General

  • Target

    RNSM00447.7z

  • Size

    72.5MB

  • Sample

    241015-zp85lawgka

  • MD5

    4fff81f774d59bf0a0e36d77c9516834

  • SHA1

    8438aba49af87ce16619789a0c9b18f0a859d671

  • SHA256

    3d193abb365ce0733cce9bb5428ce125c6db7e4383709129f92aaac198d92128

  • SHA512

    c0ce8f6c491fb3730d3d88add75052bfa6e2c9bf9e6f795995a468783396cd8a76271ebd76ad8f8a0d7dcf90a629f106f86c695ade3ab5ffbee1ff6cbce5a139

  • SSDEEP

    1572864:VsDSyVw8wW7W6luBF46VdHBgT6p0WZvESz+eU3G5Uj+S9bjcGVuMNQ4:uBw8w+4BFVXHBg6phzz+eUunG434

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Path

C:\Users\Admin\Desktop\HOW TO RECOVER ENCRYPTED FILES.TXT

Ransom Note
Your files are now encrypted! Your personal identifier: [removed] All your files have been encrypted due to a security problem with your PC. Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Contact us using this email address: [email protected] If you don't get a reply in 12 hours, then contact us using this email address: [email protected] Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.). Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

corona82.ddns.net:2300

Mutex

5d6783849b66a004f71db5ea93e302ae

Attributes
  • reg_key

    5d6783849b66a004f71db5ea93e302ae

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7b

Mutex

CJRafFcfqdGb

Attributes
  • reg_key

    CJRafFcfqdGb

  • splitter

    &%&%&

Extracted

Path

C:\PerfLogs\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/2d4605bb28163a06 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- [removed] ---END GANDCRAB KEY--- ---BEGIN PC DATA--- [removed] ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/2d4605bb28163a06

Targets

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • Modifies firewall policy service

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover passwords, product keys, etc.

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Renames multiple (232) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks