General
-
Target
RNSM00381.7z
-
Size
28.1MB
-
Sample
241103-2h8atswerf
-
MD5
3667f140f7bbda37da8e81d046d35f37
-
SHA1
599bce003d2b9839e35fd6c35e78337c9af64570
-
SHA256
e15bf0308cb9c13f03a97d8759162405ffb9a890466ebc39064c39a8f3ae28fe
-
SHA512
1957b20adaec07691ba9b9b859537b6336269a861f6d5f998bd01d320039c1a48727f41dc2de1769954a022f49442408c1cce5bb4c5294229ff0db09b24fe80c
-
SSDEEP
786432:WOnL/xGjKfjgrBRFmRO7z1760pOPBNmK+9WiioRfWvgmnY6zbHJ:PvfcTFmRO7h/pOPBNmKdiie36Hp
Malware Config
Extracted
azorult
http://hyperlan.xyz/ynvs2/index.php
Extracted
sodinokibi
13
981
achetrabalhos.com
mercadodelrio.com
circuit-diagramz.com
brunoimmobilier.com
blucamp.com
karelinjames.com
zdrowieszczecin.pl
physio-lang.de
broccolisoep.nl
tieronechic.com
pilotgreen.com
magnetvisual.com
eksperdanismanlik.com
hypogenforensic.com
happycatering.de
grafikstudio-visuell.de
kristianboennelykke.dk
metallbau-hartmann.eu
subyard.com
wasnederland.nl
-
net
true
-
pid
13
-
prc
visio
agntsvc
steam
ocautoupds
dbeng50
oracle
excel
ocssd
msaccess
ocomm
isqlplussvc
infopath
wordpa
synctime
sqbcoreservice
xfssvccon
mydesktopqos
winword
mspub
thunderbird
powerpnt
onenote
tbirdconfig
dbsnmp
mydesktopservice
thebat
sql
firefox
outlook
encsvc
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
981
-
svc
veeam
sql
svc$
backup
memtas
sophos
vss
mepocs
Extracted
agenttesla
Protocol: smtp- Host:
mail.auditpayments.com - Port:
587 - Username:
[email protected] - Password:
RQAbWLF6V.AF
Extracted
gandcrab
http://gdcbghvjyqy7jclk.onion.top/
Extracted
sodinokibi
$2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq
3385
balticdermatology.lt
liveottelut.com
michaelsmeriglioracing.com
spsshomeworkhelp.com
campus2day.de
madinblack.com
tanciu.com
agence-referencement-naturel-geneve.net
jakekozmor.com
tinkoff-mobayl.ru
myhealth.net.au
maasreusel.nl
pmc-services.de
evergreen-fishing.com
noskierrenteria.com
galleryartfair.com
importardechina.info
trapiantofue.it
tux-espacios.com
ecoledansemulhouse.fr
-
net
true
-
pid
$2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq
-
prc
thunderbird
thebat
msaccess
mydesktopqos
ocomm
ocautoupds
outlook
xfssvccon
wordpad
encsvc
excel
agntsvc
sql
winword
isqlplussvc
powerpnt
ocssd
dbeng50
synctime
visio
sqbcoreservice
mspub
tbirdconfig
steam
dbsnmp
onenote
oracle
firefox
infopath
mydesktopservice
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
3385
-
svc
veeam
backup
vss
sql
memtas
svc$
mepocs
sophos
Extracted
sodinokibi
$2a$10$8hHwQ6UVe38.cdSVLbUA8.ZZ/KtY/JBtxM33mqshGj2Cx91wDr9hS
3815
mediaplayertest.net
easytrans.com.au
coding-marking.com
fax-payday-loans.com
smogathon.com
digi-talents.com
mrxermon.de
testcoreprohealthuk.com
amylendscrestview.com
pointos.com
dr-seleznev.com
themadbotter.com
12starhd.online
whyinterestingly.ru
answerstest.ru
tradiematepro.com.au
wien-mitte.co.at
liveottelut.com
mercantedifiori.com
waynela.com
-
net
true
-
pid
$2a$10$8hHwQ6UVe38.cdSVLbUA8.ZZ/KtY/JBtxM33mqshGj2Cx91wDr9hS
-
prc
mydesktopqos
dbeng50
msaccess
wordpad
xfssvccon
ocssd
thunderbird
outlook
oracle
visio
tbirdconfig
sqbcoreservice
encsvc
mydesktopservice
firefox
synctime
infopath
onenote
thebat
ocautoupds
excel
mspub
steam
isqlplussvc
sql
ocomm
agntsvc
winword
dbsnmp
powerpnt
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). ================ WARNING================ We have copied financial files and other important information about personal data. Example: Data from Sources server (172.20.0.60). It will be published on the Internet and will be used against you if you do not pay us, so if you do not want such consequences as customer churn, media coverage and other damages, we recommend you to contact us and pay the ransom. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
3815
-
svc
sophos
vss
veeam
svc$
backup
sql
mepocs
memtas
Extracted
sodinokibi
36
2864
handyman-silkeborg.dk
sunsolutions.es
operativadigital.com
jmmartinezilustrador.com
finnergo.eu
metriplica.academy
fanuli.com.au
palmecophilippines.com
angelsmirrorus.com
tanatek.com
markseymourphotography.co.uk
gta-jjb.fr
teamsegeln.ch
annenymus.com
liepertgrafikweb.at
terraflair.de
brunoimmobilier.com
spacebel.be
casinodepositors.com
stabilisateur.fr
-
net
true
-
pid
36
-
prc
thunderbird
mydesktopqos
xfssvccon
visio
dbeng50
outlook
oracle
isqlplussvc
tbirdconfig
firefox
ocomm
sqbcoreservice
encsvc
ocautoupds
winword
synctime
excel
onenote
powerpnt
msaccess
sql
steam
mspub
ocssd
mydesktopservice
agntsvc
wordpad
thebat
dbsnmp
infopath
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
2864
-
svc
veeam
vss
svc$
mepocs
sql
backup
memtas
sophos
Extracted
C:\Program Files\dotnet\Restore-My-Files.txt
lockbit
http://lockbitks2tvnmwk.onion/?A0C155001DD0CB01B3DD0A890028438E
Extracted
djvu
http://ancs.top/ydtftysdtyftysdfsdpen3/get.php
-
extension
.jope
-
offline_id
K72FcnkdIQC15Y6gSOcshlkpUbvUZNl4zrQFK1t1
-
payload_url
http://ancs.top/files/penelop/updatewin1.exe
http://ancs.top/files/penelop/updatewin2.exe
http://ancs.top/files/penelop/updatewin.exe
http://ancs.top/files/penelop/3.exe
http://ancs.top/files/penelop/4.exe
http://ancs.top/files/penelop/5.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-SIiUh1jDFZ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0218OIWojlj48
Extracted
asyncrat
0.5.3
1990
-
delay
0
-
install
true
-
install_file
MozillaUpdate.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/hSbwYxQ2
Targets
-
-
Target
RNSM00381.7z
-
Size
28.1MB
-
MD5
3667f140f7bbda37da8e81d046d35f37
-
SHA1
599bce003d2b9839e35fd6c35e78337c9af64570
-
SHA256
e15bf0308cb9c13f03a97d8759162405ffb9a890466ebc39064c39a8f3ae28fe
-
SHA512
1957b20adaec07691ba9b9b859537b6336269a861f6d5f998bd01d320039c1a48727f41dc2de1769954a022f49442408c1cce5bb4c5294229ff0db09b24fe80c
-
SSDEEP
786432:WOnL/xGjKfjgrBRFmRO7z1760pOPBNmK+9WiioRfWvgmnY6zbHJ:PvfcTFmRO7h/pOPBNmKdiie36Hp
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detected Djvu ransomware
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Djvu family
-
GandCrab payload
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Globeimposter family
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Modifies WinLogon for persistence
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
Sodinokibi/Revil sample
-
AgentTesla payload
-
Contacts a large (7782) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
Renames multiple (299) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Modifies file permissions
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1File and Directory Permissions Modification
1Indicator Removal
4File Deletion
4Modify Registry
3Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Discovery
Network Service Discovery
2Peripheral Device Discovery
2Query Registry
8Remote System Discovery
1System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1System Time Discovery
1Virtualization/Sandbox Evasion
2