh1ymshg31

  • MD5

    08cee68cb913dd71800f0283c49af6d3

  • SHA1

    eb4058134cd74c681445a1a81c31ef729c80a7ec

  • SHA256

    5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad

  • SHA512

    1052130474915e5256c1bcc95636489535e38ca23cfb615e6b0e8b6c37c6c6ba89aa793a9aac9321d843d0cd0c6f10c85a30b2b689531c457638ce26555276fc

  • SSDEEP

    49152:+8cRU4kwcctnR19Y1Iqdwc2EyEvh6Re14IIQ+cUznT9PuYXVWXCxzhm:+TXkw5RWlifE3vwVIB+cnYXkgm

Score
10/10
zgratransomwareratspywarestealer

Malware Config

Extracted

Path

C:\bQ8ODxIi2.README.txt

Ransom Note
~~~ AlphaCat ~~~ >>>> Your data are stolen and encrypted >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack worldwide and there is no dissatisfied victim after payment. >>>> You need contact us via email with srenshot of btc transaction and your personal DECRYPTION ID Contact via Email with your personal Decryption id !: [email protected] Send 400$ (0.006 BTC) at this address --> bc1qkr7wxuqwet9w6920vk94p7npkxh33fc7prv55q >>>> Your personal DECRYPTION ID: D53F15BF767167BCEBE9D549A5623EC6 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack repeatedly again!

Extracted

Path

C:\Users\Admin\bQ8ODxIi2.README.txt

Ransom Note
~~~ AlphaCat ~~~ >>>> Your data are stolen and encrypted >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack worldwide and there is no dissatisfied victim after payment. >>>> You need contact us via email with srenshot of btc transaction and your personal DECRYPTION ID Contact via Email with your personal Decryption id !: [email protected] Send 400$ (0.006 BTC) at this address --> bc1qkr7wxuqwet9w6920vk94p7npkxh33fc7prv55q >>>> Your personal DECRYPTION ID: D53F15BF767167BC1ADF744D4AE609C5 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack repeatedly again!

Targets

    • Target

      5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe

    • Size

      2.2MB

    • MD5

      08cee68cb913dd71800f0283c49af6d3

    • SHA1

      eb4058134cd74c681445a1a81c31ef729c80a7ec

    • SHA256

      5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad

    • SHA512

      1052130474915e5256c1bcc95636489535e38ca23cfb615e6b0e8b6c37c6c6ba89aa793a9aac9321d843d0cd0c6f10c85a30b2b689531c457638ce26555276fc

    • SSDEEP

      49152:+8cRU4kwcctnR19Y1Iqdwc2EyEvh6Re14IIQ+cUznT9PuYXVWXCxzhm:+TXkw5RWlifE3vwVIB+cnYXkgm

    Score
    10/10
    zgratransomwareratspywarestealer

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Renames multiple (334) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks