ardamax

Resubmissions

22-09-2024 11:21

240922-nf3exaxbrf 7

19-09-2024 15:20

240919-sqqajsvgnf 7

19-09-2024 13:36

240919-qv9tms1gqm 10

Sharing

Copy URL

Twitter E-mail

General

Target

RatAlerts.exe
Size

36.7MB
Sample

240919-qv9tms1gqm
MD5

f921e16ca321bbe2e490f036f8b99c74
SHA1

6e25638b340ba77f3e467bbbdc27c48209e193af
SHA256

6b1700a3961f46120afdf3c5e027556682badcae0015503d533c9f808f214ddc
SHA512

04492839ccaeeddc9090b7f6c6458294540bb3e2589108a3c459ae87a11c6cabe6548d80805f37b8bd43616d3645afdabe8b95b9f37c85c06f5c87b137a10274
SSDEEP

786432:pjE3Qtst8rW8WZ2YwUlJAdQ/2j6+s7LWB75zuXVgM3MGYS2fAMJLjvZ:a3QtIoWlZ2mlq62qHWB75ilZMGJ24MRN

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

soso

xsasax.no-ip.info:88

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
windows
install_file
windows-help.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
1111
regkey_hkcu
windows-dif
regkey_hklm
windows

Extracted

Family

xworm

127.0.0.1:14624

button-temp.gl.at.ply.gg:14624

93.183.95.210:5552

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Extracted

Family

emotet

Botnet

Epoch1

128.92.203.42:80

37.187.161.206:8080

202.29.239.162:443

80.87.201.221:7080

190.188.245.242:80

12.163.208.58:80

213.197.182.158:8080

201.213.177.139:80

62.84.75.50:80

45.33.77.42:8080

185.183.16.47:80

78.249.119.122:80

177.129.17.170:443

51.15.7.189:80

152.169.22.67:80

119.106.216.84:80

109.169.12.78:80

51.15.7.145:80

219.92.13.25:80

190.117.79.209:80

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

Epoch2

38.18.235.242:80

5.196.108.189:8080

121.124.124.40:7080

104.236.246.93:8080

113.61.66.94:80

120.150.60.189:80

91.211.88.52:7080

47.144.21.12:443

108.46.29.236:80

139.162.108.71:8080

134.209.36.254:8080

139.59.60.244:8080

66.65.136.14:80

76.175.162.101:80

174.106.122.139:80

95.213.236.64:8080

174.45.13.118:80

50.35.17.13:80

209.141.54.221:8080

87.106.139.101:8080

rsa_pubkey.plain

Extracted

Path

C:\Users\Public\Documents\RGNR_1AE990F6.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Targets

- Target
  
  RatAlerts.exe
- Size
  
  36.7MB
- MD5
  
  f921e16ca321bbe2e490f036f8b99c74
- SHA1
  
  6e25638b340ba77f3e467bbbdc27c48209e193af
- SHA256
  
  6b1700a3961f46120afdf3c5e027556682badcae0015503d533c9f808f214ddc
- SHA512
  
  04492839ccaeeddc9090b7f6c6458294540bb3e2589108a3c459ae87a11c6cabe6548d80805f37b8bd43616d3645afdabe8b95b9f37c85c06f5c87b137a10274
- SSDEEP
  
  786432:pjE3Qtst8rW8WZ2YwUlJAdQ/2j6+s7LWB75zuXVgM3MGYS2fAMJLjvZ:a3QtIoWlZ2mlq62qHWB75ilZMGJ24MRN
Score

10^/10

ardamax berbew cybergate dcrat mydoom xmrig xworm soso backdoor defense_evasion discovery evasion execution infostealer keylogger miner persistence rat stealer trojan upx worm emotet gandcrab pony squirrelwaffle epoch1 epoch2 banker credential_access downloader impact pyinstaller ransomware spyware
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Xworm Payload
- Detects MyDoom family
- Disables service(s)
  evasion execution
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies visibility of file extensions in Explorer
  evasion
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SquirrelWaffle is a simple downloader written in C++.
  SquirrelWaffle.
  downloader squirrelwaffle
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Emotet payload
  Detects Emotet payload in memory.
  trojan banker
- Squirrelwaffle payload
- XMRig Miner payload
  miner
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2