General

  • Target

    RNSM00381.7z

  • Size

    28.1MB

  • Sample

    241103-2h8atswerf

  • MD5

    3667f140f7bbda37da8e81d046d35f37

  • SHA1

    599bce003d2b9839e35fd6c35e78337c9af64570

  • SHA256

    e15bf0308cb9c13f03a97d8759162405ffb9a890466ebc39064c39a8f3ae28fe

  • SHA512

    1957b20adaec07691ba9b9b859537b6336269a861f6d5f998bd01d320039c1a48727f41dc2de1769954a022f49442408c1cce5bb4c5294229ff0db09b24fe80c

  • SSDEEP

    786432:WOnL/xGjKfjgrBRFmRO7z1760pOPBNmK+9WiioRfWvgmnY6zbHJ:PvfcTFmRO7h/pOPBNmKdiie36Hp

Malware Config

Extracted

Family

azorult

C2

http://hyperlan.xyz/ynvs2/index.php

Extracted

Family

sodinokibi

Botnet

13

Campaign

981

Decoy

achetrabalhos.com

mercadodelrio.com

circuit-diagramz.com

brunoimmobilier.com

blucamp.com

karelinjames.com

zdrowieszczecin.pl

physio-lang.de

broccolisoep.nl

tieronechic.com

pilotgreen.com

magnetvisual.com

eksperdanismanlik.com

hypogenforensic.com

happycatering.de

grafikstudio-visuell.de

kristianboennelykke.dk

metallbau-hartmann.eu

subyard.com

wasnederland.nl

Attributes
  • net

    true

  • pid

    13

  • prc

    visio

    agntsvc

    steam

    ocautoupds

    dbeng50

    oracle

    excel

    ocssd

    msaccess

    ocomm

    isqlplussvc

    infopath

    wordpa

    synctime

    sqbcoreservice

    xfssvccon

    mydesktopqos

    winword

    mspub

    thunderbird

    powerpnt

    onenote

    tbirdconfig

    dbsnmp

    mydesktopservice

    thebat

    sql

    firefox

    outlook

    encsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    981

  • svc

    veeam

    sql

    svc$

    backup

    memtas

    sophos

    vss

    mepocs

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.auditpayments.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    RQAbWLF6V.AF

Extracted

Family

gandcrab

C2

http://gdcbghvjyqy7jclk.onion.top/

Extracted

Family

sodinokibi

Botnet

$2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

Campaign

3385

Decoy

balticdermatology.lt

liveottelut.com

michaelsmeriglioracing.com

spsshomeworkhelp.com

campus2day.de

madinblack.com

tanciu.com

agence-referencement-naturel-geneve.net

jakekozmor.com

tinkoff-mobayl.ru

myhealth.net.au

maasreusel.nl

pmc-services.de

evergreen-fishing.com

noskierrenteria.com

galleryartfair.com

importardechina.info

trapiantofue.it

tux-espacios.com

ecoledansemulhouse.fr

Attributes
  • net

    true

  • pid

    $2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

  • prc

    thunderbird

    thebat

    msaccess

    mydesktopqos

    ocomm

    ocautoupds

    outlook

    xfssvccon

    wordpad

    encsvc

    excel

    agntsvc

    sql

    winword

    isqlplussvc

    powerpnt

    ocssd

    dbeng50

    synctime

    visio

    sqbcoreservice

    mspub

    tbirdconfig

    steam

    dbsnmp

    onenote

    oracle

    firefox

    infopath

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3385

  • svc

    veeam

    backup

    vss

    sql

    memtas

    svc$

    mepocs

    sophos

Extracted

Family

sodinokibi

Botnet

$2a$10$8hHwQ6UVe38.cdSVLbUA8.ZZ/KtY/JBtxM33mqshGj2Cx91wDr9hS

Campaign

3815

Decoy

mediaplayertest.net

easytrans.com.au

coding-marking.com

fax-payday-loans.com

smogathon.com

digi-talents.com

mrxermon.de

testcoreprohealthuk.com

amylendscrestview.com

pointos.com

dr-seleznev.com

themadbotter.com

12starhd.online

whyinterestingly.ru

answerstest.ru

tradiematepro.com.au

wien-mitte.co.at

liveottelut.com

mercantedifiori.com

waynela.com

Attributes
  • net

    true

  • pid

    $2a$10$8hHwQ6UVe38.cdSVLbUA8.ZZ/KtY/JBtxM33mqshGj2Cx91wDr9hS

  • prc

    mydesktopqos

    dbeng50

    msaccess

    wordpad

    xfssvccon

    ocssd

    thunderbird

    outlook

    oracle

    visio

    tbirdconfig

    sqbcoreservice

    encsvc

    mydesktopservice

    firefox

    synctime

    infopath

    onenote

    thebat

    ocautoupds

    excel

    mspub

    steam

    isqlplussvc

    sql

    ocomm

    agntsvc

    winword

    dbsnmp

    powerpnt

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). ================ WARNING================ We have copied financial files and other important information about personal data. Example: Data from Sources server (172.20.0.60). It will be published on the Internet and will be used against you if you do not pay us, so if you do not want such consequences as customer churn, media coverage and other damages, we recommend you to contact us and pay the ransom. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3815

  • svc

    sophos

    vss

    veeam

    svc$

    backup

    sql

    mepocs

    memtas

Extracted

Family

sodinokibi

Botnet

36

Campaign

2864

Decoy

handyman-silkeborg.dk

sunsolutions.es

operativadigital.com

jmmartinezilustrador.com

finnergo.eu

metriplica.academy

fanuli.com.au

palmecophilippines.com

angelsmirrorus.com

tanatek.com

markseymourphotography.co.uk

gta-jjb.fr

teamsegeln.ch

annenymus.com

liepertgrafikweb.at

terraflair.de

brunoimmobilier.com

spacebel.be

casinodepositors.com

stabilisateur.fr

Attributes
  • net

    true

  • pid

    36

  • prc

    thunderbird

    mydesktopqos

    xfssvccon

    visio

    dbeng50

    outlook

    oracle

    isqlplussvc

    tbirdconfig

    firefox

    ocomm

    sqbcoreservice

    encsvc

    ocautoupds

    winword

    synctime

    excel

    onenote

    powerpnt

    msaccess

    sql

    steam

    mspub

    ocssd

    mydesktopservice

    agntsvc

    wordpad

    thebat

    dbsnmp

    infopath

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2864

  • svc

    veeam

    vss

    svc$

    mepocs

    sql

    backup

    memtas

    sophos

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?A0C155001DD0CB01B3DD0A890028438E This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?A0C155001DD0CB01B3DD0A890028438E

Extracted

Family

djvu

C2

http://ancs.top/ydtftysdtyftysdfsdpen3/get.php

Attributes
  • extension

    .jope

  • offline_id

    K72FcnkdIQC15Y6gSOcshlkpUbvUZNl4zrQFK1t1

  • payload_url

    http://ancs.top/files/penelop/updatewin1.exe

    http://ancs.top/files/penelop/updatewin2.exe

    http://ancs.top/files/penelop/updatewin.exe

    http://ancs.top/files/penelop/3.exe

    http://ancs.top/files/penelop/4.exe

    http://ancs.top/files/penelop/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-SIiUh1jDFZ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0218OIWojlj48

rsa_pubkey.plain

Extracted

Family

asyncrat

Version

0.5.3

Mutex

1990

Attributes
  • delay

    0

  • install

    true

  • install_file

    MozillaUpdate.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/hSbwYxQ2

aes.plain

Targets

    • Target

      RNSM00381.7z

    • Size

      28.1MB

    • MD5

      3667f140f7bbda37da8e81d046d35f37

    • SHA1

      599bce003d2b9839e35fd6c35e78337c9af64570

    • SHA256

      e15bf0308cb9c13f03a97d8759162405ffb9a890466ebc39064c39a8f3ae28fe

    • SHA512

      1957b20adaec07691ba9b9b859537b6336269a861f6d5f998bd01d320039c1a48727f41dc2de1769954a022f49442408c1cce5bb4c5294229ff0db09b24fe80c

    • SSDEEP

      786432:WOnL/xGjKfjgrBRFmRO7z1760pOPBNmK+9WiioRfWvgmnY6zbHJ:PvfcTFmRO7h/pOPBNmKdiie36Hp

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detected Djvu ransomware

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Djvu family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Globeimposter family

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Modifies WinLogon for persistence

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • Sodinokibi/Revil sample

    • AgentTesla payload

    • Contacts a large (7782) number of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies boot configuration data using bcdedit

    • Renames multiple (299) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15