44caliber

Sharing

Copy URL

Twitter E-mail

General

Target

RNSM00470.7z
Size

27.7MB
Sample

240927-pdgk4asark
MD5

c44d7c388a28ea87918b43ad473e8397
SHA1

5dc3d609248dbcff87e97d42dbe83d11b007c914
SHA256

727f3139b67cedd9faa333bd9be5d1a46d72a3f8e62d76dd22a8f0e09480f686
SHA512

92ae685b34942e32552b5cd7c7752e893aa6a1f5d836d78ba291bd4cae87f0d1cfa39eea0a4a4274434cfe28be917183aa2461906d71f80d90bcbe25f6c2b40d
SSDEEP

786432:22tU3SVeiajy2CU5kPvqKdBtebjkNo/4FVb+G7YAN:DUiVexy2CU5GqnmGG0s

Malware Config

Extracted

Family

clop

Ransom Note

@@@ Sunrise Credit Services, Inc. @@@ !_! DO NOT ATTEMPT TO RESTORE OR MOVE THE FILES YOURSELF. THIS MAY DESTROY THEM !_! ***Also a lot of sensitive data has been downloaded from your network*** For example: ______________________________ \\EXT3326N\C$\Users\ddoane \\Sentinel3\Administration \\Sentinel3\Collections \\EXT3018-W10\C$\Users\dcohen ______________________________ THIS IS A SMALL PART, ABOUT 10% ______________________________ If you refuse to cooperate, all data will be published for free download on our portal: http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion.dog/ http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion.ly/ http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/ - use TOR browser CONTACT US BY EMAIL: [email protected] or [email protected] OR WRITE TO THE CHAT AT :->: http://53prkfr3v6u4nltgmhot7wv2p4jci7vcxdqj3khbm6qg72cgqvedleid.onion/remote0/6479db06-4842-4dc9-a7b9-93fc0ed060d4?secret=sasp (use TOR browser)

Extracted

Family

44caliber

https://discord.com/api/webhooks/880444743786594376/7nG7bhpmSyiRUQvm-jCFyyipCldVgKgJc7JZjcb-3pSxoCHetueyCYqdQb9Az9ioJpeU

Extracted

Family

djvu

http://tbpws.top/fhsgtsspen6/get.php

http://astdg.top/fhsgtsspen6/get.php

Attributes

extension
.efdc
offline_id
rCmd3j4aykEBx0X7GSZFXZTRaA1p1vOlNlSS59t1
payload_url
http://securebiz.org/dl/build2.exe

http://tbpws.top/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-8FD9fC02w8 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0332gDrgo

rsa_pubkey.plain

Extracted

Family

oski

funkshybrid.com

Extracted

Family

urelas

112.175.88.207

112.175.88.208

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

218.54.30.235

Extracted

Family

darkcomet

Botnet

PlayHard4

michealbr.gotdns.ch:1390

Mutex

DC_MUTEX-AVXET1J

Attributes

gencode
vUp5c9nWJ7oT
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  RNSM00470.7z
- Size
  
  27.7MB
- MD5
  
  c44d7c388a28ea87918b43ad473e8397
- SHA1
  
  5dc3d609248dbcff87e97d42dbe83d11b007c914
- SHA256
  
  727f3139b67cedd9faa333bd9be5d1a46d72a3f8e62d76dd22a8f0e09480f686
- SHA512
  
  92ae685b34942e32552b5cd7c7752e893aa6a1f5d836d78ba291bd4cae87f0d1cfa39eea0a4a4274434cfe28be917183aa2461906d71f80d90bcbe25f6c2b40d
- SSDEEP
  
  786432:22tU3SVeiajy2CU5kPvqKdBtebjkNo/4FVb+G7YAN:DUiVexy2CU5GqnmGG0s
Score

10^/10

44caliber clop darkcomet djvu gandcrab oski urelas playhard4 backdoor credential_access discovery evasion execution infostealer persistence pyinstaller ransomware rat spyware stealer trojan upx
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Modifies WinLogon for persistence
  persistence
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Urelas
  Urelas is a trojan targeting card games.
  trojan urelas
- clop
  Ransomware discovered in early 2019 which has been actively developed since release.
  ransomware clop
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1