zeppelin | e424e3ac235b4bdc894157a32a057aef20ed23600cbf68c205afaaf6d97eb965

General

Target

240816-rstv3sk633_pw_infected.zip
Size

92KB
Sample

240819-brx84szbrq
MD5

e3f2aabc5b61d7dc60915fa71eca81b3
SHA1

a591d3c06de042826c5fc607e89c1a500dd4f601
SHA256

e424e3ac235b4bdc894157a32a057aef20ed23600cbf68c205afaaf6d97eb965
SHA512

4ef7d0150a24d7b3e1ea52d3d07dacbed3fb3c70b9c96f8fef4513de328b24729ab8f26a30e8c0669ceb4f695a5fee29ab4b05d25d25d289d36160f593f2553e
SSDEEP

1536:QkfdHaUdUY8dkOT6bd/ox/GGfN8x3npM31c7whkzPvhFzLt23mQXZe6lWjaUPUO3:bdHaU4qI8d/ox+GF8x97whGvl25Ze6Hy

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\ ATTENTION! ALL YOUR FILES ARE ENCRYPTED!.TXT

Ransom Note

ATTENTION! All your important files are encrypted with our "RDanger Ransomware". Don't worry, you can return all your files! The only one method of recovering files for you is to purchase decrypt tool and unique key. This software will decrypt all your encrypted files after your payment in cryptocurrency. What guarantees do you have? You can send one of your encrypted files from your PC and we will decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Discount 50% available if you contact us by email first 72 hours. Be sure that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 24 hours. Write to email: myEmailThere Our reserved email: 2myEmailThere Your personal ID: F05-FC7-6C7

Extracted

Path

C:\Program Files\Crashpad\ ATTENTION! ALL YOUR FILES ARE ENCRYPTED!.TXT

Ransom Note

ATTENTION! All your important files are encrypted with our "RDanger Ransomware". Don't worry, you can return all your files! The only one method of recovering files for you is to purchase decrypt tool and unique key. This software will decrypt all your encrypted files after your payment in cryptocurrency. What guarantees do you have? You can send one of your encrypted files from your PC and we will decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Discount 50% available if you contact us by email first 72 hours. Be sure that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 24 hours. Write to email: myEmailThere Our reserved email: 2myEmailThere Your personal ID: CA5-DD3-670

Targets

- Target
  
  d601d4e08bf2fd6e275b93ed87cb05846b0d914263aeeae35bf0bb0d0f353bcc
- Size
  
  94KB
- MD5
  
  002a5619993588ab6b47990c7a4a237f
- SHA1
  
  7d9aefdfdc745a196e29ec879d774d46d6194291
- SHA256
  
  d601d4e08bf2fd6e275b93ed87cb05846b0d914263aeeae35bf0bb0d0f353bcc
- SHA512
  
  4d964cb86e6cf5164ef0f514ff65346aa5680e7574e0b2d3501801295d66fcc5407999f86e915c624678e78e1602425432697d1cb523b5900feb9c127858b892
- SSDEEP
  
  1536:rG39cG5yGQE0yRAo4CBsleM4Xu5Z/N/I+e7d/Cdjzr0MKwqlenOu7A/YcHT:m5xQEizCOeM4XClJI+WwUxJlenbC
Score

10^/10

zeppelin defense_evasion discovery execution impact ransomware
- Detects Zeppelin payload
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
  ransomware zeppelin
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (7405) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2