General

  • Target

    RNSM00375.7z

  • Size

    40.8MB

  • Sample

    241104-w4qp1svgkq

  • MD5

    b9cb855d8759e858e4c7267043774061

  • SHA1

    b08bf37327071e56097f20d9e20820bd08a1d06c

  • SHA256

    184d8f3a951d0a05dc121e7fe26c18edef88b710465f500c08eceefbf4600a80

  • SHA512

    67f17a2ec8166849c2eb14331d76d226ee1b18f38dfdd1910551f7a4f5e01489cc2c7a2900990aaa55a5fc114d86845d19ff17209ebfe061b22f325dd2050b3f

  • SSDEEP

    786432:/ZmXo4mvRp5JhfkurS0EIrGosbXA9gdOwwJmTHU1EGInRa9:4yzzI0NYj6Cz2GHWEGIn49

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    A1234567X

Extracted

Family

crimsonrat

C2

216.176.190.98

Extracted

Family

systembc

C2

146.0.75.34:4083

Attributes
  • dns

    5.132.191.104

    92.163.33.248

    206.189.120.27

Extracted

Family

azorult

C2

http://hyuifrfrfy.temp.swtest.ru/index.php

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\PKXIUTMLZ-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****

Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .PKXIUTMLZ

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/903c55d7ccdfd7b2
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
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
---END GANDCRAB KEY---

---BEGIN PC DATA---
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
---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/903c55d7ccdfd7b2

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
==== GERMAN ====

Alle Ihre Dateien, Dokumente, Fotos, Datenbanken und andere wichtige Dateien werden verschlusselt.
Sie konnen es nicht selbst entschlusseln!
Die einzige Methode Zum Wiederherstellen von Dateien muss ein eindeutiger privater Schlussel erworben werden.
Nur wir konnen Ihnen diesen Schlussel geben und nur wir konnen Ihre Dateien wiederherstellen.

Um sicher zu gehen, dass wir den Entschlusseler haben und er funktioniert, konnen Sie einen senden
Senden Sie eine E-Mail an [email protected] oder [email protected] und entschlusseln Sie eine Datei kostenlos.
Aber diese Datei sollte nicht wertvoll sein!

Mochten Sie Ihre Dateien wirklich wiederherstellen?
Schreiben Sie eine E-Mail an [email protected]
[email protected] (reservieren)

Ihre personliche ID: <! - ID ->

Beachtung!
* Benennen Sie verschlusselte Dateien nicht um.
* Versuchen Sie nicht, Ihre Daten mit Software von Drittanbietern zu entschlusseln. Dies kann zu dauerhaftem Datenverlust fuhren.
* Entschlusselung Ihrer Dateien mit Hilfe von Dritten moglich verursachen Sie erhohten Preis (sie addieren ihre Gebuhr zu unserem) oder Sie konnen Opfer eines Betrugs werden.

==== ENGLISH ====

All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself!
The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an email [email protected] or [email protected] and decrypt one file for free.
But this file should be of not valuable!

Do you really want to restore your files?
Write to email [email protected]
[email protected] (reserve)

Your personal ID: 39C30A83-A525-95CF-6195-C1AA1476D328

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      RNSM00375.7z

    • Size

      40.8MB

    • MD5

      b9cb855d8759e858e4c7267043774061

    • SHA1

      b08bf37327071e56097f20d9e20820bd08a1d06c

    • SHA256

      184d8f3a951d0a05dc121e7fe26c18edef88b710465f500c08eceefbf4600a80

    • SHA512

      67f17a2ec8166849c2eb14331d76d226ee1b18f38dfdd1910551f7a4f5e01489cc2c7a2900990aaa55a5fc114d86845d19ff17209ebfe061b22f325dd2050b3f

    • SSDEEP

      786432:/ZmXo4mvRp5JhfkurS0EIrGosbXA9gdOwwJmTHU1EGInRa9:4yzzI0NYj6Cz2GHWEGIn49

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Buran family

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Crimsonrat family

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Modifies WinLogon for persistence

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Systembc family

    • Clears Windows event logs

    • Contacts a large number (3335) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Looks for VirtualBox Guest Additions in registry

    • Renames multiple (334) files with added filename extension

      This suggests ransomware activity, i.e. encrypting files across the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Clears Network RDP Connection History and Configurations

      Removes evidence of malicious network connections to clean up traces of the operation.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15