b187c5a1450f1cd356c98973d8f5447a66ca4d3fba9a2452fbd3467cf108ff69

General

Target

b187c5a1450f1cd356c98973d8f5447a66ca4d3fba9a2452fbd3467cf108ff69
Size

1.2MB
Sample

240612-dayveszakk
MD5

8e6449ffc8d525909adc506f97eec4ef
SHA1

118bdbcd547d93d56308d482f87f358be39ad776
SHA256

b187c5a1450f1cd356c98973d8f5447a66ca4d3fba9a2452fbd3467cf108ff69
SHA512

3c9e3acbd0450b802b74a291786310ffe6421f6764729fde39df2e30a0c3075317c7d5dca0455a0f5585952412b3c04cc70e22e42ed3ef5ea63654c5f6a34276
SSDEEP

12288:ejUJ0ixiYuFAnyKKzqj9uLucMDiPDmcMdsx/3Ot3s8fjVOJ/i6h62G0Go01x4Coa:eQvxiYuFA2ej9ekiP9xA8M

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+tjrba.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: * http://t54ndnku456ngkwsudqer.wallymac.com/1631E88DB389198B * http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/1631E88DB389198B * http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/1631E88DB389198B If for some reasons the addresses are not available, follow these steps 1 Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 After a successful installation, run the browser 3 Type in the address bar: xlowfznrg4wf7dli.onion/1631E88DB389198B 4 Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/1631E88DB389198B http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/1631E88DB389198B http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/1631E88DB389198B Your personal pages TOR Browser xlowfznrg4wf7dli. onion/1631E88DB389198B

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/1631E88DB389198B

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/1631E88DB389198B

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/1631E88DB389198B

http://xlowfznrg4wf7dli.onion/1631E88DB389198B

Targets

- Target
  
  b187c5a1450f1cd356c98973d8f5447a66ca4d3fba9a2452fbd3467cf108ff69
- Size
  
  1.2MB
- MD5
  
  8e6449ffc8d525909adc506f97eec4ef
- SHA1
  
  118bdbcd547d93d56308d482f87f358be39ad776
- SHA256
  
  b187c5a1450f1cd356c98973d8f5447a66ca4d3fba9a2452fbd3467cf108ff69
- SHA512
  
  3c9e3acbd0450b802b74a291786310ffe6421f6764729fde39df2e30a0c3075317c7d5dca0455a0f5585952412b3c04cc70e22e42ed3ef5ea63654c5f6a34276
- SSDEEP
  
  12288:ejUJ0ixiYuFAnyKKzqj9uLucMDiPDmcMdsx/3Ot3s8fjVOJ/i6h62G0Go01x4Coa:eQvxiYuFA2ej9ekiP9xA8M
Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (425) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2