Overview

overview

10

Static

static

1

RNSM00442.7z

windows10-2004-x64

10

Resubmissions

24-10-2024 19:47

241024-yht7essarq 1

24-10-2024 18:46

241024-xey6ja1dng 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00442.7z

  • Size

    88.1MB

  • Sample

    241024-xey6ja1dng

  • MD5

    4b38c460395d00fabeefa4f8ed666f42

  • SHA1

    267f3cec8cb2d370e66b2e38a20e795dd3ac136b

  • SHA256

    637818d66515e2c06402e23fe770314f0776dfa9816c321722d01d36c84eb63e

  • SHA512

    d0e9d0925abfb8a58416ae0764bbce1e0f1cd272e726b7b2bec1db72274a5e9df664e86cb895415c10437c7269831ec7dfe75274b0026431b898d09244dc31c2

  • SSDEEP

    1572864:hodAPPOiNbJytutfKZ6sl/r+iFESVxyFhUCYZxSGzlnrleOjLQ5w0N5L0RA4vz:hTWiNbJA4PAr+i4AfSGxBeOjL8L0Tz

Score
10/10
avaddoncontigandcrabnjratredlinesalitysectopratvanillarat@andomian@vtreqqhackedbackdoordefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistenceransomwareratthemidatrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

corona82.ddns.net:2300

Mutex

5d6783849b66a004f71db5ea93e302ae

Attributes
  • reg_key

    5d6783849b66a004f71db5ea93e302ae

  • splitter

    |'|'|

Extracted

Path

C:\Users\Admin\Desktop\fl6OA_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .CBEEacbDB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mjc1Mi1wb1RmeWRqZGxYYkU3SXJTN0dFakxGZ0JIcEUyd3RlaTQ4WFIzOTlzRHNZUWdmQ0t0L2lRdWZDY29lSmlBYVBTUDczazlYSGFXSXFzU204dnJWdmtOVm0vYndXbDBNN3RpYWdtUCtwOE82MXdnZkMrTHdybHZKQnVVcmphOG9GTllWYThVU1NPZ25ncEZJb3JQUGh2UnVrckFiRDEyQVBNdzJFMXV4b2IwUkxIaFRHbTlzdEovNURydHg3dGh5dVlCbjJIbkdtNkxnVHdrVVdSZFE2VFlmR1hGVXRxaTRWd2tpL1c3SkNQNnMyZXpmcWp5VnBOVmsyYVpmUkdmYVpxN2h1cUovenlBZDFvZXQyUGUxUklBT3BOVGV4TmF3eENyNTYwVEM1bEc3eE55RndtbitGaXBwb3Noa0FoaGZ4S29LK096aGtGc0x4aFQvallJTHZLSXBNTlFzYVhnU0V4d0JCNkZZMW9KU2tqZGhSMmRwaUFSWDlqV2ZJU1dvRVhZZVdKMXZFQTZiaHdXaUhhWUJVeEl2bzBsdHFtZmpyc1h0QklRamhZSTVlK3NLdkp0eFRaKzdtYmxWdU0yTzR4OTVOdlFYakVmU1kwbW1na3dNbEZSR2xjZkl6QTNtTU1uL3lKMTBielV2TTZ3QUUydFhZdjJiZ2dqVEd4cVVxMTRBZ0pLSFpTYWJleS9hZHY2cEpWaWVYR0l3UFdtQStOcVFJdStIcHFxZ2UvaUowZmVaRFBBcUh5d3g5OEh2NTVkdVFQZ0ZmdFlKN1ZLR245bnZ3V3NBY2pjSnVheXkzNnFUdk5yNnVpdjBuVnFuMjB6dmNqYVVxODZ3R0lVeTFGYUxVd2dsSmxLZHN4NnkzTjhIK2pZTWhZNzIva3p3UUtOY3lJcGduVXc0dThCTlpwUFlucnpmKy9jbXlhVnl2RUNvb3pwWXB1OUFpejJmbExRMFpRQXJLUGZDOW1FSDA1WnZJbHNLM1VLSGFZMkQ2MjJZUDl1QnBKbExtSmgrd1dFd25xQUVqSzUvaE9PYzhYNlRZeW5DZkxzanhMWUYzZzZmTEwwaHRKQWxNQk1UNmdwYU1LU2VURFkvMTFoWGo2cXE1Z3Q0d2lyM0xJTXNoa3pqSld4QkJObER2T1VZQ3pnWUZSbDhEcCs3aS9ZckNLTlpjV0kzTGFoS01GeFRmNXB5V3ZIcGZPYWFPaHE2RzN5aE8vWmFOZ0JFREtzOGlxMTNGZXVLalQzQkphazd3YWlEUVA1WndoaTdCZWZwVCtkblgydXVERXhmQ1hUQitqUDduVmdYRVpQLzM5Q0MwelhXdzBmczI0b3VSaE5lN0FmdXRkT0xBY2Q4Vkx3TEVJT083RTVMNDFFNitGcFRwUWRHL212R2hMZXE0N3VMeW5LNWVodWZjT2JnVXVtbTk4eWhQRWQvWUNtQnZLWmlKKy9sMHU2ZDhuR0NxWUxLT09xaHRLcGpSSEdQM0MvbHhxN3had0xVVnN0RDNMbWwyWUpoZ0wrdDVxc3U0Rk81bDZKWHRIYmVYajVZU0R5M05odUZ3NHJ6S1ZTUGNuMVpwVXhTWDRhYkw0SWE3cUxENCsyZ2ZJSExYeWNpaDFRSStmUk9pb3VyRGJXUEpmY3BnZm9MRFRtbWhUcTV3emhRYXZrRkh6L2RNU29BQ0p6YTN4VGtCQmVwSGNMRURzZGFKeUpUNWRkRTdIVDd5VWpSSXJjM281cTJYS2g4ZlhkczFXMldpVnlwci9iL09rRkpXdnA3Q080eUlPeFF5S0lXMk9BZmRoaFNHeUEvY203N2JycytkVHpTSTdGMmVoS0FHc1dES3o0elNqbVZWd2tjYm9vZ0dJeXdYSTlwWnQzN0VMRmhqQmNkUGFtWFBnSHd0TUcxL3RYOWxhUXNXUUFoQ3FidXh2aGNWdlZ6TGV1ODNvZHJvNS9ETXdsK2tMdzYrSStBcThvU05EQTJORnJtZXJvVWFGTDJFd3VRTE00WHVlU3dISFR5OTJKUSt6MG5wb3dmaGhsemNLV3lCZkRLaW8rNFpIUm90dm10bVcxUnFwNnlzdzdxWHRJVE9pRlNCZUpPVzZwaTBXMGEvU243Tk1oWFBaNEt1TFhrNEhreUdIanNxeDJwNHB4ZEtDY1c0TUY2T2FPdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * iMv0p3ja0EuKj
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\fl6OA_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .CBEEacbDB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mjc1Mi1wb1RmeWRqZGxYYkU3SXJTN0dFakxGZ0JIcEUyd3RlaTQ4WFIzOTlzRHNZUWdmQ0t0L2lRdWZDY29lSmlBYVBTUDczazlYSGFXSXFzU204dnJWdmtOVm0vYndXbDBNN3RpYWdtUCtwOE82MXdnZkMrTHdybHZKQnVVcmphOG9GTllWYThVU1NPZ25ncEZJb3JQUGh2UnVrckFiRDEyQVBNdzJFMXV4b2IwUkxIaFRHbTlzdEovNURydHg3dGh5dVlCbjJIbkdtNkxnVHdrVVdSZFE2VFlmR1hGVXRxaTRWd2tpL1c3SkNQNnMyZXpmcWp5VnBOVmsyYVpmUkdmYVpxN2h1cUovenlBZDFvZXQyUGUxUklBT3BOVGV4TmF3eENyNTYwVEM1bEc3eE55RndtbitGaXBwb3Noa0FoaGZ4S29LK096aGtGc0x4aFQvallJTHZLSXBNTlFzYVhnU0V4d0JCNkZZMW9KU2tqZGhSMmRwaUFSWDlqV2ZJU1dvRVhZZVdKMXZFQTZiaHdXaUhhWUJVeEl2bzBsdHFtZmpyc1h0QklRamhZSTVlK3NLdkp0eFRaKzdtYmxWdU0yTzR4OTVOdlFYakVmU1kwbW1na3dNbEZSR2xjZkl6QTNtTU1uL3lKMTBielV2TTZ3QUUydFhZdjJiZ2dqVEd4cVVxMTRBZ0pLSFpTYWJleS9hZHY2cEpWaWVYR0l3UFdtQStOcVFJdStIcHFxZ2UvaUowZmVaRFBBcUh5d3g5OEh2NTVkdVFQZ0ZmdFlKN1ZLR245bnZ3V3NBY2pjSnVheXkzNnFUdk5yNnVpdjBuVnFuMjB6dmNqYVVxODZ3R0lVeTFGYUxVd2dsSmxLZHN4NnkzTjhIK2pZTWhZNzIva3p3UUtOY3lJcGduVXc0dThCTlpwUFlucnpmKy9jbXlhVnl2RUNvb3pwWXB1OUFpejJmbExRMFpRQXJLUGZDOW1FSDA1WnZJbHNLM1VLSGFZMkQ2MjJZUDl1QnBKbExtSmgrd1dFd25xQUVqSzUvaE9PYzhYNlRZeW5DZkxzanhMWUYzZzZmTEwwaHRKQWxNQk1UNmdwYU1LU2VURFkvMTFoWGo2cXE1Z3Q0d2lyM0xJTXNoa3pqSld4QkJObER2T1VZQ3pnWUZSbDhEcCs3aS9ZckNLTlpjV0kzTGFoS01GeFRmNXB5V3ZIcGZPYWFPaHE2RzN5aE8vWmFOZ0JFREtzOGlxMTNGZXVLalQzQkphazd3YWlEUVA1WndoaTdCZWZwVCtkblgydXVERXhmQ1hUQitqUDduVmdYRVpQLzM5Q0MwelhXdzBmczI0b3VSaE5lN0FmdXRkT0xBY2Q4Vkx3TEVJT083RTVMNDFFNitGcFRwUWRHL212R2hMZXE0N3VMeW5LNWVodWZjT2JnVXVtbTk4eWhQRWQvWUNtQnZLWmlKKy9sMHU2ZDhuR0NxWUxLT09xaHRLcGpSSEdQM0MvbHhxN3had0xVVnN0RDNMbWwyWUpoZ0wrdDVxc3U0Rk81bDZKWHRIYmVYajVZU0R5M05odUZ3NHJ6S1ZTUGNuMVpwVXhTWDRhYkw0SWE3cUxENCsyZ2ZJSExYeWNpaDFRSStmUk9pb3VyRGJXUEpmY3BnZm9MRFRtbWhUcTV3emhRYXZrRkh6L2RNU29BQ0p6YTN4VGtCQmVwSGNMRURzZGFKeUpUNWRkRTdIVDd5VWpSSXJjM281cTJYS2g4ZlhkczFXMldpVnlwci9iL09rRkpXdnA3Q080eUlPeFF5S0lXMk9BZmRoaFNHeUEvY203N2JycytkVHpTSTdGMmVoS0FHc1dES3o0elNqbVZWd2tjYm9vZ0dJeXdYSTlwWnQzN0VMRmhqQmNkUGFtWFBnSHd0TUcxL3RYOWxhUXNXUUFoQ3FidXh2aGNWdlZ6TGV1ODNvZHJvNS9ETXdsK2tMdzYrSStBcThvU05EQTJORnJtZXJvVWFGTDJFd3VRTE00WHVlU3dISFR5OTJKUSt6MG5wb3dmaGhsemNLV3lCZkRLaW8rNFpIUm90dm10bVcxUnFwNnlzdzdxWHRJVE9pRlNCZUpPVzZwaTBXMGEvU243Tk1oWFBaNEt1TFhrNEhreUdIanNxeDJwNHB4ZEtDY1c0TUY2T2FPdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 4UWr9FWNqqctbCMc
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\fl6OA_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .CBEEacbDB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mjc1Mi1wb1RmeWRqZGxYYkU3SXJTN0dFakxGZ0JIcEUyd3RlaTQ4WFIzOTlzRHNZUWdmQ0t0L2lRdWZDY29lSmlBYVBTUDczazlYSGFXSXFzU204dnJWdmtOVm0vYndXbDBNN3RpYWdtUCtwOE82MXdnZkMrTHdybHZKQnVVcmphOG9GTllWYThVU1NPZ25ncEZJb3JQUGh2UnVrckFiRDEyQVBNdzJFMXV4b2IwUkxIaFRHbTlzdEovNURydHg3dGh5dVlCbjJIbkdtNkxnVHdrVVdSZFE2VFlmR1hGVXRxaTRWd2tpL1c3SkNQNnMyZXpmcWp5VnBOVmsyYVpmUkdmYVpxN2h1cUovenlBZDFvZXQyUGUxUklBT3BOVGV4TmF3eENyNTYwVEM1bEc3eE55RndtbitGaXBwb3Noa0FoaGZ4S29LK096aGtGc0x4aFQvallJTHZLSXBNTlFzYVhnU0V4d0JCNkZZMW9KU2tqZGhSMmRwaUFSWDlqV2ZJU1dvRVhZZVdKMXZFQTZiaHdXaUhhWUJVeEl2bzBsdHFtZmpyc1h0QklRamhZSTVlK3NLdkp0eFRaKzdtYmxWdU0yTzR4OTVOdlFYakVmU1kwbW1na3dNbEZSR2xjZkl6QTNtTU1uL3lKMTBielV2TTZ3QUUydFhZdjJiZ2dqVEd4cVVxMTRBZ0pLSFpTYWJleS9hZHY2cEpWaWVYR0l3UFdtQStOcVFJdStIcHFxZ2UvaUowZmVaRFBBcUh5d3g5OEh2NTVkdVFQZ0ZmdFlKN1ZLR245bnZ3V3NBY2pjSnVheXkzNnFUdk5yNnVpdjBuVnFuMjB6dmNqYVVxODZ3R0lVeTFGYUxVd2dsSmxLZHN4NnkzTjhIK2pZTWhZNzIva3p3UUtOY3lJcGduVXc0dThCTlpwUFlucnpmKy9jbXlhVnl2RUNvb3pwWXB1OUFpejJmbExRMFpRQXJLUGZDOW1FSDA1WnZJbHNLM1VLSGFZMkQ2MjJZUDl1QnBKbExtSmgrd1dFd25xQUVqSzUvaE9PYzhYNlRZeW5DZkxzanhMWUYzZzZmTEwwaHRKQWxNQk1UNmdwYU1LU2VURFkvMTFoWGo2cXE1Z3Q0d2lyM0xJTXNoa3pqSld4QkJObER2T1VZQ3pnWUZSbDhEcCs3aS9ZckNLTlpjV0kzTGFoS01GeFRmNXB5V3ZIcGZPYWFPaHE2RzN5aE8vWmFOZ0JFREtzOGlxMTNGZXVLalQzQkphazd3YWlEUVA1WndoaTdCZWZwVCtkblgydXVERXhmQ1hUQitqUDduVmdYRVpQLzM5Q0MwelhXdzBmczI0b3VSaE5lN0FmdXRkT0xBY2Q4Vkx3TEVJT083RTVMNDFFNitGcFRwUWRHL212R2hMZXE0N3VMeW5LNWVodWZjT2JnVXVtbTk4eWhQRWQvWUNtQnZLWmlKKy9sMHU2ZDhuR0NxWUxLT09xaHRLcGpSSEdQM0MvbHhxN3had0xVVnN0RDNMbWwyWUpoZ0wrdDVxc3U0Rk81bDZKWHRIYmVYajVZU0R5M05odUZ3NHJ6S1ZTUGNuMVpwVXhTWDRhYkw0SWE3cUxENCsyZ2ZJSExYeWNpaDFRSStmUk9pb3VyRGJXUEpmY3BnZm9MRFRtbWhUcTV3emhRYXZrRkh6L2RNU29BQ0p6YTN4VGtCQmVwSGNMRURzZGFKeUpUNWRkRTdIVDd5VWpSSXJjM281cTJYS2g4ZlhkczFXMldpVnlwci9iL09rRkpXdnA3Q080eUlPeFF5S0lXMk9BZmRoaFNHeUEvY203N2JycytkVHpTSTdGMmVoS0FHc1dES3o0elNqbVZWd2tjYm9vZ0dJeXdYSTlwWnQzN0VMRmhqQmNkUGFtWFBnSHd0TUcxL3RYOWxhUXNXUUFoQ3FidXh2aGNWdlZ6TGV1ODNvZHJvNS9ETXdsK2tMdzYrSStBcThvU05EQTJORnJtZXJvVWFGTDJFd3VRTE00WHVlU3dISFR5OTJKUSt6MG5wb3dmaGhsemNLV3lCZkRLaW8rNFpIUm90dm10bVcxUnFwNnlzdzdxWHRJVE9pRlNCZUpPVzZwaTBXMGEvU243Tk1oWFBaNEt1TFhrNEhreUdIanNxeDJwNHB4ZEtDY1c0TUY2T2FPdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * R77DywJhgSKyycUesaWH
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\files\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- G4PMVfIBxgsnelGeS0mBvtfbEvUCYmpZ2VShKSUoprVbEMDHo8DY9awWXGmamIY3 ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Extracted

Family

redline

Botnet

@andomian

C2

45.81.227.32:22625

Extracted

Family

redline

Botnet

@vtreqq

C2

45.81.227.32:22625

Extracted

Path

C:\Apache\GATE\GATE\GATE\GATE\GATE\GATE\GATE\GATE\GATE\!!FAQ for Decryption!!.txt

Ransom Note
Good day. All your files are encrypted. For decryption contact us. Write here [email protected] reserve [email protected] jabber [email protected] We also inform that your databases, ftp server and file server were downloaded by us to our servers. If we do not receive a message from you within three days, we regard this as a refusal to negotiate. Check our platform: http://cuba4mp6ximo2zlo.onion/ * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Do not stop process of encryption, because partial encryption cannot be decrypted.
URLs

http://cuba4mp6ximo2zlo.onion/

Targets

    • Target

      RNSM00442.7z

    • Size

      88.1MB

    • MD5

      4b38c460395d00fabeefa4f8ed666f42

    • SHA1

      267f3cec8cb2d370e66b2e38a20e795dd3ac136b

    • SHA256

      637818d66515e2c06402e23fe770314f0776dfa9816c321722d01d36c84eb63e

    • SHA512

      d0e9d0925abfb8a58416ae0764bbce1e0f1cd272e726b7b2bec1db72274a5e9df664e86cb895415c10437c7269831ec7dfe75274b0026431b898d09244dc31c2

    • SSDEEP

      1572864:hodAPPOiNbJytutfKZ6sl/r+iFESVxyFhUCYZxSGzlnrleOjLQ5w0N5L0RA4vz:hTWiNbJA4PAr+i4AfSGxBeOjL8L0Tz

    Score
    10/10
    avaddoncontigandcrabnjratredlinesalitysectopratvanillarat@andomian@vtreqqhackedbackdoordefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistenceransomwareratthemidatrojanupx

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

      ransomwareavaddon

    • Avaddon payload

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

      ransomwareconti

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

      ransomwarebackdoorgandcrab

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • VanillaRat

      VanillaRat is an advanced remote administration tool coded in C#.

      ratvanillarat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

    • Vanilla Rat payload

      rat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Indicator Removal: Clear Persistence

      Clear artifacts associated with previously established persistence like scheduletasks on a host.

      defense_evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

File and Directory Permissions Modification

1
T1222

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

3
T1070

Clear Persistence

1
T1070.009

File Deletion

2
T1070.004

Modify Registry

3
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Tasks