chaos

Sharing

Copy URL

Twitter E-mail

General

Target

222.7z
Size

3.3MB
Sample

240716-ktw89sxcla
MD5

c19d8c566494f5414ccaa717ae98d17b
SHA1

2abe430ad6ff8e274d612f642345e0f7ff5ea394
SHA256

e566ee2189f830504af1cb787279111b7b2f3817a61a85bad8d9810701dd4877
SHA512

76c3daeba66a7ac87081d289d23e98caa86d8c65f860141741435578d55f27a65f8a4785f8d40441e8da9c486253933bf7176731b9e8d32f2936b7e2355ea847
SSDEEP

98304:2DDsqKIhamEzIdlesj2f8UUTyFSI5h6NdOaHd5/Yizrl+jT/:yD5KIMpIdlB2f8bTyFjhaHHd5wisX/

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$xdRGohAYigx9tD2UUlFVu./KzqHpE6XtxVJxJi5bkv/BRYCNLN7i6

Campaign

3472

Decoy

simpliza.com

quickyfunds.com

gasbarre.com

fiscalsort.com

analiticapublica.es

global-kids.info

irinaverwer.com

dw-css.de

pier40forall.org

crowd-patch.co.uk

psnacademy.in

triggi.de

narcert.com

hkr-reise.de

gastsicht.de

xn--fnsterputssollentuna-39b.se

mardenherefordshire-pc.gov.uk

bauertree.com

selfoutlet.com

antiaginghealthbenefits.com

Attributes

net
true
pid
$2a$10$xdRGohAYigx9tD2UUlFVu./KzqHpE6XtxVJxJi5bkv/BRYCNLN7i6
prc
dbeng50

onenote

firefox

tbirdconfig

synctime

infopath

thebat

sqbcoreservice

outlook

powerpnt

isqlplussvc

mydesktopservice

msaccess

oracle

steam

mspub

winword

ocautoupds

ocomm

agntsvc

thunderbird

excel

dbsnmp

ocssd

visio

wordpad

mydesktopqos

encsvc

xfssvccon

sql
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
3472
svc
backup

sophos

memtas

svc$

mepocs

vss

sql

veeam

Extracted

Family

sodinokibi

Botnet

$2a$10$mKbuAybjn4W3ipQCt6E7ROYxmL5SSZgUbPuA7PKUsPqJU10KB4bma

Campaign

7114

Decoy

withahmed.com

scenepublique.net

aglend.com.au

jyzdesign.com

nsec.se

cirugiauretra.es

gopackapp.com

tinyagency.com

crediacces.com

xn--rumung-bua.online

bowengroup.com.au

mastertechengineering.com

kmbshipping.co.uk

homng.net

fitnessingbyjessica.com

oldschoolfun.net

roygolden.com

sotsioloogia.ee

real-estate-experts.com

mir-na-iznanku.com

Attributes

net
false
pid
$2a$10$mKbuAybjn4W3ipQCt6E7ROYxmL5SSZgUbPuA7PKUsPqJU10KB4bma
prc
oracle

klnagent

mydesktopqos

infopath

BackupExtender

powerpnt

outlook

BackupAgent

Smc

sql

ccSvcHst

BackupUpdater

Rtvscan

winword

kavfsscs

ocssd

isqlplussvc

visio

ShadowProtectSvc

tbirdconfig

TSSchBkpService

dbeng50

ccSetMgr

agntsvc

Sage.NA.AT_AU.SysTray

dbsnmp

thebat

onenote

AmitiAvSrv

wordpad

msaccess

avgadmsv

thunderbird

BackupMaint

Microsoft.exchange.store.worker.exe

CarboniteUI

excel

SPBBCSvc

LogmeInBackupService

encsvc

ocomm

sqbcoreservice

NSCTOP

mydesktopservice

kavfs

kavfswp

ocautoupds

mspub

xfssvccon

DLOAdminSvcu

synctime

lmibackupvssservice

firefox

steam

dlomaintsvcu
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
7114
svc
Telemetryserver

"Sophos AutoUpdate Service"

sophos

Altaro.Agent.exe

mysqld

MSSQL$MSGPMR

"SophosFIM"

"Sophos Web Control Service"

SQLWriter

svcGenericHost

AltiBack

"SQLServer Analysis Services (MSSQLSERVER)"

BackupExecAgentAccelerator

"StorageCraft ImageReady"

SQLTELEMETRY

AzureADConnectAuthenticationAgent

ntrtscan

ds_notifier

TeamViewer

"StorageCraft Raw Agent"

"StorageCraft Shadow Copy Provider"

SQLTELEMETRY$SQLEXPRESS

VeeamHvIntegrationSvc

AltiCTProxy

MsDtsServer130

ViprePPLSvc

McAfeeFramework

MSSQL$QM

"swi_service"

"ThreadLocker"

ofcservice

AUService

sophossps

AzureADConnectHealthSyncMonitor

Altaro.OffsiteServer.UI.Service.exe

"SAVAdminService"

ds_monitor

ALTIVRM

SSASTELEMETRY

TmCCSF

MsDtsServer110

"Sophos MCS Client"

TMBMServer

SBAMSvc

mfewc

"Sophos System Protection Service"

MSSQLFDLauncher$TESTBACKUP02DEV

VeeamDeploymentService

masvc

backup

MSSQL$SQLEXPRESS

AltiPhoneServ

MSSQLServerOLAPService

SSISTELEMETRY130

VeeamEndpointBackupSvc

mepocs

Altaro.UI.Service.exe

"ds_agent"

HuntressUpdater

MSSQLFDLauncher

"Sophos File Scanner Service"

SQLAgent$MSGPMR

ADSync

KaseyaAgent

ReportServer

MSSQLFDLauncher$SQLEXPRESS

MSSQL$HPWJA

KaseyaAgentEndpoint

VeeamTransportSvc

"ds_monitor"

mfevtp

MSSQLTESTBACKUP02DEV

SQLTELEMETRY$MSGPMR

ThreadLocker

MSSQLServerADHelper100

veeam

tmlisten

AzureADConnectHealthSyncInsights

"swi_filter"

MsDtsServer120

ProtectedStorage

VeeamDeploySvc

memtas

ds_agent

VeeamMountSvc

HuntressAgent

SQLAgent$SQLEXPRESS

bedbg

MSSQLSERVER

"ofcservice"

VipreAAPSvc

"Sophos Endpoint Defense Service"

KACHIPS906995744173948

DsSvc

MSSQLLaunchpad$SQLEXPRESS

msseces

macmnsvc

LTService

Code42Service

Altaro.HyperV.WAN.RemoteService.exe

LTSvcMon

MSSQL$SQLEXPRESSADV

"SAVService"

Altaro.OffsiteServer.Service.exe

"Sage 100cloud Advanced 2020 (9920)"

Altaro.SubAgent.exe

mfemms

"TeamViewer"

"SQLServer Reporting Services (MSSQLSERVER)"

VSS

sql

Altaro.SubAgent.N2.exe

"SQLServer Integration Services 12.0"

SQLSERVERAGENT

vss

"Sophos Safestore Service"

klnagent

"Sage.NA.AT_AU.Service"

MBAMService

"Sophos Health Service"

SQLBrowser

MySQL

"ProtectedStorage"

"Sophos Clean Service"

"Sage 100c Advanced 2017 (9917)"

"SntpService"

VeeamNFSSvc

KAVFS

SQLEXPRESSADV

KAENDCHIPS906995744173948

sppsvc

Amsp

psqlWGE

Microsoft.exchange.store.worker.exe

kavfsscs

"Amsp"

sqlservr

Altaro.DedupService.exe

svc$

"ds_notifier"

"Sophos Device Control Service"

AzureADConnectAgentUpdater

AltiFTPUploader

"Sophos MCS Agent"

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

Decoy

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au

Attributes

net
false
pid
$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq
prc
encsvc

powerpnt

ocssd

steam

isqlplussvc

outlook

sql

ocomm

agntsvc

mspub

onenote

winword

thebat

excel

mydesktopqos

ocautoupds

thunderbird

synctime

infopath

mydesktopservice

firefox

oracle

sqbcoreservice

dbeng50

tbirdconfig

msaccess

visio

dbsnmp

wordpad

xfssvccon
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
8254
svc
veeam

memtas

sql

backup

vss

sophos

svc$

mepocs

Extracted

Family

sodinokibi

Botnet

$2a$10$PRliCdjvILpWha0dXt26COEfG3S.LFJG/H9fqsY0uepzhaO43cC36

Campaign

3665

Decoy

1kbk.com.ua

kalkulator-oszczednosci.pl

creative-waves.co.uk

mirkoreisser.de

fotoideaymedia.es

abogados-en-alicante.es

liikelataamo.fi

klusbeter.nl

jameskibbie.com

marathonerpaolo.com

milestoneshows.com

live-con-arte.de

tinyagency.com

beautychance.se

slwgs.org

midmohandyman.com

herbayupro.com

panelsandwichmadrid.es

baronloan.org

izzi360.com

Attributes

net
false
pid
$2a$10$PRliCdjvILpWha0dXt26COEfG3S.LFJG/H9fqsY0uepzhaO43cC36
prc
visio

CagService

VeeamTransportSvc

dbsnmp

msaccess

bedbh

DellSystemDetect

encsvc

VeeamDeploymentSvc

steam

mydesktopqos

sqbcoreservice

dbeng50

mydesktopservice

firefox

outlook

tbirdconfig

raw_agent_svc

ocomm

pvlsvr

isqlplussvc

sql

ocautoupds

thunderbird

excel

synctime

EnterpriseClient

wordpad

bengien

vsnapvss

benetns

vxmon

oracle

VeeamNFSSvc

onenote

xfssvccon

winword

beserver

ocssd

mspub

infopath

thebat

powerpnt

agntsvc
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome Massive Prints. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
3665
svc
MSSQL

VeeamTransportSvc

CAARCUpdateSvc

AcrSch2Svc

bedbg

stc_raw_agent

sophos

BackupExecDiveciMediaService

BackupExecVSSProvider

VeeamNFSSvc

CASAD2DWebSvc

BackupExecAgentAccelerator

veeam

vss

MSSQL$

MSExchange

sql

PDVFSService

VSNAPVSS

MVarmor64

AcronisAgent

ARSM

BackupExecRPCService

VeeamDeploymentService

svc$

BackupExecAgentBrowser

MVArmor

MSExchange$

BackupExecJobEngine

mepocs

BackupExecManagementService

memtas

backup

WSBExchange

Extracted

Path

C:\cHpfiXA9s.README.txt

Ransom Note

~~~ XeqtR Ransomeware The world's fastest ransomware ~~~ >>>> Your data is now stolen and encrypted, pleaes read the following carefully, as it is in your best interest. We are sorry to inform you that a Ransomware Virus has taken control of your computer. ALL of your important files and folders on your computer have been encrypted with a military grade encryption algorithm. Your documents, videos, images and every other forms of data are now inaccessible and completely locked, and cannot be unlocked without the sole decryption key, in which we are the ONLY ones in possession of this key. This key is currently being stored on a remote server. To acquire this key and have all files restored, transfer the amount of 500 USD in the cryptocurrency BITCOIN to the below specified bitcoin wallet address before the time runs out. Once you have read this you now have 36 hours until your files are lost forever. If you fail to take action within this time window, the decryption key will be destroyed and access to your files will be permanently lost. If you are not familiar with cryptocurrency and bitcoin, just do a google search, visit bitcoin.org, go on your mobile to Cash App, or pretty much just ask someone and most likely they can explain it. Once again, 500 USD in the form of Bitcoin to this wallet address bc1q8wqyacjzzvrn57d2g7aj35lnr5r8fqv0dn0394 The second you have sent the bitcoin and the transaction verifies another text file will appear on your desktop with the website to get your key, and the simple instructions on how to use it to get your files back. 36 hours starts now, we suggest you do not waste time. For any reason you should need customer service, email [email protected]

Emails

[email protected]

Extracted

Path

C:\Users\ez6061-readme.txt

Ransom Note

---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ez6061. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/654E6A57B456D094 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/654E6A57B456D094 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: UeYKMcWD8XdU8G60h+VDnvW4Sges2PQ205MmibFAj4d4I+lNA4btJcZw+h/hkrYm mDpvs8bW2/9tJnwo0x0kDAHH5auigGJg0e8m+OpHRlu2oCPtMhTof8KxnHJ+agbV MllpFZzF4am3zipsD0sr08AAauUDJ9Wqy7MJ/Yw/q7g+h/SCw0n1eNbv04OiqL92 tMKbsMSvYDL0GvyQIMOM+HsSPAXUX9fXXLYjg7D+fNG9Enu4F1Y/QebbIOhLGgsG R5+tXBA68+VYLQoSF2uo1dOtV/sr6Nu/PmXVh56ZIvxYnObCR9g9jF93Vw+AlOgq FYs+rzgCoym0UOeqXsBMaHcd4xSHyBPXlJlJIr3SkE2dkN3p25WtWNm8KPvVvRnx UWu8pZtWsU6PpXseFtnOEXNPvDBBuqgqliEeW2OAm0zMY1/WtBTQI4D8fdHV1egU W2XShl+Pt6yNERWNAaTOln2ELEE+DmVYNGZVIU7VRWi+/Vkdv334XqhiSEHgFkp9 jSTrIeb+a7AfHk1lkPLZoX2ZJoksczHHem1VeEX6DIJdtauNzoVV4fryw4YrGBJp eImLu9u5WIZVyXcfxU9uJZPIvG3uyU3ql0L2GElhmTJ9XGowuBLoBNMhiCV0UWd5 AgMC/Jgs1CGgg47dzcrrKchFzPtjQ5FQPzf/xZnk7dzhCUHzw73KgMwNbFZqXfJg xLzIHa96hIgAlfTLupMBDy4zA72Oe79QRWeiUFacFBk6rhzTinzkznX4D2SKSWqg cy2GVqxF1p/9Tv2Z2h7jrvN+uNZwW/V0TvWzuw1zaYLP+rZYPUZ96s9k1/9qx3OH suprEnJcez8aCgiKimJvtJCxyk1tSAXH+DpU1pDQeD2bwXngoIst8W/ZhFVzjfls PojwiB9P5yba5c97SROmn8h2zLvi/LMq2BLADmxMioYxOKHF5o7A69o2qDYc/2FS UgU3g0iSHa6TpJYZEzGagrw39ZudZafduKpO8vbQ0gX+lxA2KmouS21HfwLKS0/v ehW1IIOBYA2uqw44TSnqrGTmvRAjJY/OalmsLKdWr5DyVX/1bvGCh03S71GxsPNR Ns20Rb6zNpeQoAGrLA72bTtPVETxv1frTwZwz0Zs34m4jyai15DcQV9hHg5wGBht szpEtCOr4cKV1+7pfeGCp1IeGHberDXP6+cDaihZUaaZrQVLiHYuboSSTd7gFhQx bvKdLjbSsGq4FkBDKZzrsqOHpJ4T/uUD0vKtYCvvitmj0C5poMUYLBPIhzAPcDgL npTC67lRz1UgOB3axUwX9uDNt9n7mrXwjpjaHVHvXbje88evcIrSyfGOTH5ctHNa ykbuiioyMszzn7VeveRJYCx3wkW5mA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/654E6A57B456D094

http://decoder.re/654E6A57B456D094

Extracted

Path

C:\0YiWGiIoC.README.txt

Ransom Note

Note the time. You're already falling behind. The race is already underway. To recover your encrypted data, you must purchase a decryptor from us. Bitcoin (BTC) payment must be sent to: 1CnvpuszJsuMfzJpTrBx4ZQhK7byzt3XCC If you pay within 12 hours, then you only have to pay 0.008 BTC. If you pay within 24 hours, then you only have to pay 0.08 BTC. If you pay within 48 hours, then you must pay 0.8 BTC. If you pay within 96 hours, then you must pay 8 BTC. If you pay within 192 hours, then you must pay 80 BTC. If you pay within 384 hours, then you must pay 800 BTC. -OR- Monero (XMR) payment must be sent to: 88dfUQ7fydN8gDw7ajQyY52KHE6fpdXabRUr3C2tAjK14GBprRcoRpL5vwuT8DKQgSZ8TgNSewHuSLJ5zX9keJgCMxrS3fh If you pay within 12 hours, then you only have to pay 1 XMR. If you pay within 24 hours, then you only have to pay 10 XMR. If you pay within 48 hours, then you must pay 100 XMR. If you pay within 96 hours, then you must pay 1000 XMR. If you pay within 192 hours, then you must pay 10000 XMR. If you pay within 384 hours, then you must pay 100000 BTC. After 384 hours your data will be unrecoverable. The race is over. If you cooperate with us, then you will recover your data. If you change or rename your files, or if you attempt to recover the data yourself, then your data will be locked forever. The decryptor uses a unique key and will not work if you modify anything. To receive the decryptor to recover your data, carefully follow these instructions: 1. Send BTC or XMR in one transaction, not multiple transactions. 2. Copy and paste the BTC or XMR address. Do NOT type it by hand. Double check it is the correct address. Pay in full. Any lesser amount will be ignored. 3. Email us at [email protected] 4. At the beginning of your email, include the transaction hash/TXID of your BTC payment OR the TxKEY and TxID of your XMR payment, so we know it is really from you and you receive the correct key. 5. Emails without this information will be ignored. The race began when you first received communication from us. It will when we receive payment. Timestamps matter. 6. Use your regular email address. Suspicious email addresses will be ignored. Be patient. We check email often but not every second. 7. If our email is broken, bounces back, or is compromised, then you may instead email us at: [email protected] 8. After 1 confirmation on the blockchain, of the correct amount according to the timetable, only then will we reply with the decryptor. 9. You may need to check your spam folder for our reply. The decryptor will include full instructions and the key to fully recover your data. If you're smart enough to understand WHY you're racing, then tell is in your email, and we'll refund you in full and send the decryptor for free. We don't think you're that clever, but we hope to be surprised. We are not joking. If you're dumb enough to think you can recover your data without our help, then not even the decryptor can save you. WE WILL NOT REPLY UNTIL PAYMENT IS RECEIVED. WE WILL NOT SEND THE DECRYPTOR IF YOU ATTEMPT TO IDENTIFY US OR STOP US. WE WILL NOT SEND THE DECRYPTOR IF YOU DO NOT FOLLOW THE INSTRUCTIONS EXACTLY. IF YOU COMPLY AND PAY, YOUR DATA CAN BE RECOVERED IN LESS THAN A DAY. DO NOT BLAME US IF YOU DEVIATE FROM THE RULES OF THE RACE. IF YOU WANT YOUR DATA, THEN YOU KNOW WHAT TO DO. IF YOU HAVE BACKUPS AND DO NOT NEED THE DECRYPTOR, THEN CONGRATULATIONS. YOU ALREADY WON.

Emails

[email protected]

Wallets

1CnvpuszJsuMfzJpTrBx4ZQhK7byzt3XCC

Extracted

Path

C:\Users\Admin\Documents\ENCRYPTED!!!!

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Targets

- Target
  
  0715240d1af82c1cea262cde2a286b8b400805dc1f35f49422c7ee39e00f93ce.exe
- Size
  
  131KB
- MD5
  
  b2fe08274cd765d5c3269bf6d560b5a2
- SHA1
  
  faa12ea8137072476ab6646f06cd74c1e0ced5be
- SHA256
  
  0715240d1af82c1cea262cde2a286b8b400805dc1f35f49422c7ee39e00f93ce
- SHA512
  
  c0cf56c0aa36b6bdd0bdb63e2c8175d5a4c1cec0de560b8e8f7a97aea01568b3393183c049a8702ed0c4ff96428e6811221a92c963e60f0ad879820210653339
- SSDEEP
  
  3072:ECmzzdcTtDRgEorpwbVLuP4HWV1oqCgQfBUnPy8L2VBBh:EbOTttgTrayP4HWV1oqCgQfBUPy8L2Vh
Score

9^/10

defense_evasion execution impact persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  07fec2205cbbf2900ede2f6a1d9a5c428ef314c1dda559c632833a9c1d121542.exe
- Size
  
  139KB
- MD5
  
  e8d60f0ce1aa1ff49f609b36772cd4fa
- SHA1
  
  87f5046e42d592eda4e0a2f04eae011cdf54a84a
- SHA256
  
  07fec2205cbbf2900ede2f6a1d9a5c428ef314c1dda559c632833a9c1d121542
- SHA512
  
  5f2a5979b3308e709e640442cbe0510309ea49e2f968862b68f067483f896a6413ddd1fddcb0fe5abfa0b1f7abaae400f7adbf5d5badbe89b5c2f70242eaa59f
- SSDEEP
  
  3072:hgMLiar9d8Wgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ:FFr9dErtMsQB
Score

10^/10

chaos defense_evasion evasion execution impact ransomware
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (99) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
behavioral2
- Target
  
  10dc6e128c7e5e7088f487ba9b22c1a836f50a552bc93fcce748d7e1c8f76fc0.exe
- Size
  
  155KB
- MD5
  
  cd7be52f7de09e277fc532a3b7006ec7
- SHA1
  
  ed9a3809734da6769abd52bdc7c83aa210522adf
- SHA256
  
  10dc6e128c7e5e7088f487ba9b22c1a836f50a552bc93fcce748d7e1c8f76fc0
- SHA512
  
  b0560990fbca4e7747c44b07ff509c1a942425b4f38ee32e87a5e7a3c8862220bd0c5192defadd66fb0e812d64a05e6f2f332df72dc5c786b95738383c364ccf
- SSDEEP
  
  3072:l5K/B0toLwSNJ5lZHQsozTS+SMqqDL2/TrKDtG:lcytwNr1yTS+xqqDL6HKE
Score

3^/10
behavioral3
- Target
  
  133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
- Size
  
  114KB
- MD5
  
  77be32b91561d1ac5e36464766b7b0a7
- SHA1
  
  9c72fe9c8e24b5c0bde50c71d74fb2586c4201ce
- SHA256
  
  133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de
- SHA512
  
  c8d0d6d15322172631b184acf5df86851dff7d8f15fde9cee7d0b7e4919433ec5b096f4079b5acba78d27dcfc42bfc2bcd3f184cb0a54c13b71aeb40f8ea4152
- SSDEEP
  
  1536:FApx/1k2jbVnO3c+FpR5Q9JzY02pTmZ0ICS4AtebOMZzqFTj5vel1KkK3I:ck2X8M+Fp4vY06A2roFTj5vYc
Score

10^/10

sodinokibi persistence ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral4
- Target
  
  139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1.exe
- Size
  
  178KB
- MD5
  
  8d27d0c897ce21f1036bf659fc663cf2
- SHA1
  
  afe3d0fb48092aeca4dcd3989a076e87fdbe69b2
- SHA256
  
  139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1
- SHA512
  
  531873e8faaf801a447f70848969865750f41fd5ff15bd8c47015e766a9bb8cc1fbb8dcae16ddbf1e4f9dbc5750af593ef8fdcf94cd1a61efa00c7790cda4374
- SSDEEP
  
  3072:/gq2DKdMbv1S/n6rHBJK3V9LBSLrKa+HQXvMES/D3Yw7yZyYpEaI:/84X/19LUPMcMEw3kTI
Score

10^/10

ransomware spyware stealer
- Renames multiple (7981) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral5
- Target
  
  19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe
- Size
  
  959KB
- MD5
  
  fec0ba68b3118f490dbee9dc5cc382d4
- SHA1
  
  c5a76c237314d970fb5acfc118c1f1109d012704
- SHA256
  
  19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0
- SHA512
  
  4c202c11503607baa0fccc23223933eaf1ffe052607f46f3d596520ced90359d1bcf1369ce335d4b63de9c221cf137d6354ce88fead6e3164c54903c8e20f81c
- SSDEEP
  
  24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdMF:Ujrc2So1Ff+B3k796W
Score

10^/10

lockbit defense_evasion discovery evasion execution impact persistence ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral6
- Target
  
  2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- Size
  
  120KB
- MD5
  
  af94ccb62f97700115a219c4b7626d22
- SHA1
  
  bb67edcfe4e5b6fe09ee96e5b8ace7a4cfe39eb7
- SHA256
  
  2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c
- SHA512
  
  08c05f8dc98aba168734732d043c3e403f531522e0ec0ec64484d15375f353aa23f9654852ad2c54a3e6b2a9344f4ffb553cac24455f62bb65b55800e311c12a
- SSDEEP
  
  1536:J8A4krBJLarHZZd/M4PI8iwplAXpzK88ICS4Aer9DIPcG5zXbwMcClFyFfjRto2C:+/LPrlAZZE0cOzbwMflEBPo
Score

10^/10

sodinokibi persistence ransomware spyware stealer
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral7
- Target
  
  2d301697ff72986171c0b2ccc979ab8e93671d640de6abad57de7d4e146b70f4.exe
- Size
  
  1.2MB
- MD5
  
  8815964ed6c37a423f6019b2b69e7967
- SHA1
  
  2565eefb2c6b04f20cc89e4008e910cc5b71efe9
- SHA256
  
  2d301697ff72986171c0b2ccc979ab8e93671d640de6abad57de7d4e146b70f4
- SHA512
  
  706e31ae96edc753ae6b99ec7f7e5a8096e1af86e9a6544c421b5e1e9905de5b1657affe2fba40c3cc2fbf95e2558ca020de48d55a18f78fcb80c5ca972f85fa
- SSDEEP
  
  24576:ZBUIKn/vwOXGUXAjCymYZiVtElVIBT2roqnTSSxWeT/WRPOO8xojUq7:F0dwAYZt6C31WeTuRPOhx8Uq7
Score

1^/10
behavioral8
- Target
  
  3337576503c3e2d8876f50191ae8995b04a4536f816025c543d0e20250598fd8.exe
- Size
  
  1.3MB
- MD5
  
  ecfd401cd766ca07f2028dffff5bcf7e
- SHA1
  
  7161cef8cb4dd89e0214cc20fba5a26e53b5bff0
- SHA256
  
  3337576503c3e2d8876f50191ae8995b04a4536f816025c543d0e20250598fd8
- SHA512
  
  635f7b64635424244ce8fab604c770b088bec0ee63ad2da22ed2bacd8950c2cb74f9019c7b4941738f52f75cf492530b7cee6bd3875702f20650360c443cd03c
- SSDEEP
  
  24576:irENpo0asV/m03AKXWEDJ5oUbuM1PWkXzxM:i4Ni0asg01X1dyUbuMAkjxM
Score

3^/10
behavioral9
- Target
  
  3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
- Size
  
  153KB
- MD5
  
  35560fff8fc990948a9252bf20cfc8f5
- SHA1
  
  66163cb283c8792ac32c0e2361adc7143d8d319d
- SHA256
  
  3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1
- SHA512
  
  9bf7b5aeec71b74012fa36d2af4dc4704e859a564cfbf3b35e44b1af8195a9885292c22a9297b691903c3245a6fae85746590988706e6a4d5dab29937ac13d77
- SSDEEP
  
  3072:j6glyuxE4GsUPnliByocWepvdHFdjFpZ/fgyVF0djk:j6gDBGpvEByocWetdHZ/fgKF0
Score

10^/10

ransomware spyware stealer
- Renames multiple (9361) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10
- Target
  
  3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe
- Size
  
  126KB
- MD5
  
  ff1f6956f07e700a86b5986b63ea12db
- SHA1
  
  a8d88813f2691cf71e8d6790e473593644c913ed
- SHA256
  
  3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545
- SHA512
  
  04f4d29f37079ef04e2b1be812d20d89dca82e4fffff28047de435425a18573cc3edfd5b148e0aded71d652583785e82585c708e0fc38b5dbda61962cbb1f927
- SSDEEP
  
  1536:YxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6QdZls8XzUXiWr4X5Fg:YMhQNDEtb3A2ZHjUyWr4X5FTDUA
Score

10^/10

evasion persistence privilege_escalation ransomware
- Modifies Windows Firewall
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral11
- Target
  
  3f7458e658401c15b675db78a2e9871ca3eeff3c6e299c4545515e56b66466df.exe
- Size
  
  329KB
- MD5
  
  66ec0f1426042dfc88bd922956428c9e
- SHA1
  
  1524ceb090b9b40273a38cee2e3566d2e9631ce8
- SHA256
  
  3f7458e658401c15b675db78a2e9871ca3eeff3c6e299c4545515e56b66466df
- SHA512
  
  d4c2e65d2b4a83c3b383ba9ea5c59059b6ae2bc090710b1290ad54c68b403ada372262271b06586632f4ecca5fe2685f3060c8c11ea8ed80cba8bddeb7ddec9e
- SSDEEP
  
  6144:DSoywCFI00FkyFQkjmkeOcbhdO0OR3rROCdP/gTfEb/hurQhq+17:DSoFCm5NDGdoRfifEbYrrE
Score

1^/10
behavioral12
- Target
  
  434ea9832e6d11d614905e3eb31c333289429095b76573f1ceb38fd10608bc27.exe
- Size
  
  88KB
- MD5
  
  85e06406f5dfd6d96d6185a781b29f75
- SHA1
  
  7b331b808505affee442042f81214360eddf53fc
- SHA256
  
  434ea9832e6d11d614905e3eb31c333289429095b76573f1ceb38fd10608bc27
- SHA512
  
  d6a3464437f0bab899eea250f638b95aaea298e4be8cd8fcddc9fd5b7c2888f51c5e99a9df8ff1eeb8b8e66f810eef2a1338610b893502a58672b917a980cd38
- SSDEEP
  
  768:Cqo2J0wpBxARr9WVFe32SU2Ip4jBqltCF0AxEjenoB69+Fx:5o2icARr9WK32SFHBWAxEjc+
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral13
- Target
  
  47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe
- Size
  
  420KB
- MD5
  
  4c441e0f43f6ea1edf515e4a25ffcd24
- SHA1
  
  ca5021d2161664853eb3900a1d8c9874672c03f2
- SHA256
  
  47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f
- SHA512
  
  488166165f653f6d16c3d4bbd1ddeb547345396f38918481d72cc74da322d363782c6e5024a65b3193c7fe7102200aa76f7f699e3995ba1a0fbd5ca74290237f
- SSDEEP
  
  6144:Lq4/ZdjqF1Tov7yuTlb5251VnHgv+BrlkaWI0wQA:mIre+bQ5jnNlw5
Score

10^/10

modiloader trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
behavioral14
- Target
  
  5114aae6e86c7eedfbf181110e4fddfad88fe296ec590390705e00272121e48c.exe
- Size
  
  301KB
- MD5
  
  be8859e72a538589970efcbd1c198876
- SHA1
  
  5d2a73e2de793c081ccb782fdd1ef319dbd7d8e7
- SHA256
  
  5114aae6e86c7eedfbf181110e4fddfad88fe296ec590390705e00272121e48c
- SHA512
  
  acefe94eeaf7c20714c21d4ef52b33950b8caeae06e24a81c732757251888d504cf98ab958fc82542749421ef5c74655d6f03f4fdf7257159c4cb89367cd8de3
- SSDEEP
  
  3072:uqJogYkcSNm9VE84DATVPHNtQAtZfkE44iNsTc:uq2kc4m9i8PBPQAzfk14K
Score

10^/10

ransomware spyware stealer
- Renames multiple (318) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral15
- Target
  
  537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe
- Size
  
  803KB
- MD5
  
  99885a3cd64212e5d210c9db4bcae5b1
- SHA1
  
  806d2c572e6b247a6d899ad4af840ecbf1f968f6
- SHA256
  
  537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba
- SHA512
  
  f6b5ad9d4bd9c797a1b27c6c078d2a605cd24be6fbcb30016a0b81d00081d6695b29b0ab4bc9e66438eb3769c51df9920d9da8d6260cbc45c52cfb140fea0ab0
- SSDEEP
  
  12288:bDCpAivL03RuebsXkA4uHP/LoyP2VNp6DHpeH+vJxbLWXKy1ypdQhjE+FwSoh:n2ghuebsYuHP/syP+WpeH+zLuBhQSoh
Score

3^/10
behavioral16
- Target
  
  55754358ddd26b3c56ca27780dcc408711f8a9fc42b1c9d305d1045146f40f1c.exe
- Size
  
  1.1MB
- MD5
  
  8671949e88bc1ea76daf4fe896eb4c63
- SHA1
  
  be4aaeee532c884086bed8d93cf0118ea0869042
- SHA256
  
  55754358ddd26b3c56ca27780dcc408711f8a9fc42b1c9d305d1045146f40f1c
- SHA512
  
  32c47ed7534522e5eed62b36ad02655acf9619e124ea14a3d579e0e87dc1c2e459c632ac0935261a110269961d23a741c5b05f6cd2aad40de057c1587d22cb9f
- SSDEEP
  
  12288:ZuSBJp7R7ns6RPHCAjP1CenKui47xLHGKdFPH3h/H6U7W:ZuQJlRo6BHLj8eKuiIxLmKPPH3paUS
Score

1^/10
behavioral17
- Target
  
  5b1caa9bec8d7d7833b0e25f3e4256975c38a22c2901f8e4d99fb164dfde13c1.exe
- Size
  
  362KB
- MD5
  
  e67fc78b86ff068b103fef676f8a74fb
- SHA1
  
  893cadabba49f33b6cf6cc5f09041166cf3ad354
- SHA256
  
  5b1caa9bec8d7d7833b0e25f3e4256975c38a22c2901f8e4d99fb164dfde13c1
- SHA512
  
  64838e84617b89908190a4f64fa2b4c3b96aba94a7fa2a97a917036387f7e9c064e3ea453521ad91684543a011c03973021d6915005c65c66b05c068abbf3b38
- SSDEEP
  
  6144:I2+UbpiyxntHajQkrZ+ci4K9RZ+EXFhTBAd8/AwP9zpNyWQNqW9P:5+qpptVCl6R3XrrP9z2WH8
Score

1^/10
behavioral18
- Target
  
  60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
- Size
  
  138KB
- MD5
  
  7c055e203155b749a047987736400bfc
- SHA1
  
  17f48b45920e1f3e6581e60b0ed346b5770e8363
- SHA256
  
  60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21
- SHA512
  
  8bccbac3f0e761ef19c7a97e7474ac9dc68ac58d4bdfbe095a4778400d2655b2a98d70c301c47f7cb072e77b3e3fde07a0c9a39c151908be5f7c47e1d5f24cb7
- SSDEEP
  
  3072:UPgv1uTga8za7/aApO6fCR6kMgNjTX8jI8VD/dJJO04aN5uvvmRE7xIxT62Br09Q:oKZTMPVDdzR1N5sAxBN9dRd
Score

9^/10

defense_evasion execution impact ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (9394) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral19
- Target
  
  63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
- Size
  
  114KB
- MD5
  
  0af2e477464520e3599dc58deaef2741
- SHA1
  
  eff20e476c1f05198297f61df9013cc02aa8016b
- SHA256
  
  63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc
- SHA512
  
  83fea75f8038942571f177ceabac360d802692af704ecc6a2f9cb8436340be40d0a543c62dee3d61a2fc3ec656b68e8e68d7e60c5d757dcf60626f585fef6398
- SSDEEP
  
  1536:tV4aLxvCy9nFI8EuD6O9+CIWFyKy/awv2I8zEc+n1g5sWjcdnKPltJGDc/Nb92ba:Ey3bJ+Crn48cpnKNtJqcFZ6a
Score

9^/10

defense_evasion execution impact persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (8635) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral20
- Target
  
  78d4fce0c253356bf72cf72f260f27a3f0f3cf0a904a3618f3011cbe0b4e882e.exe
- Size
  
  254KB
- MD5
  
  310b02e1da6639192d8611927027d8cc
- SHA1
  
  ba5c0be3c0742a8119f701490f3f01b3b6abf49b
- SHA256
  
  78d4fce0c253356bf72cf72f260f27a3f0f3cf0a904a3618f3011cbe0b4e882e
- SHA512
  
  7e11857a8ffcd7c237c426d6502937c707f09918231af43e37cfeed4e23465042e4b6967e58d4d4520ec69da02128b1470236a0dca01879e9745568186f78608
- SSDEEP
  
  3072:DLhtgSlZAeKoNhb64VzKRJWpLXOe/TYUAk/M2lH0+6m6MU0NTMnr+rtnd9mTRp4r:PsxWp9TYUzX6Zm6MU0NNgX4r
Score

3^/10
behavioral21
- Target
  
  7c27b9fef6e94e99092fb628716ae9114385d4d5753f72bff1221bad2eb54933.exe
- Size
  
  152KB
- MD5
  
  1e9d3cd135fa559a7a0ce633bcd3d350
- SHA1
  
  682c5009fa589fe0966c4ee928c5b601a0c17001
- SHA256
  
  7c27b9fef6e94e99092fb628716ae9114385d4d5753f72bff1221bad2eb54933
- SHA512
  
  493fd8fc3f8611adadaeb007d9e9c888cd2ddd16e630a8f0a08e81eed88799eb5681521230c9c8b186335f62e55e50dad625861b985615d9ce51a75c25d42a7a
- SSDEEP
  
  3072:y6ztbyumA/clGXyJA4ZKKaP02oryuFbgaztlY27VqmSVzyqYvd0bRPp24dfG+2yG:ycb6AUymArKQHstlY27VqmSVzyqYvd0y
Score

3^/10
behavioral22
- Target
  
  81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe
- Size
  
  115KB
- MD5
  
  7e18b037a068c56417fb8e56aa7e49e8
- SHA1
  
  f6739569a24358c8c060d7131be70712f70f36e0
- SHA256
  
  81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed
- SHA512
  
  d6188e5536b6e0b5c49d572e35155d633c11fd30bc8d4bf4ea87fea7196ae2f67bca364a0afaeed8209e5d4b2be0b98d81c49293d3fed95c70c8388b8387899d
- SSDEEP
  
  1536:AkdeUcaK8Qz4PQIUnq5WMrAmyopACC9ICS4A0vh4NKwTNA28V5/Ogsck:mlnXEXyk7yvh4NKwTNF8V8v
Score

10^/10

sodinokibi ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral23
- Target
  
  995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
- Size
  
  1.2MB
- MD5
  
  43cdea90bfe02953539194cc2612df96
- SHA1
  
  47028bc1510dca41b888db92f6f14d3a3c342f7a
- SHA256
  
  995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555
- SHA512
  
  2b68f4a9f6150dfe524507213e2bf974de8a1eaaa6bbde65ffce8384432732266af24abe4bd2f877e27061b6bd381a792673a55a0073737103b7d694511a9ef0
- SSDEEP
  
  24576:C2ALmtTEQcN3ALfxdkST1750WKRuTx/0OjuSIMxMgWIMz/IPBZMIGaVp:YLSyN3ALQK14RuTxruCMIMz/sBZMIGar
Score

10^/10

defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan
- UAC bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
behavioral24
- Target
  
  9d90421b2e7afff3634a9b1590a165c07995d9e4f171e143c131d540147ec556.exe
- Size
  
  1.2MB
- MD5
  
  058df3567926ad6520a249a3050e8936
- SHA1
  
  6cc228fb8a77e57e597e80c8db8b935724276ff3
- SHA256
  
  9d90421b2e7afff3634a9b1590a165c07995d9e4f171e143c131d540147ec556
- SHA512
  
  15d5faffb166f4b51c9f90b7f1e9710985f00173a57a64eaf8aeda729e551850e7a2ec4638c7b4cb8f2854813dc38c67bb4e9c7b008cda31868b2bd5aa9518a4
- SSDEEP
  
  24576:R2ALmtTEYcN3ALfxdkST1750WKRuTx/0OjuSIMxMgWIMz/8vB0MIGaVp:NLSaN3ALQK14RuTxruCMIMz/IB0MIGar
Score

10^/10

defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan
- UAC bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
behavioral25
- Target
  
  a597d34bc2464c3ace48ac04f6653f65ac4822ea8e4a5717ba9e4909b8c62240.exe
- Size
  
  396KB
- MD5
  
  de74e1eb8ca5494496632da478851ade
- SHA1
  
  99f22f4fa9a0619b9f09e15afc6446160ae6541e
- SHA256
  
  a597d34bc2464c3ace48ac04f6653f65ac4822ea8e4a5717ba9e4909b8c62240
- SHA512
  
  3f4daf1ed4e877b8afc746784ce697beea7cdd19b220b7a8535ba378906ebd7d9bd7c0ecdc11a7e952e050ffc31b7fa9cced324b33a45a8df682dd2f7f0519d2
- SSDEEP
  
  6144:JE9yDzN5oqKVsJAC328uO6s1wQW877buWxjy/qj+aA/H4:+EDJ5ofs9BuOB1wQW87XuWxM
Score

10^/10

modiloader trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
behavioral26
- Target
  
  a5e6df754a4d3bb72f4d5c91d6b582e7e2c2f87ca838f5d976bc82384a5ad2d1.exe
- Size
  
  159KB
- MD5
  
  aa067ea48161558df3279ad6ad514088
- SHA1
  
  e4e8c9580c5eed71050105373612c5a298428262
- SHA256
  
  a5e6df754a4d3bb72f4d5c91d6b582e7e2c2f87ca838f5d976bc82384a5ad2d1
- SHA512
  
  abd076196fd64a1415f97080bcb9257c067c09b1909213ae698e32becfdbcb9c12ada134164f8a48ae06e14ded03a23d4e905369a49c12533e0dd9d7e4f74798
- SSDEEP
  
  3072:juJ9OlKolUa1U197bzhVsmftsryL7ujxTJNeorTE:jufj0zi1dNVsmftRel/lnE
Score

10^/10

lockbit ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral27
- Target
  
  add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
- Size
  
  678KB
- MD5
  
  168447d837fc71deeee9f6c15e22d4f4
- SHA1
  
  80ad29680cb8cecf58d870ee675b155fc616097f
- SHA256
  
  add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b
- SHA512
  
  f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112
- SSDEEP
  
  12288:cPJ4U1TYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLuDJVoM7:J6TYVQ2qZ7aSgLwuVfstRJLIYM
Score

10^/10

medusalocker defense_evasion evasion execution impact ransomware spyware stealer trojan
- MedusaLocker
  Ransomware with several variants first seen in September 2019.
  ransomware medusalocker
- MedusaLocker payload
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (215) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral28
- Target
  
  b098486c49a73591ca003f20276f1ca33605618a7167407d9f3f096bc7ec930d.exe
- Size
  
  374KB
- MD5
  
  730f2f4f1c26912b59156d062af8de6f
- SHA1
  
  3d32f7e5e0ef9424c4d309109d3c765d3fb95091
- SHA256
  
  b098486c49a73591ca003f20276f1ca33605618a7167407d9f3f096bc7ec930d
- SHA512
  
  c2e7f694c1c28724ad98abe8b5493cb4b8270406652d32d0d0c3e20a14dff19e12e815ef9bd0f1fd11aecc9bd4220c6cdaff39233a48338c7dd6d986764692fe
- SSDEEP
  
  6144:1bW9jEAJfeSrTr2MC9LDOTPRM1rOEt26k5M6y6Om+4EgYYnLOPrlzpLHDD6:1qE+lrTrC9LDOTPRMpOc26k549v4EnGP
Score

10^/10

chaos defense_evasion evasion execution impact persistence ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (291) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral29
- Target
  
  b923f1d2ece074dabe58bb6a603ed5d49e8d62044a1293a37e8afbcac029dded.exe
- Size
  
  146KB
- MD5
  
  a96ac42f9ccc7d11663f2741d5dfe930
- SHA1
  
  3ff257bcb32b3862d4eb08c73949e1aa930a2384
- SHA256
  
  b923f1d2ece074dabe58bb6a603ed5d49e8d62044a1293a37e8afbcac029dded
- SHA512
  
  0021067adc17831733b267893639e034db928583acb5a2c18221213772ae7e85fd52bfdf7f90377cee63495d5ba05ce4bd706af302f81357f41fabde9fe29409
- SSDEEP
  
  3072:q6glyuxE4GsUPnliByocWepqzYq7G9HkRgeXCDy8MD5:q6gDBGpvEByocWe4Y7pkRgeS28MD5
Score

10^/10

ransomware spyware stealer
- Renames multiple (355) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral30
- Target
  
  bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe
- Size
  
  720KB
- MD5
  
  163e651162f292028ca9a8d7f1ed7340
- SHA1
  
  a85ff9091f298ea2d6823a7b0053daa08b237423
- SHA256
  
  bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b
- SHA512
  
  f1cd02b07219d40d489b8000a92e20fca0c3e536a7dde25b98b7be0ce54a46349dcea9e66bef8f7fbd895ce7e5b22e3f3a46fbb9c7dcea4185b3937384f1649f
- SSDEEP
  
  12288:A+2ZzbQ32UC1pC0q1oJn2OR9YA/SnHaetVkiIGjltRztp:A+4OECVCn2OR9r/kaetNIOtZ
Score

9^/10

defense_evasion execution impact ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral31
- Target
  
  c3fb821138d38ef9a2b0c77a4a3572ca38499b2dac3530c4a5faf2f789d57fc1.exe
- Size
  
  911KB
- MD5
  
  728eaa91a4c3490b977370c86afcf3a6
- SHA1
  
  aaa32b7462f838a53e2966a308f4ce2a298211ff
- SHA256
  
  c3fb821138d38ef9a2b0c77a4a3572ca38499b2dac3530c4a5faf2f789d57fc1
- SHA512
  
  77cfdf44235c1d44da3f2550fdf2e720a6cdea6bed7faaf55e55c8c5fe5e4abcb03f55a35175633a532051f1b68bd790cfabffece844f31db8b6abd9bd2371b3
- SSDEEP
  
  12288:s07Fv5p+s9GIOiiGuu2NERWwjcgimpDLjNmS0fvxc38/YAX1:B5KsbWwjcgimNLRmS0f5U1AF
Score

9^/10

defense_evasion execution impact persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (9648) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral32