Overview

overview

10

Static

static

1

RNSM00380.7z

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00380.7z

  • Size

    16.4MB

  • Sample

    241103-2qc5nawgmg

  • MD5

    d52392253e837d87a4d550b3b0e17ebb

  • SHA1

    f11f1b17d06b749034346cdddac52007aca54926

  • SHA256

    c019141bc3d483634d38672e50660478aa452db9066da062e72cd099a7d4937a

  • SHA512

    a79021e35a83223e47371f9468ecba168dcb02b806a7d2b97a0e915047d8249cc9c78766f3abfec25d50241ec96356f5d3bd4588ce2bc05e92d27318ea96f6e1

  • SSDEEP

    393216:8Iy7MoOupjBZ1VPIIwiV2NQVk9V0J0vTIdwJ1KXtaGXPJ1:Zy7MPuRvTPzYD957Id6ikWJ1

Score
10/10
agentteslaazorulthakbitmazezgratdefense_evasiondiscoveryevasionexecutionimpactinfostealerkeyloggerransomwareratspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.jpme.org.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ehimembano1@

Extracted

Family

azorult

C2

http://23.249.162.26/DB1/index.php

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
SEON RANSOMWARE ver 0.2 all your files has been encrypted There is only way to get your files back: contact with us We accept Bitcoin and other cryptocurrencies Do not try to reinstall operation system on your computer Do not try to decrypt files with third party tools, this can lead to data loss You can decrypt 1 file for free Our contact emails: [email protected] [email protected]

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\YIPBAPHO-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .YIPBAPHO The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/81370634933a7906 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAANEnIJa6Z+QZZ7gnWkZtnsLVVPxKGvRGew3F5zCGiokpzid11qlRD0lxhTMpKZ2ha2cRphynNLxQffPn4AHU8YWnXaEzmTspxiX48dxWOyOIahWU1wEKJpsNLz4FVGOB0VrKfFqtZtJfdTCixuoxoe2hYMekYHwePYSRUyv8HsM8U3UayCsm6RVS0fbU/Cz7E5pbtcS5Fc6NDPw1cvTdp2VBcP+3W4Fk01jQMnYTfGDu8q7Ub7GtMKhO89JGuUe8HOi56UYsyNKf5W1jJnHxmzNIibPQD5FGxdeh0nhDmwzSvYBb0BDQfxA4NE4ZD3LjJlhnVKlYt9WlKS8mK/3y4hJkfVza8kmagBNr/k9FMERY4PUTMfFuIeR8nb3uKMyaFJZ43pkqboL650KsQC3/L5sUEIWTsqCMtJApz+BQiEJ4ZXj135ltUjC6jsIZvAkdsfuVzPKa9zR1yyR2ITOmsF9/6XmjEN6sB7AaQi5S4yyd3iCqPkJnnmfFGArGVKKUAXaGDOZNGX0SyhcxL02LupEhWbFsZFRPa1n9qrk0BbPNiLuxuZxEWS7zaqoz5Cm1UFpfqJ0VVLNBllQcwIX2j5dFYgrynhNPlSnrgd+KTyVSMsdT8ReGAt9Pdsy86jNUsp8gsdggmXOf8xtLNzgjW17ZlngZ25aO2QCPEnX6DTMGp4FvWmbVmflaGzRRI20AGNI0gWWeX5xvXEAP1CwoaErKFNGv1mQQTya8T7FDJN+Vfi1AAdzJiZ92VMjVP0o6VcKUsSHtePKywC8lF66kT0FakMYz/iJqEHAOS31FzL+fwir+pNO8Ce2jP+3XiXlwEcTGMjSaUpzamvWE9sYyWClGGzqnhi8eAO7u2koTm6IvTCfKxKPbvwJX0o445xaVJf+GuIzPfO61nsFj7EVocrPz6XEDpSfByiPOVptwLrO+Uspcs5qbincTuc5cf9GztWq8CAj3PeCq5VbjK8gkgcm2wE0R57QICLFClpWWMtLf7QKlfhtCuXi92VA6B4jsScCR2ISjevjLgydxn/3MhwoggdBm+XRMzAafzYlJILdGRdVSznc08BDaHsyvZgj2xzT2MFrQ2kYi4kOQBDnGQugwlriWp2v+ZDD0cWD73YRoyRn9QMkROKM/IeFnrqVH5oD+Oi4OH+yZZBjF4uuQjICCunEXol31+1o9E5dimuV6aCNUZttdIvKVm+XqlzIQ1XKXOFTmpLCgAFHnQBrwk4s54OxJH+znFkosAAdyZ/nSA7VrCZRJWEnv25Blpo1IjjwudcCAQAZD/RZ5D2k52W8ZVm7bUskfySm5Xj6XfeKiqO82teSZ/CF4O0Fb1pbf3KbahKc+PP7asFfsuaeQVTmnVrs30b7vAyhcAJwDZbc4NQQyhrzzUxCjDRGxL8QozLlkQFviMeAnO8J7ZtpoP29VZfZVp5FcZITRGlMZCo0/JIR6Y+qvqsvqF5086avdTcGk9RpI/pauXLnWhXibE2vJSpK65u/YxqqH01+EZACZ5wfFUc8j+W4x6VpgTyV7QSCNw6VGvdaBPRKYoJryKxQEdOUV5npKQh8GEnaKF4/nBEGJJJou574pLmqil2eqMGtmZxSa3hC7gdnMA87oEk8UUgFacvO31bMPs/NbKneJ81uk2j+qeYK1jnN/qSCXWDdE4bc5xKOrB8EGR11Kel7ynzHNBXyG0oAHEo0iVIcO4u/pat75j7OQF5NJFuDp3YWGimd3TRB5NPsZYyiqGL1EA1Hjm8r7RiX1EBz3pTfTkEYuEkslh0ZyxgVeAsrAJ5pwHGrV696itsY/YgVfodYvZEx/KEeZzJ1hSHo+qKHJKRGIb6o89uJU2cnIrui/do2012KpGKiHjUSgG0RHVOEnjamgyO8p/c3JG62lvdFVN2kTst3sDjdJ7kWZV3s9A5CPW0Z7A+nURufqeBLpTuFOAw/O6AG545P0ZLNPAhX7aJ5Sr9OztuyCifwlerflUlkt4wtgZFlZUQmicMYsUM1u7/qg6Ty9b7e1eabYvoboxW2bEa9KbPoQS69eW64sqkAWrQhv5rlI2Yu6jTIrlM6ba80ic8m3HhUbGjaUglm8RpJehQPz3vuzY+uzhlB4XcETTacI9hG7zZgF9hFR28JnogkXCgJbQl7qXRj3HVQy4JIpDMtIVN6G6nCLn4GYl60/Q10RPrDjN+p5TfVoj2fzHo/BeyqoMKk92PC+CaGWvRY02mOqhKK+Ov9xha6zC3SNMu8= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZCToNRtXYd7n1Wp7fZTG6Hhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6OKl/2U2FusmGt1Yb1qHBi7trhHVEYgbpicb4tm4Pab3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pCBFK3vzLN+av1wMZNXQWRl2KYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9QQ3jC3KZBEuXtJUiuBZ9MNJGhHpcOfb/HRd0Psok9V+butLOnzJ/9bHYIh8kz6+xMRettGP+Pbn3W/eJIXs9ebdQm9EdhJFLd2qBglmnMLQYzygtAfj75QWEAiTIEnbJST+zbSAE= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/81370634933a7906

Extracted

Path

C:\PerfLogs\DECRYPT-FILES.txt

Family

maze

Ransom Note
Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/87c2097c933a7906 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/87c2097c933a7906 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- acyrjvzJdiVGpBjDA/TuA/nTdKCz251y7pfvnbDblZk2xqBIepdMkU2GMMkyh4z0aswiGaDizMPv80px5bvn5MgKDFMOQ3TefkcuF4Lshp+G+QazjxhkxWlozOuhPxA5gXb+bq1VEDGhofdyBiG/z5bFOwEfWXb5VT5zcJNqdYUv8Er1JvZq0QVU9leQ3aG0gGyM7v/1m42w+LT0neSQHtItlBBddhluNM+PlXUM+ZLwJarbtv5ofKMVTDYjwlWVwO2ni8LCxBTNJuRg3d/9XFPH42F6PuZXD4kiTTIe3flLnxX9YFQ5enGEaGLsfYbfN+GSezJM0NQuYiCmHD4z/f0Qx3EH87rb06K1DtKzJp23ZhqNSlxuznmsj5A5KWgvAyphp8mqhPGGXLcAlGfVtZgGTFMHd/rRDRN5TdAQJtaVqDc+9Pkr3Lzr3sBM/uBxiy1fNN4QoBqv8Bz18g7wgSFNANwOSHkKattXNXICrEjiORPFP0mZ6SdGhYGoNvx7B5UjFpuSFasxcsPx7qCu/1/zwBPkF5vm123CBzOagu0cmduwyikI3P+LKbOOcrn9nHPLsU383PakkX+uX79wmpOeOBWh2H2gI/xZuVz3w3fZXmt3XUHGrReejRo87NUi1Zn82oooevOiUcf1ubkpe1083XpRLLkNgSVaYeHyjKn8BuwThAMhRpNlzd/r6uueu3yzvqeSDDqIg7i6K/IkfbYuH7T/B2gDzjrHwkzxcq/we931cMF+WmxWKj4iiMAhW8aQQyG4d1ApVUMvLl/qgnDDfRIzYp4c3fhoHkqzGwJpXzAbnqCZUgZzgxpWX224W8gsutcr0YX+ux7P7vlFFJG7KQ95kbKBuYjO6KE1ZKx1k7lnW8nA9UAcfl2WvDZgjT5JJie9DL+Qv2zK2JyoW0tWxm0Erg3DnV0dXTrsViBN9wztoZRr+U/gPVE5xm09doSfc62nCTXATyujlQqvZ+X+Qku96nDAKiyn4NJk4rLPNaszEz3/36mDWWq75VWMVsjkRf2YrGHHiSrwdt6yeeBVuvoysNTReGyxmvdZv5zTJPx+R1ixMrt7cE+/6DwnEPOsvZMIoa6ZD5IKNCeI/CT5x4ftHBCPLWXjlZRfRhKwmzZRBNhbeYOScrBe/8pJ3oaaXzXGDo59iegMw9r+BPr9jeoFoQ60sMozCufOLvaXrOUwciexgEpLVLkkL5vHuA3QZerzpY0ZSA8v+L7ldDrY1JNxJ6ASZjsyzzRM4zSPtsZMiOsuiqviYPQ8tdnqm/bY1OrDTVGRJXr7RelGb68kfYyMDIby3gCYCH9YQvYLVYOOKOWfeSqs7BbKB18QaleRRU6DfVKZu0nm8B4tvb54Pr+yVY3UpzYl7MzDD09AiDWBRQrDtoxD/pEnyjYsB6pfLIe4jprL8f7WuUhB0fmtvOka5sZTg+xHCbJCg2GnnMm565WYSTS1/hkM0HwonH58D8gd0xF8hI129t+1aroxaQphnWxEyeB5bmKzV0zZkyA2IUHBzRf1PnHkqL0xl1Carkm/BRcD5qhlgyyVQwMV7/nPvyVwa/nu/6qRPOe1wGhp+Vo9a04348WtIUxPKCpYIWoHfgAXqXpVBB+xhRSJtG/lOd0M8slXOqhREj5VNbRn/s6tWrxFNw+GaFYdCYnNNCUYz4aoWGGaAG6JnijE1gYKTXt1AZKwElKVa8AwBhfc5cMhnvSUMTPS/xNO63CQmtyqUKyatFGzP/9OvRds9cJVBqzcoA3YjRbAZamxApiMYdfbwZolM6QdX6btl5RRYGxJIos6wJ5xlJ9skAR+mPdtvWIC+p4EQ69Hw52BCa4mMMxOuoY2fVei0X8tKap6r5IJYdb8Y0N4U5fj3J4VOtoB+Gsk6GFqb6cTdm2K45ZIXrzV9RndRkNwHZX7G1BWrlziwY3k/4UwxRAeGivfc5yr5RewAHMYvC5ZoqJflPqbGhxCtbjIkSFV8K7kk5+RcwiG+Cfu5DniozAHLIFZIxxSrsFTtj84UdgHekQeYoKfU407tMjdnOlWGSN1CPRguWHmI7mpUdG1nnKCpbgKOd1GcgqK6+Oq7FSghgH3PUBhYwRpOg7cLRp2qG5/MV8GrRh3ctIZWiU+PsFmFV77dl3AQSwDQj0JUBSGUhnC7yYz+3FT0moNy+fSJ3rVh4jZikypSG58r3EkB3xwyE2VeoMvAF3peHX7vpVb2gAqcfrv1vUEjvv2xjHAJ41Ejs26RwoiOAA3AGMAMgAwADkANwBjADkAMwAzAGEANwA5ADAANgAAABCAYBoMQQBkAG0AaQBuAAAAIhJVAFQASwBCAEUAQgBMAE8AAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAANgA0ADcALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADEANgAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCm6uxyeBCAAQGKAQUyLjEuMQ== ---END MAZE KEY---
URLs

http://aoacugmutagkwctu.onion/87c2097c933a7906

https://mazedecrypt.top/87c2097c933a7906

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 0.5 Bitcoin and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: [email protected]. Bitcoin wallet to make the transfer to is: 1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9 Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ LyQpSGKEbHZjCQtz2WSeDUBx57eBPPWaditCNis6mroXyBuWQftOJvLuqtZ6wLM2CSwW+x6sYplOLxG9qtHntzzal5KG79faaDmPHle6DDOpyMvB3F1yA9r3WQnlqcdUxJgWkCWoU1Bs+REb+6qrX+z5shlqa/a5Cz8fjDc7O5rmoYZTQEnQDUje4zVootNs+e/lbUXPoMEnXBnM1OflUHsETO9q5qIYaLVfW07Fn9pGeSHiy0L9pNyNdM9g075r57j5E2f1AlTe0GPjh1Yve6BCuH7tMOeiYY8NhxWa6WfHoqkn/H1ItMoCIrLjm2RRt2bpKhUzDLuSXyTjxcpTNg== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: 22
Wallets

1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9

Targets

    • Target

      RNSM00380.7z

    • Size

      16.4MB

    • MD5

      d52392253e837d87a4d550b3b0e17ebb

    • SHA1

      f11f1b17d06b749034346cdddac52007aca54926

    • SHA256

      c019141bc3d483634d38672e50660478aa452db9066da062e72cd099a7d4937a

    • SHA512

      a79021e35a83223e47371f9468ecba168dcb02b806a7d2b97a0e915047d8249cc9c78766f3abfec25d50241ec96356f5d3bd4588ce2bc05e92d27318ea96f6e1

    • SSDEEP

      393216:8Iy7MoOupjBZ1VPIIwiV2NQVk9V0J0vTIdwJ1KXtaGXPJ1:Zy7MPuRvTPzYD957Id6ikWJ1

    Score
    10/10
    agentteslaazorulthakbitmazezgratdefense_evasiondiscoveryevasionexecutionimpactinfostealerkeyloggerransomwareratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Azorult family

      azorult

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect ZGRat V2

    • Disables service(s)

      evasionexecution

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

      ransomwarehakbit

    • Hakbit family

      hakbit

    • Maze

      Ransomware family also known as ChaCha.

      trojanransomwaremaze

    • Maze family

      maze

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Zgrat family

      zgrat

    • AgentTesla payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Contacts a large (1609) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

System Services

1
T1569

Service Execution

1
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Network Service Discovery

1
T1046

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

4
T1490

Service Stop

1
T1489

Tasks