Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

General

  • Target

    RS.7z

  • Size

    20.5MB

  • MD5

    2e40472330409ed96f91e8e0bb796eb4

  • SHA1

    8fd90404184de1a627068a93482313449dbbec91

  • SHA256

    c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

  • SHA512

    b11720cb8519fc6838161ba8bf696681b242b0789ffd5c442efbb50161d511fd65229ca88a347c856e8ff91501c077f5de7714b09e29d4400f595bfe7829189d

  • SSDEEP

    393216:NkDF1XseDcJIrXeSG0b5mKZ1F0gvpdO8GPnqzHLP3iN5M0CptgNpAcklC0CN:GDjXseDcSra45mKt0gvT0PnMbzkNpAc/

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials
C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

mespinoza

Attributes
  • ransomnote

    Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://wqmfzni2nvbbpk25.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted

Family

sodinokibi

Botnet

$2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm

Campaign

7258

Decoy

gasbarre.com

all-turtles.com

rksbusiness.com

christ-michael.net

mardenherefordshire-pc.gov.uk

erstatningsadvokaterne.dk

marchand-sloboda.com

unim.su

bauertree.com

faronics.com

moveonnews.com

autopfand24.de

mountsoul.de

beaconhealthsystem.org

cerebralforce.net

aprepol.com

kaotikkustomz.com

dubnew.com

simulatebrain.com

alvinschwartz.wordpress.com

Attributes
  • net

    true

  • pid

    $2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm

  • prc

    outlook

    agntsvc

    infopath

    sqbcoreservice

    steam

    firefox

    ocomm

    ocssd

    mydesktopqos

    oracle

    powerpnt

    wordpad

    synctime

    sql

    thebat

    onenote

    excel

    visio

    encsvc

    winword

    mydesktopservice

    dbsnmp

    isqlplussvc

    tbirdconfig

    mspub

    msaccess

    thunderbird

    ocautoupds

    xfssvccon

    dbeng50

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Data leak [+] First of all we have uploaded more then 70 GB archived data from your file server and SQL server Example of data: - Accounting - Finance - Personal Data - Banking data - Confidential files And more other... Our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/ Read what happens to those who do not pay. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7258

  • svc

    svc$

    vss

    sophos

    mepocs

    backup

    sql

    memtas

    veeam

Extracted

Family

sodinokibi

Botnet

$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq

Campaign

7178

Decoy

kamahouse.net

bridgeloanslenders.com

abitur-undwieweiter.de

live-your-life.jp

xn--rumung-bua.online

anteniti.com

marcuswhitten.site

ostheimer.at

joseconstela.com

deepsouthclothingcompany.com

dr-seleznev.com

ecpmedia.vn

aunexis.ch

anthonystreetrimming.com

pocket-opera.de

mooreslawngarden.com

osterberg.fi

extraordinaryoutdoors.com

kamienny-dywan24.pl

fitovitaforum.com

Attributes
  • net

    false

  • pid

    $2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq

  • prc

    avgadmsv

    BackupUpdater

    ocautoupds

    synctime

    thebat

    excel

    isqlplussvc

    ccSetMgr

    SPBBCSvc

    Sage.NA.AT_AU.SysTray

    lmibackupvssservice

    CarboniteUI

    powerpnt

    BackupMaint

    onenote

    klnagent

    sql

    Rtvscan

    xfssvccon

    Smc

    mspub

    encsvc

    LogmeInBackupService

    kavfsscs

    ccSvcHst

    BackupExtender

    NSCTOP

    outlook

    dbsnmp

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7178

  • svc

    ssistelemetry

    adsync

    svc$

    msseces

    mbamservice

    ssastelemetry

    altaro

    sbamsvc

    ds_notifier

    ntrtscan

    ofcservice

    code42service

    macmnsvc

    memtas

    auservice

    telemetryserver

    tmccsf

    psqlwge

    sppsvc

    viprepplsvc

    azurea

    ds_monitor

    swi_filter

    protectedstorage

    mfemms

    mfevtp

    kaseyaagentendpoint

    ltservice

    dssvc

    altiback

Signatures

  • Blackmatter family
  • MedusaLocker payload 1 IoCs
  • Medusalocker family
  • Mespinoza family
  • Sodinokibi family
  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Detects Pyinstaller 1 IoCs
  • Unsigned PE 32 IoCs

    Checks for missing Authenticode signature.

  • NSIS installer 2 IoCs

Files

  • RS.7z
    .7z
  • RansomwareSamples/AidaCryst.PNG
    .png
  • RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
    .exe windows:6 windows x86 arch:x86

    1156e59d43883136ef73eee451e94e3d


    Headers

    Imports

    Sections

  • RansomwareSamples/Avos_18_07_2021_403KB.exe
    .exe windows:6 windows x86 arch:x86

    a24c2b5bf84a5465eb75f1e6aa8c1eec


    Headers

    Imports

    Sections

  • RansomwareSamples/Babik_04_01_2021_31KB.exe
    .exe windows:6 windows x86 arch:x86

    a07d82bc384cbae972c1524ff6fb5cc1


    Headers

    Imports

    Sections

  • RansomwareSamples/Babuk_20_04_2021_79KB.exe
    .exe windows:6 windows x86 arch:x86

    202fa14f574c71c2f95878e40a79322d


    Headers

    Imports

    Sections

  • RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
    .exe windows:5 windows x64 arch:x64

    08c12a4e8a6a5e4388e0bc669ebc661c


    Headers

    Imports

    Sections

  • 0xfff.pyc
  • RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
    .exe windows:5 windows x86 arch:x86

    c94b1566bf307396953c849ef18f9857


    Headers

    Imports

    Sections

  • RansomwareSamples/Conti_22_12_2020_186KB.exe
    .exe windows:5 windows x86 arch:x86

    5a02193e843512ee9c9808884c6abd23


    Headers

    Imports

    Sections

  • RansomwareSamples/Cuba_08_03_2021_1130KB.exe
    .exe windows:5 windows x86 arch:x86

    56bf04b1246e7bd71ba0bddbd47cd745


    Headers

    Imports

    Sections

  • RansomwareSamples/DarkSide_01_05_2021_30KB.exe
    .exe windows:5 windows x86 arch:x86


    Headers

    Sections

  • out.upx
    .exe windows:5 windows x86 arch:x86


    Headers

    Sections

  • RansomwareSamples/DarkSide_16_01_2021_59KB.exe
    .exe windows:5 windows x86 arch:x86

    17a4bd9c95f2898add97f309fc6f9bcd


    Headers

    Imports

    Sections

  • RansomwareSamples/DarkSide_18_11_2020_17KB.exe
    .exe windows:5 windows x86 arch:x86


    Headers

    Sections

  • out.upx
    .exe windows:5 windows x86 arch:x86


    Headers

    Sections

  • RansomwareSamples/DearCry_13_03_2021_1292KB.exe
    .exe windows:5 windows x86 arch:x86

    f8b8e20e844ccd50a8eb73c2fca3626d


    Headers

    Imports

    Sections

  • RansomwareSamples/Hades_29_03_2021_1909KB.exe
    .exe windows:5 windows x64 arch:x64

    7bb84c055e762f3b23509e70313814ed


    Headers

    Imports

    Sections

  • RansomwareSamples/Hive_17_07_2021_808KB.exe
    .exe windows:6 windows x64 arch:x64


    Headers

    Sections

  • RansomwareSamples/LockBit_14_02_2021_146KB.exe
    .exe windows:5 windows x86 arch:x86

    e9f710b579880d1b6ff748176eb620f1


    Headers

    Imports

    Sections

  • RansomwareSamples/MAKOP_27_10_2020_115KB.exe
    .exe windows:4 windows x86 arch:x86

    ced282d9b261d1462772017fe2f6972b


    Headers

    Imports

    Sections

  • $PLUGINSDIR/System.dll
    .dll windows:4 windows x86 arch:x86

    8c8a576201f68de1a3f26fc723b9f30f


    Headers

    Imports

    Exports

    Sections

  • 779389082
  • RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
    .exe windows:6 windows x86 arch:x86

    7646b22cc6ac64de1e2378e6cd44d3a6


    Headers

    Imports

    Sections

  • RansomwareSamples/MountLocker_20_11_2020_200KB.exe
    .exe windows:4 windows x86 arch:x86

    737cadd72b188399430b9cb1969015f4


    Headers

    Imports

    Sections

  • RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
    .exe windows:4 windows x64 arch:x64

    96c44fa1eee2c4e9b9e77d7bf42d59e6


    Code Sign

    Headers

    Imports

    Sections

  • RansomwareSamples/Nemty_03_02_2021_124KB.exe
    .exe windows:6 windows x86 arch:x86

    d304e79034f5fbf7623eda468ccb7f1d


    Code Sign

    Headers

    Imports

    Sections

  • RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
    .ps1
  • RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
    .exe windows:5 windows x64 arch:x64

    5d2ddf9bb9051294e17ea7cb876c77e2


    Code Sign

    Headers

    Imports

    Sections

  • RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
    .exe windows:1 windows x86 arch:x86

    77e20d42da8acdf51b54c64c30f78c5d


    Headers

    Imports

    Sections

  • RansomwareSamples/Pysa_08_04_2021_500KB.exe
    .exe windows:5 windows x86 arch:x86

    b5e8bd2552848bb7bf2f28228d014742


    Headers

    Imports

    Sections

  • RansomwareSamples/REvil_07_04_2021_121KB.exe
    .exe windows:5 windows x86 arch:x86

    b321b6896e18906d7c1d33f3e88fe16b


    Headers

    Imports

    Sections

  • RansomwareSamples/REvil_08_04_2021_121KB.exe
    .exe windows:5 windows x86 arch:x86

    b321b6896e18906d7c1d33f3e88fe16b


    Headers

    Imports

    Sections

  • RansomwareSamples/Ragnar_11_02_2020_40KB.exe
    .exe windows:5 windows x86 arch:x86

    6a3e7314bd4201552084c30fb976959e


    Headers

    Imports

    Sections

  • RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
    .exe windows:5 windows x86 arch:x86

    93736e6ffcbf0a539a73e55e921de1cb


    Headers

    Imports

    Exports

    Sections

  • RansomwareSamples/Ranzy_20_11_2020_138KB.exe
    .exe windows:6 windows x86 arch:x86

    258ea5f7e1ec660f7ee58471add0cfab


    Headers

    Imports

    Sections

  • RansomwareSamples/Ryuk_21_03_2021_274KB.exe
    .exe windows:4 windows x86 arch:x86


    Code Sign

    Headers

    Sections

  • RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
    .msi
  • RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
    .exe windows:5 windows x86 arch:x86


    Headers

    Sections

  • out.upx
    .exe windows:5 windows x86 arch:x86


    Headers

    Sections

  • RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
    .ps1
  • RansomwareSamples/Thanos_23_03_2021_91KB.exe
    .exe windows:4 windows x86 arch:x86

    f34d5f2d4577ed6d9ceec516c1f5a744


    Headers

    Imports

    Sections

  • RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
    .exe windows:4 windows x86 arch:x86


    Headers

    Sections