avoslocker | 4aeb68c64e5569df9948d6406af74f572366a856682d5642737ebf4f5466bd73

General

Target

RNSM00484.7z
Size

39.8MB
Sample

240913-we7x1azcpj
MD5

545ebcd86c258f0f668d7566ff18981d
SHA1

2ddc937720ea4186d2808f7ca964ea0cad94259c
SHA256

4aeb68c64e5569df9948d6406af74f572366a856682d5642737ebf4f5466bd73
SHA512

99ab06d5014c7c3afc198e09f20a08d8b3855d99661bfb5c1b35b999f6869a7b18c7eac7cee05eac004d22d896acee620efc22fd3683d097fbd9760a27cdacec
SSDEEP

786432:mYRsUB/xhmcQQdUY5GhoYMkPi8kWbia3+uoLiFde04XlT9OBhDoZBOTLSNw:mYRsiQ4coFuFbHODLgdeHluDoZBOTLN

Score

10^/10

Malware Config

Extracted

Family

djvu

C2

http://securebiz.org/fhsgtsspen6/get.php

Attributes

extension
.tisc
offline_id
uFHwN7bjwCkJEeUg8JHISzLqrwudidH8XsPzHDt1
payload_url
http://znpst.top/dl/build2.exe

http://securebiz.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-1JwFK5rT39 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0336gSd743d

rsa_pubkey.plain

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\UWBIN-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .UWBIN The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/33f96287eca8a047 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAFeW5a83sZRfRaI3K+HjfSMrNBCWsM0DpZuaVpQAnmMZGHixTN5NQU/z+jXYsHA+GQ3zhWkJ4OpWAQnrDRE4mho2eYCfe6U0mYS7pLui/ATDE4FGMCKktlLd4ZaI60PLJlesLx9kapMPIp3v6JwGOVSmzZT0nq85OQByV5PyzyP8Lggdxno94YmKnZN6YO8vsDnqBd6XH2y7UkFFWW2XOBKCDGqYW1J9+a26+d5uvVFrs+3sOmhXD1QvTaovdnaYoMbRUaGbflTE8cjr0GBkAz2YHqhRcD9FcugwrgcY0q/IvU/RgFHVUZkSwes9bdBbLvNL4NXIFPq45wkb3emERYlHmtEjQ2Cat/Aw9lW+/yS2z7C9reoGDvxdym5Z1bAJemT0VxTBIZeuDaSCX2dsYFH6cf+0S0L+jsPdVpxQAoOyMB0LkWCzLau9yooB5liBLBpoYowXCnD4qITzj/9ipms551vd1BQ4Ki5hZCivgqjyHUdcmDljL+PfnjmObz12b0OYNJn/8zp7arhGQdlOyMswGz9pqL5sJZ5L2bTxDkl2v0ytUc8DjMYHPn7I8dHJvc2xszX4nUrtPxtRpxACvX/4bW9HOZkqk9UJyMZgUf32s6scc6O25wbu9+KPk9ZMjBGmyYpu8rvsVgRmQ8McZa/JBlhj6WvC+TwkqkMA+rB24pEvb7dN1AacfIzeSGCOKd4Rr8elQdDtikLOxRS802Rp1SzAvgtPMqsK9jEVbJAfiEeB02RxFxf+6O3NR6764VFDe0OUIo5HvCxl/I2N0aeUzsZRz/IvmzhvMYSpEBXZ1HzEQbDRL/gZ66fIiOzW1/GlJ/qPkqWs7Iy1mIVkoazKZcJzrmRkv5HVa/oF8LJlBe7xvQ7hEm56CFWE6bXrGdOOJgmiNGBRuyAaEzusksbDWWZ/kbSw038AfqOvGNTnu5bl4vyG5vuCNrQnLGrPtOeTuPPQfiY3jCY9ikZNKXIr6RLLblBuK6HeOBE2DVf0PDmvazrB57pE0AKmlmINKGG1RsRy2G4ZCje2Qpjz/TucrhZrTVnv8iaEKILzm/iSZoW9lJmErnF2yei0k5ORXpRM6crlpDEKAGY/PzLZhMAQB+tAYmV1KLX5DLB3fyccDxnjlD4tu29dyBlyVXVLVSnfk81qiMzPMJumraiuw718NRZupfeXiAhB9VQAF9YOpaAH4/hC+dXcq7u+8slPTay8xt4pt3tuwmQajrUOvqHEeiXHCZjHmo+RqvaxFUx3ViVlYV2W4a2U4opGFq1izmFWNjvsq6pz3hFGmPExn1ICZBaXOIKG156r8XzWN4XcyW0y2OdQxvqo9AbVPEP+AJKGldSnjdOKQbL6658Ynj7ztycjKnBghp/8I66WqfX12F1Vwbj9fARvlcl9Vf5rTNvpATrKmhM2m7ZFnDPt7nvpSE6xsj3rw+1Q3W3wjp6EgrcdjyBZH5mJJnu6fZg7q3j96YyJlUSkM42zjiCrOUFhNK9ctZVyvbtJxiOKoTSOm5R5SMmmACasLYiOjWDxm3mr3wIFn3iSVL7+L/qRegwLIlOr9Ap4g1p/TdzXbtMYBQHdrO32mDRPUkAeQ+11GXli/v27SL5DwzU4bfpMygcbxZeKA3+kGCEQnbb8txue6bmOFD57B1BhUI9xS3MDFuFVZz48Q8bS/IPvLoWIRU5VkPLHcGvABCLXOe+4DsS09B7OHIJseWOEAIU4xcpeWsYPlaMEGoVOCCRzio1IyA/RIOT6J8t5CbWr2D29pHQMgx2UA9Cp0LY1Zvz/cD9+w+FfMJKZn5Iw/xiw3KhwvmaF6XUaRNNfZkLvTQFSuywybyRPacN5S/ZXlkjcOsprF75+CpzZYFZXz7qZnK+4GobaeJnJ5GlP4mN5fKExS2CCXg8iCMDky3QFmZ/SXwgLgj17BTh0zBW7Jz6FG7MagJK0iNFlUzZwO08xj0OcSMy/vRDJFDb8ogZbSAtlWFKE6IA+vWNlgxFwOaSOxUwP0LR50mmBl7GYrPaSi2Pk5depyqXOZEfFnmpXB038fqAEgXWu3qP6vtS6MPHEkIQbh0gcUd8sRCKJrRzFoRcShNkdXwpzB81vqbNr/C2EWs1vGqZdgs4+YKZ/jG0VBCITVmTSbFtcrciH95XnDe5g9GY1Yws8AMHkPVfhk+dPZrLYpkNAvOVmg0NaNx/nGMXd7Y4bo73I5qzORdkskVLgomIa2wXFeLcDkXSl8yZkStoFvpLJNSo= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZSToVRtnYO7nJWs7fMTHCHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB4+Kn/zA2GOsgGtlYZFqEBnLt/hGHEdEb8CcS4t24PKb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pARFN3vfLMOah1wUZN3QeRlWKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9eQ3bC26ZEEuDtLEisBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLZ2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/33f96287eca8a047

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Targets

- Target
  
  RNSM00484.7z
- Size
  
  39.8MB
- MD5
  
  545ebcd86c258f0f668d7566ff18981d
- SHA1
  
  2ddc937720ea4186d2808f7ca964ea0cad94259c
- SHA256
  
  4aeb68c64e5569df9948d6406af74f572366a856682d5642737ebf4f5466bd73
- SHA512
  
  99ab06d5014c7c3afc198e09f20a08d8b3855d99661bfb5c1b35b999f6869a7b18c7eac7cee05eac004d22d896acee620efc22fd3683d097fbd9760a27cdacec
- SSDEEP
  
  786432:mYRsUB/xhmcQQdUY5GhoYMkPi8kWbia3+uoLiFde04XlT9OBhDoZBOTLSNw:mYRsiQ4coFuFbHODLgdeHluDoZBOTLN
Score

10^/10

avoslocker djvu gandcrab modiloader urelas aspackv2 backdoor defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware trojan upx
- Avoslocker Ransomware
  Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
  ransomware avoslocker
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- UAC bypass
  evasion trojan
- Urelas
  Urelas is a trojan targeting card games.
  trojan urelas
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- ModiLoader Second Stage
- Renames multiple (159) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1