General
-
Target
2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
-
Size
376KB
-
Sample
240601-yarfkacg3s
-
MD5
120c6ddfc24274b6e2e3a1ba7dc519ab
-
SHA1
29936b1aa952a89905bf0f7b7053515fd72d8c5c
-
SHA256
2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8
-
SHA512
dd9b2fb6cd5f6f044daa80ef634078849032ebbdbd1d293bb7bcb0270aa8b7360c39addb0826c7a3ddc8714b559bf8828e8e506ac91bcb4702a72f4c8ec4850a
-
SSDEEP
6144:KFtgKBIxGS/bbWGGJK8PpzR1WpOJOQMeEBwhUg5bBDNPbsP/qrscpyj4CVKSkn:+tgKIxfbbezR1WpOJJMjihU030/qRMra
Static task
static1
Behavioral task
behavioral1
Sample
2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
F:\HOW TO BACK FILES.txt
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Extracted
C:\Users\Admin\3D Objects\HOW TO BACK FILES.txt
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Targets
-
-
Target
2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
-
Size
376KB
-
MD5
120c6ddfc24274b6e2e3a1ba7dc519ab
-
SHA1
29936b1aa952a89905bf0f7b7053515fd72d8c5c
-
SHA256
2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8
-
SHA512
dd9b2fb6cd5f6f044daa80ef634078849032ebbdbd1d293bb7bcb0270aa8b7360c39addb0826c7a3ddc8714b559bf8828e8e506ac91bcb4702a72f4c8ec4850a
-
SSDEEP
6144:KFtgKBIxGS/bbWGGJK8PpzR1WpOJOQMeEBwhUg5bBDNPbsP/qrscpyj4CVKSkn:+tgKIxfbbezR1WpOJJMjihU030/qRMra
-
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (7255) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-