General

  • Target

    43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792

  • Size

    350KB

  • Sample

    240531-g87f1aag77

  • MD5

    2ca90a883f3db6d96bc5722be2fb8bc2

  • SHA1

    0e8c787283fa2c046f388ef0c5fa215541a97043

  • SHA256

    43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792

  • SHA512

    c87f815182108f62fffd502d590284ae3f0f4c6dabc823271da87dbe5f54c843eb65cc690314e0ac10188b3e43c258ace549567fe7380b4d217c2befbcde3c74

  • SSDEEP

    6144:9yAIPCuAZOXWUVg1XN5MC81xSNmG+f0bwu/WekQTp4Aum1:9MPCuAZOXRu1zMd1xaH+f0bn/Wexp4AJ

Malware Config

Extracted

Path

C:\iHpE7aGA3.README.txt

Ransom Note
~~~ ############################################~~~
YOUR FILES ARE ENCRYPTED !!!
TO DECRYPT, FOLLOW THE INSTRUCTIONS:
To recover data you need decrypt tool.
To get the decrypt tool you should:
1.In the letter include your personal ID! Send me this ID in your first email to me!
2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!
3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool!
4.We can decrypt few files in quality the evidence that we have the decoder.
ATTENTION !!!
THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:
9ZBmWdet8f1JlGuD6wXnVL7YEzCpFk5QoIScRsh4KgvNqUPy3TM02Oxjbai
AHrYzBOCDmMiT9SdByUHVnikJS8i3JN83X5wzhTArBh59XFkyhocrfLLJOM
4PF6jRhHv3PCAj9dH0qWwLbBerVrYVKKsqFs2WTAicFxaxi05fJyUPRpZXgG
p7mWr6RgYgXEbUXYldb26gl9CDAdzifhk5IMFRHR1yZk00U2tGTG3oyzZo3s
UuC96xy0ulnU4yjd6ahHB5KWGl9sozpjo6OWitVD1ZaIF0ID1o0ILJih6ptPGB
CONTACT US BY MAIL: [email protected]
CONTACT US BY MAIL 2: [email protected]
CONTACT US BY UTOX ID: 34BA12E4BE532885BAD25BDC4EFA0BCC4145B76B58A90E0C4E2A80D37A5A9F30E03477050899
Download link UTOX: https://github.com/uTox/uTox/releases/download/v0.18.1/utox_x86_64.exe
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
URLs

https://github.com/uTox/uTox/releases/download/v0.18.1/utox_x86_64.exe
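The note above carries the indicators an analyst actually needs (the uTox contact ID, the defanged payment URLs, the victim ID the operator keys on), and the report header carries the sample's hashes. The following script is an added example, not part of the sandbox report: it parses an excerpt of the note (constructed from the text shown above; the two mail contacts are redacted on the page and stay redacted here) into indicators, refangs the hxxps URLs, validates the uTox ID with the Tox address checksum (toxcore's format: 32-byte public key + 4-byte nospam, followed by a 2-byte XOR fold of those 36 bytes), and hashes a file for comparison against the MD5/SHA1/SHA256/SHA512 values in the report. Function names (`extract_iocs`, `tox_checksum_ok`, `digest_file`, `matches_report`) are this example's own.

```python
"""Added example (not part of the sandbox report): parse the recovered ransom
note into indicators and check a file against the report's published hashes."""
import hashlib
import re

# Constructed excerpt of C:\iHpE7aGA3.README.txt as shown in the report.
RANSOM_NOTE = """YOUR FILES ARE ENCRYPTED !!!
THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:
9ZBmWdet8f1JlGuD6wXnVL7YEzCpFk5QoIScRsh4KgvNqUPy3TM02Oxjbai
AHrYzBOCDmMiT9SdByUHVnikJS8i3JN83X5wzhTArBh59XFkyhocrfLLJOM
4PF6jRhHv3PCAj9dH0qWwLbBerVrYVKKsqFs2WTAicFxaxi05fJyUPRpZXgG
p7mWr6RgYgXEbUXYldb26gl9CDAdzifhk5IMFRHR1yZk00U2tGTG3oyzZo3s
UuC96xy0ulnU4yjd6ahHB5KWGl9sozpjo6OWitVD1ZaIF0ID1o0ILJih6ptPGB
CONTACT US BY MAIL: [email protected]
CONTACT US BY MAIL 2: [email protected]
CONTACT US BY UTOX ID: 34BA12E4BE532885BAD25BDC4EFA0BCC4145B76B58A90E0C4E2A80D37A5A9F30E03477050899
Download link UTOX: https://github.com/uTox/uTox/releases/download/v0.18.1/utox_x86_64.exe
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
"""

# Hashes exactly as listed in the report header.
REPORT_HASHES = {
    "md5": "2ca90a883f3db6d96bc5722be2fb8bc2",
    "sha1": "0e8c787283fa2c046f388ef0c5fa215541a97043",
    "sha256": "43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792",
    "sha512": "c87f815182108f62fffd502d590284ae3f0f4c6dabc823271da87dbe5f54c843"
              "eb65cc690314e0ac10188b3e43c258ace549567fe7380b4d217c2befbcde3c74",
}


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into http(s):// for blocking/lookup."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def tox_checksum_ok(tox_id: str) -> bool:
    """Validate a 76-hex-char Tox address. toxcore appends a 2-byte checksum
    made by XOR-folding the first 36 bytes (public key + nospam) into two bytes;
    a transcription error in the ID almost always breaks it."""
    if not re.fullmatch(r"[0-9A-Fa-f]{76}", tox_id):
        return False
    raw = bytes.fromhex(tox_id)
    chk = [0, 0]
    for i, b in enumerate(raw[:36]):
        chk[i % 2] ^= b
    return bytes(chk) == raw[36:]


def extract_iocs(note: str) -> dict:
    """Pull URLs, the uTox ID and the victim ID out of the note text."""
    iocs = {"urls": [], "tox_id": None, "tox_checksum_ok": False, "victim_id": ""}
    for m in re.finditer(r"\bh(?:xx|tt)ps?://[^\s\"'<>]+", note, flags=re.IGNORECASE):
        iocs["urls"].append(refang(m.group(0)))
    m = re.search(r"UTOX ID:\s*([0-9A-Fa-f]{76})", note)
    if m:
        iocs["tox_id"] = m.group(1).upper()
        iocs["tox_checksum_ok"] = tox_checksum_ok(iocs["tox_id"])
    # The victim ID is printed wrapped over several lines; join it back up.
    m = re.search(r"FIRST LETTER:\s*(.*?)\s*CONTACT US", note, flags=re.DOTALL)
    if m:
        iocs["victim_id"] = "".join(m.group(1).split())
    return iocs


def digest_bytes(data: bytes) -> dict:
    """All four report digests for an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def digest_file(path: str) -> dict:
    """Same digests for a file on disk, streamed so large samples are fine."""
    hashes = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def matches_report(digests: dict) -> bool:
    """True only if every digest equals the value published in the report."""
    return all(digests.get(k) == v for k, v in REPORT_HASHES.items())


if __name__ == "__main__":
    import sys
    for key, value in extract_iocs(RANSOM_NOTE).items():
        print(f"{key}: {value}")
    if len(sys.argv) > 1:  # optional: path to a candidate sample
        print("matches report:", matches_report(digest_file(sys.argv[1])))
```

Run it with a path to a candidate file to confirm you are looking at the same 350KB sample the report describes; a mismatch on any one digest means a different build, not a hash-collision worry. The uTox ID check is worth keeping in the loop because the ID is the operator's stable identifier across campaigns and is easy to mistype when lifting it from a screenshot.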

Targets

    • Target

      43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792

    • Size

      350KB

    • MD5

      2ca90a883f3db6d96bc5722be2fb8bc2

    • SHA1

      0e8c787283fa2c046f388ef0c5fa215541a97043

    • SHA256

      43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792

    • SHA512

      c87f815182108f62fffd502d590284ae3f0f4c6dabc823271da87dbe5f54c843eb65cc690314e0ac10188b3e43c258ace549567fe7380b4d217c2befbcde3c74

    • SSDEEP

      6144:9yAIPCuAZOXWUVg1XN5MC81xSNmG+f0bwu/WekQTp4Aum1:9MPCuAZOXRu1zMd1xaH+f0bn/Wexp4AJ

    • Renames multiple (336) files with added filename extension

      Consistent with ransomware encrypting user files and marking each one with a new extension; the count reflects the sandbox's seeded files, not a full-disk sweep.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence so the sample can refuse to run in certain locales.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets; in a ransomware sample this points to data collection before or alongside encryption.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger
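The first behaviour in the list, many files renamed by one process with a new extension appended, is the signal an endpoint detection should fire on well before the note lands. The script below is an added example, not the sandbox's own detection logic: it runs a sliding-window burst detector over file-rename events and flags any process that appends the same suffix to at least `threshold` files within `window_s` seconds. The events are constructed; the report does not state which extension this sample appends, so the `.locked` suffix, the process IDs and the paths are hypothetical placeholders.

```python
"""Added example (not the sandbox's own logic): detect a process that appends
one new extension to many files in a short window, the behaviour the report
records as 'Renames multiple (336) files with added filename extension'."""
from collections import defaultdict


def added_extension(old: str, new: str):
    """Return the suffix if `new` is `old` with exactly one extra extension
    appended (report.docx -> report.docx.locked), otherwise None. A plain
    rename (draft.docx -> final.docx) or a multi-part suffix does not count."""
    if not new.startswith(old + "."):
        return None
    suffix = new[len(old):]
    if "." in suffix[1:] or "\\" in suffix or "/" in suffix:
        return None
    return suffix


def find_rename_bursts(events, threshold=20, window_s=60.0):
    """events: iterable of (ts_seconds, pid, old_path, new_path), time-ordered.
    Returns {(pid, suffix): peak_count} for every (process, suffix) pair that
    appended the same suffix to >= threshold files inside a window_s window."""
    recent = defaultdict(list)   # (pid, suffix) -> timestamps still in window
    hits = {}
    for ts, pid, old, new in events:
        suffix = added_extension(old, new)
        if suffix is None:
            continue
        key = (pid, suffix)
        stamps = recent[key]
        stamps.append(ts)
        while stamps and ts - stamps[0] > window_s:   # slide the window
            stamps.pop(0)
        if len(stamps) >= threshold:
            hits[key] = max(hits.get(key, 0), len(stamps))
    return hits


def sample_events():
    """Constructed events (hypothetical pids/paths): two benign renames, then
    one process appending '.locked' to 336 documents in under 30 seconds."""
    evts = [
        (0.0, 1300, r"C:\Users\a\draft.docx", r"C:\Users\a\final.docx"),
        (1.0, 2200, r"C:\Temp\setup.tmp", r"C:\Temp\setup.exe"),
    ]
    for i in range(336):
        old = rf"C:\Users\a\Documents\file{i}.docx"
        evts.append((2.0 + i * 0.08, 4120, old, old + ".locked"))
    evts.sort(key=lambda e: e[0])
    return evts


if __name__ == "__main__":
    for (pid, suffix), count in find_rename_bursts(sample_events()).items():
        print(f"pid {pid} appended {suffix!r} to {count} files: likely encryption")
```

The threshold and window are tuning knobs: 20 renames a minute is far above what a user does by hand, but an installer or backup job can legitimately exceed it, so pair this with the other behaviours the report lists (note dropped at the volume root, self-deletion) before auto-isolating a host.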

MITRE ATT&CK Enterprise v15

Tasks