General

  • Target

    RNSM00426.7z

  • Size

    17.3MB

  • Sample

    241027-takkssxjgt

  • MD5

    8cf2c7d415775b5196246520c2b59271

  • SHA1

    82ef631a57e81daf3bb2e417eab8da6430ad20dc

  • SHA256

    5eac949abc1ffef1ef1674274a591d10ba4007bd56162cc0c5bb43a99644506d

  • SHA512

    cbd349f83deaaea2c0774e51eefc6863e3a0845f2e93b829c797e845c9852f5fd82922e7d6308322dd22b92d08cf9d4c166f6ee09eb04b024f85da7cbdba8ce1

  • SSDEEP

    393216:4Y+JuAQ92vSTTF6Bmbm6+f90VZ5WT1J0o5ji7XyB1lczJ:WJOwGoBymJfY5WT1J0ayqjcl

Malware Config

Extracted

Family

crimsonrat

C2

172.245.87.12

Extracted

Path

C:\Users\Admin\Desktop\HOW-TO-DECRYPT-4lrb9.txt

Ransom Note
[+] What happened? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.4lrb9 By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! - Download and install TOR browser from this site: hxxps://torproject.org/ - Open our website: hxxp://5lyi3c7x3ioakru4.onion - Follow the on-screen instructions Extension name: *.4lrb9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere. !!! !!! !!!

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: C6C-677-A9C Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      RNSM00426.7z

    • Size

      17.3MB

    • MD5

      8cf2c7d415775b5196246520c2b59271

    • SHA1

      82ef631a57e81daf3bb2e417eab8da6430ad20dc

    • SHA256

      5eac949abc1ffef1ef1674274a591d10ba4007bd56162cc0c5bb43a99644506d

    • SHA512

      cbd349f83deaaea2c0774e51eefc6863e3a0845f2e93b829c797e845c9852f5fd82922e7d6308322dd22b92d08cf9d4c166f6ee09eb04b024f85da7cbdba8ce1

    • SSDEEP

      393216:4Y+JuAQ92vSTTF6Bmbm6+f90VZ5WT1J0o5ji7XyB1lczJ:WJOwGoBymJfY5WT1J0ayqjcl

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Buran family

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Crimsonrat family

    • Detects Zeppelin payload

    • Hades Ransomware

      Ransomware family attributed to Evil Corp APT first seen in late 2020.

    • Hades family

    • Hades payload

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • Modiloader family

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • VashSorena Golang binary

    • VashSorena Ransomware

      Ransomware family with multiple versions/spinoffs. Decryption of files is generally possible without paying the ransom.

    • Vashsorena family

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Zeppelin family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • ModiLoader Second Stage

    • Renames multiple (163) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks