General
-
Target
a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0
-
Size
484KB
-
Sample
240814-dfs65avhje
-
MD5
15bcd1b0665214657c87bdbd77f9cdb2
-
SHA1
131a00e07b72784461c859d75b40dd83bd0eeff3
-
SHA256
a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0
-
SHA512
f11fce0a2c27cc1063f61250e6b0a45681107d0e137289e822364034958c4ca10079c60ca668dfc00a1240eca897ae13064c2fe74f50cfec4f734e979a9b5cb9
-
SSDEEP
6144:T0Kf3dwCiJOp5DzwQTSmKMuYREY4nLy95/YjVD+IyaFV/GCK7IfxB7f:r55QySNaEY4nW9sl+ja3/GCt
Static task
static1
Behavioral task
behavioral1
Sample
a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
C:\$Recycle.Bin\HOW TO BACK FILES.txt
targetcompany
mallox.resurrection@onionmail.org
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Extracted
\Device\HarddiskVolume1\HOW TO BACK FILES.txt
targetcompany
mallox.resurrection@onionmail.org
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Targets
-
-
Target
a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0
-
Size
484KB
-
MD5
15bcd1b0665214657c87bdbd77f9cdb2
-
SHA1
131a00e07b72784461c859d75b40dd83bd0eeff3
-
SHA256
a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0
-
SHA512
f11fce0a2c27cc1063f61250e6b0a45681107d0e137289e822364034958c4ca10079c60ca668dfc00a1240eca897ae13064c2fe74f50cfec4f734e979a9b5cb9
-
SSDEEP
6144:T0Kf3dwCiJOp5DzwQTSmKMuYREY4nLy95/YjVD+IyaFV/GCK7IfxB7f:r55QySNaEY4nW9sl+ja3/GCt
Score10/10-
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (7279) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-