General
-
Target
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d
-
Size
478KB
-
Sample
240531-hcy1esab3t
-
MD5
71efe7a21da183c407682261612afc0f
-
SHA1
0f1aea2cf0c9f2de55d2b920618a5948c5e5e119
-
SHA256
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d
-
SHA512
3cff597dbd7f0d5ab45b04e3c3731e38626b7b082a0ede7ab9a7826921848edb3c033f640da2cb13916febf84164f7415ca9ac50c3d927f04d9b61fcadb7801c
-
SSDEEP
6144:W0wmbI4/Z4SHvrxw6zaIST1w9wEPDasWxxsBhS37b8o6XCFyPwCMa6qnXxq/y:7zv66zaISTW9asWxxAh4IlXC4PUqBq/
Static task
static1
Behavioral task
behavioral1
Sample
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d.exe
Resource
win11-20240426-en
Malware Config
Extracted
\Device\HarddiskVolume1\HOW TO BACK FILES.txt
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Extracted
\Device\HarddiskVolume1\HOW TO BACK FILES.txt
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Targets
-
-
Target
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d
-
Size
478KB
-
MD5
71efe7a21da183c407682261612afc0f
-
SHA1
0f1aea2cf0c9f2de55d2b920618a5948c5e5e119
-
SHA256
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d
-
SHA512
3cff597dbd7f0d5ab45b04e3c3731e38626b7b082a0ede7ab9a7826921848edb3c033f640da2cb13916febf84164f7415ca9ac50c3d927f04d9b61fcadb7801c
-
SSDEEP
6144:W0wmbI4/Z4SHvrxw6zaIST1w9wEPDasWxxsBhS37b8o6XCFyPwCMa6qnXxq/y:7zv66zaISTW9asWxxAh4IlXC4PUqBq/
Score10/10-
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (6533) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-