Overview

overview

10

Static

static

1

RNSM00486.7z

windows10-2004-x64

10

Resubmissions

10-09-2024 18:03

240910-wnbk6axblq 10

10-09-2024 17:52

240910-wf31faxgqb 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00486.7z

  • Size

    117.8MB

  • Sample

    240910-wnbk6axblq

  • MD5

    9cad20cac5e7a2828d978175bb888a8d

  • SHA1

    d7253644d5b0c999adef488892b0b34115576d53

  • SHA256

    4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23

  • SHA512

    271023ad2f017c2a89e81ebe67725ad3ef5e4114bd0249505fa1fff6ca102a314b93ef3ac7463f816b187b1cc11f521465138dbfcff8a08d32e1ce3ac0855b87

  • SSDEEP

    3145728:4AORmmLuCgOX0cXsvmpqt8t2ed+Uv81oz+tHTQY:lmym0HvmZdZZszQY

Score
10/10
avoslockerdjvunjrathackedlimediscoveryevasionexecutionpersistenceransomwaretrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://cdn.discordapp.com/attachments/880265796767608892/881902176195186728/New_Text_Document.txt

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    010203040506

Extracted

Path

F:\GET_YOUR_FILES_BACK.txt

Ransom Note
AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Additional notes from attackers responsible: Hello, All your data in the company is encrypted and your important company data is backed up. I do not need money, I receive payments from many companies every day and I deal with the encryption of many companies every day. More important than money is time for me. For this reason, I have time to inflate the number and bargain like other friends who do this business. The offer I have made for your company is very reasonable and not a big deal for you. If you do not pay, the data of the company that we have backed up after 7 days will be shared publicly on the internet and you will not be able to recover any of your encrypted data. Your ID: 8c7a9b681dfa1b2b87ea459caddf2adf9413dc76664fb74063fb264116897023
URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Extracted

Family

djvu

C2

http://rlrz.org/fhsgtsspen6/get.php

Attributes
  • extension

    .maql

  • offline_id

    xcdIdDNFh62dy3iJsba1COhcfDENsbjPHQQ2Eht1

  • payload_url

    http://znpst.top/dl/build2.exe

    http://rlrz.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-pk3SGFlmek Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0340gSd743d

rsa_pubkey.plain

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

127.0.0.1:1528

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    AZERTY

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

Mutex

6987755f146a62fa584d2a8a43dc9fe3

Attributes
  • reg_key

    6987755f146a62fa584d2a8a43dc9fe3

  • splitter

    |'|'|

Targets

    • Target

      RNSM00486.7z

    • Size

      117.8MB

    • MD5

      9cad20cac5e7a2828d978175bb888a8d

    • SHA1

      d7253644d5b0c999adef488892b0b34115576d53

    • SHA256

      4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23

    • SHA512

      271023ad2f017c2a89e81ebe67725ad3ef5e4114bd0249505fa1fff6ca102a314b93ef3ac7463f816b187b1cc11f521465138dbfcff8a08d32e1ce3ac0855b87

    • SSDEEP

      3145728:4AORmmLuCgOX0cXsvmpqt8t2ed+Uv81oz+tHTQY:lmym0HvmZdZZszQY

    Score
    10/10
    avoslockerdjvunjrathackedlimediscoveryevasionexecutionpersistenceransomwaretrojanupx

    • Avoslocker Ransomware

      Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

      ransomwareavoslocker

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Renames multiple (141) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Proxy

1
T1090

Web Service

1
T1102

Exfiltration

Impact

Tasks