General

  • Target

    RNSM00416.7z

  • Size

    63.5MB

  • Sample

    241028-t2qk5a1nhn

  • MD5

    9ad7acd12fdb6f4987085f017b1ed245

  • SHA1

    3886b70681b87a8121485ae50885bc14b0f4651c

  • SHA256

    9d2dc1dd809d37660de03488b05b4705e23b8cb04b9fd1cc1eb8c50943d8b9fb

  • SHA512

    8364d22160cc3374fb912d59ce5cea2056b2f530e5693f636d3f30211b544e135f3b7eb5d59d76b955b390009d3203c4b771bbc0c295917c32e4402fed3a18eb

  • SSDEEP

    1572864:NO+mdGZyLbosBDD8TFs9eC1O5qMQCBp2ZB22mi:s7boW85IP10qNyrRi

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    21011997

Extracted

Family

azorult

C2

http://javiermar2.temp.swtest.ru/index.php

Extracted

Path

C:\Users\Admin\README.f875121f.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] ------------->

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.

Data leak
----------------------------------------------
First of all we have uploaded more then 90 GB data.

These files include:
Finance data
Insurance data
Buchgalting Data
Banking data and details, bank contracts, creditors info
Much personal data
Marketing data
Production, Technik data
Email conversations dump
and more others.

All documents are fresh (last 365 days) and stored on our offline servers.
All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement.

Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
On the page you will find examples of files that have been stolen.
The data is preloaded and will be automatically published if you do not pay.
After publication, your data will be available for at least 6 months on our tor cdn servers.

We are ready:
- To provide you the evidence of stolen data
- To delete all the stolen data.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.

How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

When you open our website, put the following data in the input form:
Key:

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Extracted

Path

C:\Program Files\Instructions for recovery FILES.TXT

Ransom Note
Your files are now encrypted!

Your personal identifier:
pAQAAAAAAAAeOqEnHZP=90UkCAN=EazcjvGMwvFb8lg=lE7UqInhZdybS9otvfXb3Xit3RabpFTtrVW8PMKrnMOfr2Nqe6akOR9w
Koxjfcd+2mUNrqShgKLoi1V9ZrAy5fY7Gx2en02=yaNdgTPmt69noT0x4mSuXc3l9AdlhY=WpPTILLT+eL2e71NFMtSx6apG+1M8
B2f8KOlugx+w8bhlaUoVxklf=qdNCQAvIWPI6nm3Pgaf=flaZz11nYMFQtQPvGdTq0kHLlC9L3POIb6hiwLGiBRi=4LXw4k=Xn5p
21oe26GlT7wEajGX2oKqYad=Wdl4mdaWPQcR2oC6B+qEZLDAF8uW8=W4ofnZowRw4JW5U8CmkuaFBpm3nD30zso35xHiXG3BVJqx
efnFfdnO1HuChj9m8LHcyYD+RTBxEC4u0=IRSDRkhIDZYl5BUryDjtKE4PYoraOGSdFE86Dbh+qusl8D57naHwFFyDAI7SCwBDWd
1y4EKcWJZ+V36ARMI5TAJH3JdiEc0P5PM4ZzoLNwZFv5xWN7Sc0glEpPkJUN4+1GTQTdIQgswWf4Ed=6=ZEOGc42x6Ickbi4GK1K
8EuubBU5QnXfoekFdzDN6V0TTD+EEjAgqfJq7g3OsSSgo0nHHjAS+BQsOIOX8ILvk7eizXUbRikZMOK9yYVs4qqIIbPOGfFZDZ3B
sWVBKO5Z1Iu4nKzswAF1nTi4WXC0BjOD8aSLjWbYQbYTBlGHxB3EOxcsmJggDB6YG72GpjDLFBhISWJNT4LD6pHYja0JTY8=IIuL
xHkY6BEUKSfq9CQDu84K6F61hxr0vmBxlG+snDuvBj3+Pk

All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address:
[email protected] (priority)
[email protected] (alternative)

An answer can be mark as spam

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).

How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price: https://localbitcoins.com/buy_bitcoins
* Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\Users\Admin\3D Objects\HOW-TO-DECRYPT-kgkq9.txt

Ransom Note
[+] What happened? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.kgkq9
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

Using a TOR browser!
- Download and install TOR browser from this site: hxxps://torproject.org/
- Open our website: hxxp://m6s6axasulxjkhzh.onion
- Follow the on-screen instructions

Extension name: *.kgkq9

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere.
!!! !!! !!!
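
The three notes above carry the indicators an analyst actually needs to share (onion hosts, contact mailboxes, the appended extension, the victim identifier the operator wants echoed back), buried in free text. The script below, added here as an example and not part of the sandbox's own tooling, pulls those out of a note and defangs the URLs for tickets. The note texts in it are constructed, abbreviated stand-ins for the extracted notes; the two contact mailboxes are hypothetical because the report masks them, and the 48-character identifier is truncated from the second note.

```python
"""Pull shareable IOCs out of ransom notes dropped by a sample.

Added example for this report, not the sandbox's own code. The three note
texts below are constructed, abbreviated stand-ins for the notes extracted
above; the contact mailboxes are hypothetical, because the report masks them.
"""
import re
from typing import Dict, List

# Tor v2 (16-char) and v3 (56-char) onion hostnames, with a real or defanged
# (hxxp) scheme, optionally followed by a path.
ONION_RE = re.compile(r"\bh(?:tt|xx)ps?://(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:/\S*)?", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# The appended extension as the notes spell it ("extension *.kgkq9").
EXT_RE = re.compile(r"\*\.([A-Za-z0-9]{2,12})\b")
# Victim identifiers the operator wants echoed back ("Your personal
# identifier: <blob>", "Key: <blob>"): long runs of base64-like characters.
IDENT_RE = re.compile(r"(?:personal identifier|Key):\s*([A-Za-z0-9+/=_-]{32,})")
# Family attribution only where a note carries an unambiguous banner.
FAMILY_MARKERS = {"darkside": re.compile(r"\[\s*Welcome to DarkSide\s*\]")}


def refang(url: str) -> str:
    """Normalise hxxp(s) back to http(s) so URLs compare equal across notes."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket: hxxp scheme and [.]onion."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".onion", "[.]onion")


def _unique(items) -> List[str]:
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_iocs(note: str) -> Dict[str, object]:
    """Return family hint, onion URLs (clean and defanged), e-mails, extensions, IDs."""
    onions = _unique(refang(m.group(0)) for m in ONION_RE.finditer(note))
    family = next((name for name, rx in FAMILY_MARKERS.items() if rx.search(note)), "unknown")
    return {
        "family": family,
        "onion_urls": onions,
        "onion_urls_defanged": [defang(u) for u in onions],
        "emails": _unique(EMAIL_RE.findall(note)),
        "extensions": _unique(e.lower() for e in EXT_RE.findall(note)),
        "identifiers": _unique(IDENT_RE.findall(note)),
    }


# Constructed, abbreviated stand-ins for the three notes in the report.
DARKSIDE_NOTE = """----------- [ Welcome to DarkSide ] ------------->
Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
When you open our website, put the following data in the input form:
Key:
!!! DANGER !!!
"""
# Mailboxes are hypothetical (the report masks them); the identifier is truncated.
EMAIL_NOTE = """Your files are now encrypted!
Your personal identifier:
pAQAAAAAAAAeOqEnHZP=90UkCAN=EazcjvGMwvFb8lg=lE7U
Contact us using this email address:
decrypt@example.com (priority)
decrypt-backup@example.org (alternative)
"""
TOR_NOTE = """[+] What happened? [+]
You can check it: all files on you computer has extension *.kgkq9
- Open our website: hxxp://m6s6axasulxjkhzh.onion
Extension name: *.kgkq9
"""

if __name__ == "__main__":
    for note in (DARKSIDE_NOTE, EMAIL_NOTE, TOR_NOTE):
        print(extract_iocs(note))
```

The extractor keeps the clean URL for matching against the URLs section and proxy logs, and the defanged form for anything that leaves the analysis host; family attribution is deliberately limited to the DarkSide banner, because the other two notes are not attributed on this page.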

Targets

    • Target

      RNSM00416.7z

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Darkside family

    • Disables service(s)

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies firewall policy service

    • Modifies visibility of hidden/system files in Explorer

    • Modiloader family

    • CryptOne packer

      Detects the CryptOne packer as described in the NCC Group blog post.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ModiLoader Second Stage

    • Renames multiple (213) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Runs a powershell.exe command.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
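
Most of the signatures listed above are keyed on a handful of registry paths, command lines and file-rename patterns. The script below, added here as an example and not the sandbox's own rule engine, re-derives them from a raw event trace so the reader can see what each signature name actually asserts. The registry paths and commands in the rules are the ones these behaviours are commonly keyed on (an assumption about how the sandbox defines them, not something the report states), and the EVENTS trace is constructed, not data from this analysis.

```python
"""Re-derive the behavioural signatures above from raw sandbox events.

Added example for this report, not the sandbox's own rule engine. The rules
encode the registry paths and command lines these signatures are commonly
keyed on; the EVENTS list is a constructed, abbreviated trace.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Registry rules: (signature, operation, regex over the full key/value path).
REGISTRY_RULES = [
    ("Adds Run key to start application", "set",
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"),
    ("Sets desktop wallpaper using registry", "set",
     r"\\Control Panel\\Desktop\\Wallpaper$"),
    ("Identifies VirtualBox via ACPI registry values", "query",
     r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__"),
    ("Identifies Wine through registry keys", "query", r"\\Software\\Wine(?:$|\\)"),
    ("Checks computer location settings", "query",
     r"\\Control Panel\\International\\Geo\\Nation$"),
    ("Checks installed software on the system", "query",
     r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\"),
]
# Process rules: (signature, regex over the command line).
PROCESS_RULES = [
    ("Deletes shadow copies",
     r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    ("Impair Defenses: Safe Mode Boot", r"bcdedit(?:\.exe)?\s.*safeboot"),
    ("Command and Scripting Interpreter: PowerShell", r"(?:^|\\)powershell(?:\.exe)?\b"),
]
RENAME_THRESHOLD = 3  # a real engine uses a higher bar; kept low for the short trace


def added_extension(src: str, dst: str) -> Optional[str]:
    """Extension appended by a rename, or None if the name changed some other way."""
    if dst.lower().startswith(src.lower() + "."):
        ext = dst[len(src) + 1:]
        if re.fullmatch(r"[A-Za-z0-9_-]{1,16}", ext):
            return ext.lower()
    return None


def evaluate(events: List[dict]) -> Dict[str, List[str]]:
    """Map every fired signature to the evidence (paths/command lines) behind it."""
    hits: Dict[str, List[str]] = defaultdict(list)
    renamed: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev["type"] == "registry":
            for name, op, pattern in REGISTRY_RULES:
                if ev["op"] == op and re.search(pattern, ev["path"], re.I):
                    hits[name].append(ev["path"])
        elif ev["type"] == "process":
            for name, pattern in PROCESS_RULES:
                if re.search(pattern, ev["cmdline"], re.I):
                    hits[name].append(ev["cmdline"])
        elif ev["type"] == "file" and ev["op"] == "rename":
            ext = added_extension(ev["src"], ev["dst"])
            if ext:
                renamed[ext] += 1
    # The sandbox reports the count in the signature name itself.
    for ext, count in renamed.items():
        if count >= RENAME_THRESHOLD:
            hits[f"Renames multiple ({count}) files with added filename extension"].append(f"*.{ext}")
    return dict(hits)


# Constructed trace (not from the report): a short ransomware-style run.
EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "cmdline": "bcdedit /set {default} safeboot network"},
    {"type": "process", "cmdline": "powershell.exe -nop -w hidden -c Get-Date"},
    {"type": "registry", "op": "set", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "registry", "op": "set", "path": "HKCU\\Control Panel\\Desktop\\Wallpaper"},
    {"type": "registry", "op": "query", "path": "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"},
    {"type": "registry", "op": "query", "path": "HKCU\\Control Panel\\International\\Geo\\Nation"},
    {"type": "registry", "op": "query", "path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip"},
    {"type": "registry", "op": "query", "path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName"},
    {"type": "file", "op": "rename", "src": "C:\\Users\\Admin\\Documents\\budget.xlsx", "dst": "C:\\Users\\Admin\\Documents\\budget.xlsx.kgkq9"},
    {"type": "file", "op": "rename", "src": "C:\\Users\\Admin\\Documents\\plan.docx", "dst": "C:\\Users\\Admin\\Documents\\plan.docx.kgkq9"},
    {"type": "file", "op": "rename", "src": "C:\\Users\\Admin\\Pictures\\cat.jpg", "dst": "C:\\Users\\Admin\\Pictures\\cat.jpg.kgkq9"},
    {"type": "file", "op": "rename", "src": "C:\\Users\\Admin\\3D Objects\\part.stl", "dst": "C:\\Users\\Admin\\3D Objects\\part.stl.kgkq9"},
    {"type": "file", "op": "rename", "src": "C:\\Users\\Admin\\Desktop\\draft.txt", "dst": "C:\\Users\\Admin\\Desktop\\final.txt"},
]

if __name__ == "__main__":
    for sig, evidence in evaluate(EVENTS).items():
        print(f"{sig}: {evidence}")
```

Two things the trace makes visible that the flat signature list does not: a single benign-looking registry read (the ProductName query) fires nothing, and the rename signature is a count over one appended extension, which is why a note naming *.kgkq9 and a "Renames multiple (213) files" hit corroborate each other.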

MITRE ATT&CK Enterprise v15
