agenda | 99cb0f92c60d88aadbb3e821f277ab51f6d8861c202cc1e16bb9ff0da10348a9

Sharing

Copy URL

Twitter E-mail

General

Target

Desktop.zip
Size

14.2MB
Sample

240518-s8bvwaag9y
MD5

a5ecde14c94b30dea5ad15347b436243
SHA1

ecf42b21df9d3e240f4acb0f145ccd23d2b2a36f
SHA256

99cb0f92c60d88aadbb3e821f277ab51f6d8861c202cc1e16bb9ff0da10348a9
SHA512

e78dbfaf4fd23fe3d7811b884002fc19f380e4aa451ac389da5433621738ba89ecacff62c408fe82f07c1fe4edfafe785b890a55b67934dcf814f33df89f4678
SSDEEP

393216:84DICqy0qRoFk0fTyf7VdVcBIqs7BmT/3zu2C3WB:8Btnk0fWfZoBIq2B6HC3G

Score

10^/10

Malware Config

Extracted

Family

agenda

Attributes

company_id
gBBQsRxAcQ
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: gBBQsRxAcQ Domain: ru3q4ftbaqmpobhamqlnseorxywhhmqwhzx4pv4sqaacqz4m2ptleiid.onion login: 2200ffdb-68c4-43ed-83d8-52fe9d4d7a03 password:

rsa_pubkey.plain

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>EB0A2CB4-2378</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected] or [email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]

[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>FB7A0894-2378</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected] or [email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]

[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>815286C0-2378</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected] or [email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]

[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>5D9C8428-2378</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected] or [email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]

[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <b> <pre> f5de48b476c53833c47bc3b7c59442023fd9ae20de867e2ebdf3164bbef62940 </pre> </b> <hr/> This message contains an information how to fix the troubles you've got with your network.<br><br> Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content.<br> The only way to get files back is a decryption with Key, provided by the Quantum Locker.<br><br> During the period your network was under our control, we downloaded a huge volume of information.<br> Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data.<br> Publishing of such data will cause serious consequences and even business disruption.<br><br> It's not a threat, on the contrary - it's a manual how to get a way out.<br> Quantum team doesn't aim to damage your company, our goals are only financial.<br><br> After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points.<br> If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc.<br><br> To contact our support and start the negotiations, please visit our support chat.<br> It is simple, secure and you can set a password to avoid intervention of unauthorised persons.<br> <a href="http://lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion/?cid=f5de48b476c53833c47bc3b7c59442023fd9ae20de867e2ebdf3164bbef62940">http://lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion/?cid=f5de48b476c53833c47bc3b7c59442023fd9ae20de867e2ebdf3164bbef62940</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <b> <pre> f5de48b476c53833c47bc3b7c594420236ceb225ca847c34bdf3164bbef62959 </pre> </b> <hr/> This message contains an information how to fix the troubles you've got with your network.<br><br> Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content.<br> The only way to get files back is a decryption with Key, provided by the Quantum Locker.<br><br> During the period your network was under our control, we downloaded a huge volume of information.<br> Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data.<br> Publishing of such data will cause serious consequences and even business disruption.<br><br> It's not a threat, on the contrary - it's a manual how to get a way out.<br> Quantum team doesn't aim to damage your company, our goals are only financial.<br><br> After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points.<br> If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc.<br><br> To contact our support and start the negotiations, please visit our support chat.<br> It is simple, secure and you can set a password to avoid intervention of unauthorised persons.<br> <a href="http://lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion/?cid=f5de48b476c53833c47bc3b7c594420236ceb225ca847c34bdf3164bbef62959">http://lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion/?cid=f5de48b476c53833c47bc3b7c594420236ceb225ca847c34bdf3164bbef62959</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\Users\Admin\3D Objects\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <b> <pre> f5de48b476c53833c47bc3b7c594420234d2b530d79f643ebdf3164bbef62965 </pre> </b> <hr/> This message contains an information how to fix the troubles you've got with your network.<br><br> Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content.<br> The only way to get files back is a decryption with Key, provided by the Quantum Locker.<br><br> During the period your network was under our control, we downloaded a huge volume of information.<br> Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data.<br> Publishing of such data will cause serious consequences and even business disruption.<br><br> It's not a threat, on the contrary - it's a manual how to get a way out.<br> Quantum team doesn't aim to damage your company, our goals are only financial.<br><br> After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points.<br> If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc.<br><br> To contact our support and start the negotiations, please visit our support chat.<br> It is simple, secure and you can set a password to avoid intervention of unauthorised persons.<br> <a href="http://lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion/?cid=f5de48b476c53833c47bc3b7c594420234d2b530d79f643ebdf3164bbef62965">http://lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion/?cid=f5de48b476c53833c47bc3b7c594420234d2b530d79f643ebdf3164bbef62965</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <b> <pre> f5de48b476c53833c47bc3b7c594420220deb62cd09f6034bdf3164bbef62937 </pre> </b> <hr/> This message contains an information how to fix the troubles you've got with your network.<br><br> Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content.<br> The only way to get files back is a decryption with Key, provided by the Quantum Locker.<br><br> During the period your network was under our control, we downloaded a huge volume of information.<br> Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data.<br> Publishing of such data will cause serious consequences and even business disruption.<br><br> It's not a threat, on the contrary - it's a manual how to get a way out.<br> Quantum team doesn't aim to damage your company, our goals are only financial.<br><br> After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points.<br> If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc.<br><br> To contact our support and start the negotiations, please visit our support chat.<br> It is simple, secure and you can set a password to avoid intervention of unauthorised persons.<br> <a href="http://lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion/?cid=f5de48b476c53833c47bc3b7c594420220deb62cd09f6034bdf3164bbef62937">http://lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion/?cid=f5de48b476c53833c47bc3b7c594420220deb62cd09f6034bdf3164bbef62937</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Targets

- Target
  
  0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224
- Size
  
  1.5MB
- MD5
  
  07563c3b4988c221314fdab4b0500d2f
- SHA1
  
  a5f53c9b0f7956790248607e4122db18ba2b8bd9
- SHA256
  
  0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224
- SHA512
  
  e0264bf772ba43377d1dcdc95dccdacc16ccafee28e8d91a9d532cf2383b0d1ad43625cd0b09555018583db796a59603ad12d568e2aea154594b5d02248d0ecb
- SSDEEP
  
  12288:+OFevZPYI+MbO7NkfWcIV8wZ9CeqFrOdS2KCwILo2bx9I5Nweb/yCdwO4Pzjzbf4:jFaoccQ7XUCdw1X32ekwVXeU+
Score

7^/10
- Loads dropped DLL
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f
- Size
  
  1.4MB
- MD5
  
  0ada88218b67a313a4f5ab0062fbc4e6
- SHA1
  
  15dfcef932d666fdc7501bcee357ec2aabfcfdee
- SHA256
  
  05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f
- SHA512
  
  0b217e5aa8b17d347dbb05507cb5cf179328aad593fb65a8083ca8c300de4901eb55e6c8e971ce3280f50ceefd327332cfafde0280e09044d8da1dc8e20a49ed
- SSDEEP
  
  24576:J6w15zVAFj5WEx9+22sHFXVYmLmYy+vz236ZSV8BGxon3sgGhzl1KsIVy:QsV85WU9+ElYmyZMz23sSyBGdgelIsj
Score

10^/10

defense_evasion evasion execution impact persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (95) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral5 behavioral6 behavioral7 behavioral8
- Target
  
  1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577
- Size
  
  9.3MB
- MD5
  
  f9481915373852640150ffe98e7218ab
- SHA1
  
  682fa27b596bab8fc5b7f2a0c002447e6e2f1f6b
- SHA256
  
  1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577
- SHA512
  
  71c8bb648323818529ef1de610c6d60ea9610407636a4d4305409451fa5591ec2d27b6e0acc573a0d08c20a454b69fed269b281f9319e5ff931d3fa465c22908
- SSDEEP
  
  98304:m39m4olnLynE2TIx7cEsnRIiTgQQwfZtqifsjEiwkA+DUg47V6pH/LZAtpla02dC:m39GlmjTzEsKmBttRiA+4GJtAZa088V
Score

1^/10
behavioral10 behavioral11 behavioral12 behavioral9
- Target
  
  20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352
- Size
  
  3.3MB
- MD5
  
  bc292d6f5c3ed8bf4165eb5b2c88fede
- SHA1
  
  acf5a996668cc5f90ca677c19587e568f41fbdfa
- SHA256
  
  20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352
- SHA512
  
  e66a5af265785031c3126ac13927101295b6b3e8024eef434004c8eb7ba05f38866a84282551c93a5b96e63cbcccd34623e9b28f9975a3ab68cf51ebb9727b69
- SSDEEP
  
  49152:F+qq5l3uaUp/rb/TuvO90dL3BmAFd4A64nsfJp9xTq91OmwwasZV45El0gPup6vb:M35yQcZvE4wY
Score

1^/10
behavioral13 behavioral14 behavioral15 behavioral16
- Target
  
  2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66
- Size
  
  55KB
- MD5
  
  9376f223d363e28054676bb6ef2c3e79
- SHA1
  
  aed68cfa282ec2b0f8a681153beaebe3a17d04ee
- SHA256
  
  2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66
- SHA512
  
  bcff01de14993db92551e661b34591860bc2bc4ffea5d79e337b1c2c4a43f42ffc872cd88414079b5792de031ac46a18e91c42195338314fcdb300831668a1bb
- SSDEEP
  
  1536:hNeRBl5PT/rx1mzwRMSTdLpJgL0UHg1tuP4ib:hQRrmzwR5JS0UA1Rib
Score

10^/10

phobos defense_evasion evasion execution impact persistence ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (444) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral17 behavioral18 behavioral19 behavioral20
- Target
  
  2cbb3497bfa28d9966c1feeae96d452d
- Size
  
  1.6MB
- MD5
  
  2cbb3497bfa28d9966c1feeae96d452d
- SHA1
  
  9ef94c7d3fedc71bb3ed1abf542dfc7ec692883d
- SHA256
  
  85c3b718090144dadeb8035ac287d46b9d3458f9de409229217d42a475f42868
- SHA512
  
  eed7b210655030b3855f7a20f3bc7aecf8b927a33dfdaefe1d769fa42cbf7c88b1e8ab625f7258a79d2625e06005d25b03691fe911330876ae9e7f916ab2fe4c
- SSDEEP
  
  24576:KlQyNmMnq70NDxLOd0+UU1Thef1HrmP1D2:KlQyNmMq70NDROd0+UU1ThoHrA
Score

10^/10

quantum ransomware spyware stealer
- Quantum Ransomware
  A rebrand of the MountLocker ransomware first seen in August 2021.
  ransomware quantum
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral21 behavioral22 behavioral23 behavioral24
- Target
  
  37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6
- Size
  
  1.6MB
- MD5
  
  14dec91fdcaab96f51382a43adb84016
- SHA1
  
  a85d9d2a3913011cd282abc7d9711b2346c23899
- SHA256
  
  37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6
- SHA512
  
  ee1b721bc6b6ade20544274cc56896d1b39126351be630807adc398c1fa68cd8612acd743caecb2abbef9c0aaaddfe2a3af111d9bc93e8ef3fc4a8d4d0cfb565
- SSDEEP
  
  24576:7BzG7bSK2rgyik2VZGiOYnSadiUm6M551SaJkqFYUe3xHj96khbkyITnoXlIEvXX:746Rvik2VUKnzhQ4tkWXUy
Score

10^/10

agenda ransomware
- Agenda Ransomware
  A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
  ransomware agenda
behavioral25 behavioral26 behavioral27 behavioral28
- Target
  
  49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d
- Size
  
  389KB
- MD5
  
  ba95a2f1f1f39a24687ebe3a7a7f7295
- SHA1
  
  b4da6af343b27594fee7109a02ef699ba52f6e46
- SHA256
  
  49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d
- SHA512
  
  4611ac65840c3ecee27f8821705f378de09ddbf1130476517f857abf3b1cf0f169ca618c82cc905d56f224019dbb01795ca458453a64cc51e100f7bbfc2781ee
- SSDEEP
  
  6144:SKmb+LOzyGKPCVqlea2MqxOnsAOK1RUa+jE6S3qVFvxTn:SfaLQyGK6kAa2XgsA1RUa+jE6S3qRT
Score

1^/10
behavioral29 behavioral30 behavioral31 behavioral32