General

  • Target

    RNSM00472.7z

  • Size

    46.1MB

  • Sample

    240925-y8k2fawdlr

  • MD5

    e71a3dbd999bf53c3c820819fce516d1

  • SHA1

    d7d0ea53cc45f81bd4efa0fe8c4bf0c1ade096aa

  • SHA256

    e54915db3dea53ce4044e5f7e0ae8c8f010dc1f62cc8b09054ed01f79e559ab3

  • SHA512

    bb9159041b28bd87203244e4d1bca7b62f76f43e0e107c50230c02aecf00c688ecde0814622070c68655a25eabf4566ee02ed7c2e62c4f425139c8b248f494f6

  • SSDEEP

    786432:joDk3ebC2AfOlxjhalhB8MFk70E8U9oTSq96Mbp69PHhX624TkIjwFTRCyQ:juyebCvOLgKKg0w9EPkPBX65TkIM7CyQ

Malware Config

Extracted

Path

C:\Program Files\Crashpad\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Dear Management of Tquim Transportes Ltda! We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 800 GB of your and your customers data, including: Confidentional documents Copy of some mailboxes Accounting Databases backups Marketing data We understand that if this information gets to your clients or to media directly, it will cause reputational and financial damage to your business, which we wouldn't want, therefore, for our part, we guarantee that information about what happened will not get into the media (but we cannot guarantee this if you decide to turn to third-party companies for help or ignore this message). Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact me: [email protected] Additional ways to communicate in tox chat https://tox.chat/ contact our tox id: 7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418
URLs

https://tox.chat/

Extracted

Family

redline

Botnet

ANYTHING U WANT

C2

3.235.181.77:80

Extracted

Family

nanocore

Version

1.2.2.0

C2

darkrig.ddns.net:54984

127.0.0.1:54984

Mutex

a4e9a3b2-293f-477b-9774-458e8f942810

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-09-09T20:42:26.979636536Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    54984

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    a4e9a3b2-293f-477b-9774-458e8f942810

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    darkrig.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

njrat

Version

0.6.4

Botnet

By Dz

C2

fathiyassin22.ddns.net:1177

Mutex

d5a38e9b5f206c41f8851bf04a251d26

Attributes
  • reg_key

    d5a38e9b5f206c41f8851bf04a251d26

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Run RunPE

Attributes
  • splitter

    |'|'|

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

112.175.88.207

112.175.88.208

Extracted

Path

C:\Users\Public\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">����������45 30 70 6F A1 A3 F6 23 1B C8 A1 78 02 43 D5 8C 0C F6 E8 14 43 22 DF F4 A3 BD 19 24 4E BC 0F 82 A8 8F 97 05 AC 66 2F 65 6C 0F 73 F1 D6 06 59 FF 0E FF 9F E2 92 B5 B4 40 81 41 18 8B 5B 1E DA C5 95 3A 4B DC F2 DD 7A 23 DE 73 85 DF 9E 44 1C EB 3A 6D 95 7F C1 87 69 70 F4 76 ED E8 F5 9E AB 01 22 76 35 B5 08 72 B0 48 F8 F6 20 D8 16 B9 E6 43 4B B8 03 8A 38 FB DC D9 E6 03 F7 FF 60 D7 10 D9 76 09 24 3B F6 C4 47 12 7F 9B 3D 9D D9 BD 86 72 FE 43 E9 0A F8 14 72 BE B9 56 75 04 E9 0D DE A5 82 DF 8C A4 51 BE 04 FB 0C 46 1F 93 FD F0 9E 8B 76 A8 A9 10 AE 49 E5 C7 4A 1F 20 58 D0 45 9D B7 7E 01 28 43 1F 3E C6 83 6C B4 5A 9F EF CA 6F B3 71 DE B5 CC F4 34 E3 59 95 AF EC 1A A9 8C D0 12 29 7B 14 DB E5 AE 1A 63 37 CD F7 E5 A6 5B 7A 7B 72 09 2E 98 B0 8F 18 18 8C 26 26 EF 1B B4 A6 0D </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br><a href="[email protected]">[email protected]</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> �����������

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>54A67FCC-2930</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div class='bold'>Our online operator is available in the messenger Telegram: <span class='mark'><a href='https://t.me/Resp0nse'>@Resp0nse</a></span> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Targets

    • Target

      RNSM00472.7z

    • Size

      46.1MB

    • MD5

      e71a3dbd999bf53c3c820819fce516d1

    • SHA1

      d7d0ea53cc45f81bd4efa0fe8c4bf0c1ade096aa

    • SHA256

      e54915db3dea53ce4044e5f7e0ae8c8f010dc1f62cc8b09054ed01f79e559ab3

    • SHA512

      bb9159041b28bd87203244e4d1bca7b62f76f43e0e107c50230c02aecf00c688ecde0814622070c68655a25eabf4566ee02ed7c2e62c4f425139c8b248f494f6

    • SSDEEP

      786432:joDk3ebC2AfOlxjhalhB8MFk70E8U9oTSq96Mbp69PHhX624TkIjwFTRCyQ:juyebCvOLgKKg0w9EPkPBX65TkIM7CyQ

    • Detecting the common Go functions and variables names used by Snatch ransomware

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Modifies WinLogon for persistence

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Snatch Ransomware

      Ransomware family generally distributed through RDP bruteforce attacks.

    • Urelas

      Urelas is a trojan targeting card games.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (69) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks