General
-
Target
RNSM00451.7z
-
Size
100.8MB
-
Sample
241012-wejv6sxdrj
-
MD5
25a26a65430350a0022581102fff29a3
-
SHA1
b272ad0783256581bfd8d8f4ccfb3e94bc11e012
-
SHA256
18c5384ce36acefcb3d0d949ac3de2f701e2e57c3b8c5c854e88e76a429fc931
-
SHA512
f2aa335691a17a08ce1bce135504ececd2360cf25b1ce0ab451a30529ac8dc447279b415b66e57f962e5453a49e79c87f138b0a3d3998d23776d2a3e1d0eab69
-
SSDEEP
1572864:Vi65n/L7luWRrheZg1926N6cQ2DMT8BgOt5BhW6qgWYL+uExniEdiEkg/N:Vd5vluWR1eWa6NN3DM4SOXX0sOHkM
Malware Config
Extracted
crylock
- emails
-
ransomnote
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('<%DOUBLE_DATETIME%>'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('<%UNDECRYPT_DATETIME%>'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be leak after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> Decrypt files? Write to this mails: <font face="monospace" OnClick="copytext('<%MAIN_CONTACT%>')"><b><%MAIN_CONTACT%></b></font> or <font face="monospace" OnClick="copytext ('<[email protected]>')"><b><[email protected]></b></font>. mail <font face="monospace" OnClick="copytext('[email protected]')"><b>[email protected]</b></font>. <br> You unique ID <font face="monospace" OnClick="copytext('[<%HID%>]')"><b>[<%HID%>] <font size="2">[copy]</font></b></font> </div> <div title="Click to copy" OnClick="copytext('[<%HID%>]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [<%HID%>] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('<%MAIN_CONTACT%>')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to <%MAIN_CONTACT%> <font size="2">[copy]</font></b> </div> </body> </html>
Extracted
djvu
http://astdg.top/nddddhsspen6/get.php
-
extension
.gujd
-
offline_id
NcBG8wI6Q1WFhUNlCRyjmrWGeGew2vvCKtJgKot1
-
payload_url
http://securebiz.org/dl/build2.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-mNr1oio2P6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0316ewgfDd
Extracted
redline
terrornax
45.88.3.176:17033
Targets
-
-
Target
RNSM00451.7z
-
Size
100.8MB
-
MD5
25a26a65430350a0022581102fff29a3
-
SHA1
b272ad0783256581bfd8d8f4ccfb3e94bc11e012
-
SHA256
18c5384ce36acefcb3d0d949ac3de2f701e2e57c3b8c5c854e88e76a429fc931
-
SHA512
f2aa335691a17a08ce1bce135504ececd2360cf25b1ce0ab451a30529ac8dc447279b415b66e57f962e5453a49e79c87f138b0a3d3998d23776d2a3e1d0eab69
-
SSDEEP
1572864:Vi65n/L7luWRrheZg1926N6cQ2DMT8BgOt5BhW6qgWYL+uExniEdiEkg/N:Vd5vluWR1eWa6NN3DM4SOXX0sOHkM
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Crylock
Ransomware family, which is a new variant of Cryakl ransomware.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect MafiaWare666 ransomware
-
Detect ZGRat V2
-
Detected Djvu ransomware
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
ZGRat
ZGRat is remote access trojan written in C#.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Cryptocurrency Miner
Makes network request to known mining pool URL.
-
Executes dropped EXE
-
Modifies file permissions
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-