avoslocker | 75f2278a58d14d126c9bce4e31b527cd258bf00ff36ea128374a5f2bf0f86e5c

General

Target

RNSM00483.7z
Size

47.3MB
Sample

240914-q4nmrsxakp
MD5

089cee221e08d8edad93795d4a0ddacf
SHA1

56c1ef11b308e8def30e19a8cd2b5d908eb20c78
SHA256

75f2278a58d14d126c9bce4e31b527cd258bf00ff36ea128374a5f2bf0f86e5c
SHA512

ea2f9f01ca0681e73d27c03b609a0c3ecdc9cc78d4eda03d88e844961a267ba63d81caa6e5f3cd6ce122a243b8dcef5fa5c600ac1b410aede0a8f1dd4ed0db17
SSDEEP

786432:4g8X+Ijnxcyzew9udeAhP5XltZehEExusKZhdINIsLyVhm08ek9GLEUUSccH0I:4FuMxZeL0YrzE3qdMLyVh7orUUSh

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/f0598199c13cc0e6 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAP8IQQnUGzKMREq2JRBv/RWkzDFS7kzdF/9EB1rJXT086BxC8U+a2XqeSDNfIZML4ZP3lJXqGFj2aBSXNrcN8RAwpxad+S0IiMG2lDBgzcBsH7TC+wkTeUSUDcWaFFObhRhgEh5oZhH8ADaom9zSqSpqjdfN0OjXjwFMvYiuQDGapj0QSRnEqdhG6okqK25xD3DItTVOilDZ5J16Dxd86Y+QHF5V1c48bD1m451huTkuOIg7iVY8NUMgWdysTcM0CroY4iHFbXlD17Z4AH02X4bNQNGDk6jHZXUzuGMhdEiDc373bJeu8b/9tRqePlZ+xg5aTFEUn7zRzrdhnAXli5OuykihvHoVlNJfUkohTwZZn3IlgpNbsvDwuD6ZY6ktXQidrY1aDhaRAdqTkUfwnxvANtM6bPCQf/dif5Kh1IW+5fhCK2FGaO5TMISi/1qzch/Azbfyw3iG0o2O6r4V1+Jm2Z4KIpm6N36/ji2qsqnZ43jVJsrCU2ONiltRFjSLhNzhNdht0/D3HWIlN56xNuy8iTrfYmlczvMtW3JEePS3upH5qQM5yLC4YgIGJVsbSPzN05d4YSoIH/OM5VcNt4Vhx+qrW5Ukhro70DRI2SovYWu4ZWRLfJ7JAi6pcwu+mn6uY4/uPLw0eEcPqZivBSW/MrY+Qrs3IHTE48vt0rQutL10qM9cPaIiRihS/r0jA28TlA7fo+u4zFKjiJ7WUSbcdzKVAPdSGUV+UqG5MvgigAHPjFlG1HFdoTKa7FigavOQ8zLc2ldVkEQEoL0Nv7BnKW15nqFwma7F4o6q6AANjlJKNaIIgemyYUk7PTWyIdUN3eeWenC9+qxFpKsXqYkOwOUG4EDGQkCiNUqeG4mMzCKsf4L9cPoPXwbCRwaP7g7om40TXfIbId6oA72sdQMxVK1fZxKaO9lqED6fj8edm7bPXRs30WiAUe8BIvhjPCDucHqwbft/5naEMKRmy9KPsJ5uAQee+YH1vRbxZeGe4FpTQiNWNvHETDEbu5jEBsOyHCDrp7qgA17Uys9q9uFYrrYeEc9W4eg8AjVYNd+RhCk1+wppnzfINgm/mCOwENLNV6l4Msr8gFMifaX+UIYFHEmN60NEC+rHyhWhmDsgdxUc5j1kR4hGV/ps1rwtqXHtd6dCboDz9XV8P2xFhumq/Dbi1hY5mp4rlSjttS0WxDjcazqOHPuFm5MDTpk8+WLa0yWrCaZMraVXgsSEpRpzg72CPxW4EJZBv5DN0pnSPJlxiJnKT/5FnTkbL6fotyyo1fzqN4SXCpb0vBwwjTWV4b7fMXLJPRithKGFVSXy84eEcmTHGASN6bq8eHyrMDg0Z4eSzdwKhY8HsOKxAGFV0WIbWW2286aPdMjp3YoMmMp4eY5MIuxnyBQ0WRdRav/oV+0P5Hbcn3v3ulJBMCjvzNVmOI1iBnWPjPA2bUIAz9OJ/ZG9jagx/2RzbEEOKEPcdqAebqehz32Io5CCpvzEuN2ni0hPBr1bq0nTjuTW8rYuGKinSocazTFImTRVwIfJ9VB61ybXeM8mkNhgiX8ULuLKJ8+lSM1yjWkmOLI6uhZYNYrm0/T5c3Luw6kjzZ3YQsOGBwdKoCafRYnsG/vJE2a2iBQm0Wh23b57TYs4puekc8izJ4a6ChFOFdPFDpyIkx1ixpWPWTcT3CGnp6wwKuh0ZO6HOl0uVC+IKOLlGYKAGORHDgRI/+yBh+Fj+LbCS7lHkg4veiLwGTvy+B6Wx/hqjeM32MyRNfUMEy1n7xFaZRPX3D1lhUS8r3aFfGsMqYnd63dc/1Zgo3rd8SNGB5EreTpn1W5Ovy2GRrj/xqvJ+bveNaeSdFeNgC9HOSTXBehj2qWfhi0XzNMLMUfaKVjoyEGkFsFLK3c0lJ/tQoTAwe4F3U1n3lp0/fBxIz4L0M10kLAxd3bDKzY5IQS7eYOorWoe6pgrb55jQRhAhK1qbZjMNsmaPm2lHD/tHxnsXrpOP/60OlNon4rsKxGBCY49uhBnZTRdn40JSIPqZ5xDX0KlGl7yn1Jyq6Gd+1705AJDzbQsmzZQo7mJJHLrRucMuPXLHbPG1Z4RizSPo7C88Hq/qk0QJ1DwISFIsSXbxVqwLVQXxZ3MqG1661A6AAVKWf56aVl8TT5h/rhwUvB/CEaJW9tYsgWksGxx6JDQi7Llo4QnlLpooDtDY9FzQjFVoA35aMgjmKLfSZK/dnPQ0doEsX9ZWhfWchst5p+VU3c= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZfToFRunYP7ntWvLfSTHKHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXBtuKk/2M2GOsuGtpYZVqKBnTtrBHVEYob8icS4oy4Pab3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pARFI3vLLMOaq1wcZNHQURlWKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3TC2qZBEuTtLkigBZ9MNJGhHpcOfb/LRdoPsok9V+butLOnzJ/9bHYIh8sz6+xLRettGP+Pbn3W/eJIXs9ebdQm9EZhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/f0598199c13cc0e6

Targets

- Target
  
  RNSM00483.7z
- Size
  
  47.3MB
- MD5
  
  089cee221e08d8edad93795d4a0ddacf
- SHA1
  
  56c1ef11b308e8def30e19a8cd2b5d908eb20c78
- SHA256
  
  75f2278a58d14d126c9bce4e31b527cd258bf00ff36ea128374a5f2bf0f86e5c
- SHA512
  
  ea2f9f01ca0681e73d27c03b609a0c3ecdc9cc78d4eda03d88e844961a267ba63d81caa6e5f3cd6ce122a243b8dcef5fa5c600ac1b410aede0a8f1dd4ed0db17
- SSDEEP
  
  786432:4g8X+Ijnxcyzew9udeAhP5XltZehEExusKZhdINIsLyVhm08ek9GLEUUSccH0I:4FuMxZeL0YrzE3qdMLyVh7orUUSh
Score

10^/10

avoslocker gandcrab mafiaware666 aspackv2 backdoor credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer upx
- Avoslocker Ransomware
  Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
  ransomware avoslocker
- Detect MafiaWare666 ransomware
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- MafiaWare666 Ransomware
  MafiaWare666 is ransomware written in C# with multiple variants.
  ransomware mafiaware666
- Modifies WinLogon for persistence
  persistence
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (161) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Modifies Windows Firewall
  evasion
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1