General

  • Target

    RNSM00453.7z

  • Size

    124.4MB

  • Sample

    241012-v4dvsasdkg

  • MD5

    476f712361418b566450de6542746a33

  • SHA1

    ecb5554071fdbed5fc9ce8bf4c7f05377864e8c4

  • SHA256

    7b09cbca6d171aa7f46ae5abd6830f16f29b20ec26021b5d45ee8e51747e2141

  • SHA512

    3513bff42f8b0de2138512e8bff1e44f721816d8130c4a7030095097770d8bf2bc910e65c7aab6bd3ebfd6b9d4164b0cb18e1849f1bcda855f1b36102364e03b

  • SSDEEP

    3145728:k2k+SMixLEhqcaA6zSP0aoZpjvQ/qFISVBueFYVkcItr7SFy:k2k+SMQKqccSP+pzwqFIcFS01SFy

Malware Config

Extracted

Family

djvu

C2

http://astdg.top/nddddhsspen6/get.php

Attributes
  • extension

    .gujd

  • offline_id

    NcBG8wI6Q1WFhUNlCRyjmrWGeGew2vvCKtJgKot1

  • payload_url

    http://securebiz.org/dl/build2.exe

  • ransomnote

    ATTENTION!
    Don't worry, you can return all your files!
    All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files.
    What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information.
    You can get and look video overview decrypt tool: https://we.tl/t-mNr1oio2P6
    Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490.
    Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
    To get this software you need write on our e-mail: [email protected]
    Reserve e-mail address to contact us: [email protected]
    Your personal ID: 0316ewgfDd

rsa_pubkey.plain

Extracted

Family

nanocore

Version

1.2.2.0

C2

62.109.11.164:2346

Mutex

7b5cc397-d08c-4533-acb0-e661fb0000dd

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    62.109.11.164

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-08-30T06:50:10.862172036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2346

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    29994

  • keyboard_logging

    true

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    7b5cc397-d08c-4533-acb0-e661fb0000dd

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    62.109.11.164

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
HTTPS VERSION : https://contirecovery.xyz/
YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
k8YFPCgpUPCstbXQJ5w7yn7BMwdjIJirvjxMNOUny5INNUgHXGYkhd42AvbcUC3B
---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

90cdc4299e3838b5249c33e1c7a2dd25

Attributes
  • reg_key

    90cdc4299e3838b5249c33e1c7a2dd25

  • splitter

    |'|'|

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

192.168.1.2:4444

Mutex

b2ec2a58-c128-4e0f-a41e-e57162b3d7ff

Attributes
  • encryption_key

    1D5CDB2FA3BC76D3356F72927A44B5934F473655

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

redline

Botnet

terrornax

C2

45.88.3.176:17033

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1833231669:AAGi09Fqux60ktahLhT8D677G7uISE3okog/sendDocument

Extracted

Path

C:\Users\Public\Pictures\recover.txt

Ransom Note
!!! IMPORTANT INFORMATION !!!
All your files are encrypted. Decrypting of your files is only possible with the private key, which is on our secret server.
To receive your private key follow one of the links:
1. http://s3clm4lufbmfhmeb.tor2web.org/?id=AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ%3d%3d
2. http://s3clm4lufbmfhmeb.onion.to/?id=AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ%3d%3d
3. http://s3clm4lufbmfhmeb.onion.cab/?id=AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ%3d%3d
4. http://s3clm4lufbmfhmeb.onion.link/?id=AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ%3d%3d
If all addresses are not available, follow these steps:
1. Download and install Tor Browser: https://torproject.org/download/download-easy.html
2. After successfull installation, run the browser and wait for initialization.
3. Type in the address bar: s3clm4lufbmfhmeb.onion/?id=AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ%3d%3d
4. Follow the instructions on the site.
!!! Your personal identification ID: AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ== !!!
URLs

http://s3clm4lufbmfhmeb.tor2web.org/?id=AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ%3d%3d

http://s3clm4lufbmfhmeb.onion.to/?id=AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ%3d%3d

http://s3clm4lufbmfhmeb.onion.cab/?id=AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ%3d%3d

http://s3clm4lufbmfhmeb.onion.link/?id=AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ%3d%3d

http://s3clm4lufbmfhmeb.onion/?id=AstHzPrd62I6AQzATGyQGSXmFuQmbxiPPgl4bd32t4kfdQ%3d%3d

Extracted

Path

C:\yunbox\driver\_readme.txt

Family

djvu

Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files.
What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool: https://we.tl/t-mNr1oio2P6
Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail: [email protected]
Reserve e-mail address to contact us: [email protected]
Your personal ID: 0316ewgfDd
URLs

https://we.tl/t-mNr1oio2P6

Extracted

Family

latentbot

C2

hhhhhhhhhhq1.zapto.org

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Detect ZGRat V2

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • AgentTesla payload

    • Clears Windows event logs

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified UPX.

MITRE ATT&CK Enterprise v15

Tasks