General
-
Target
RNSM00379.7z
-
Size
27.9MB
-
Sample
241104-wjg75stmds
-
MD5
59e53cc4c3a9cb4d0b965ec637bcf169
-
SHA1
cd9d547d737e2ca22d32722c23c1552e5e104b01
-
SHA256
c21aa3d27a5957e5c39e4c0630d1c0e6a9083a670e0f1c81a1fba9fa1115442c
-
SHA512
7c97a623dee692afe2d6380901ea6b5afad44ac9ae092ffc6114c26035faa77e5d3da81698ec3b6ae61ef64ff989741cc23f5dcf05cda7b194a758ec18ad06f4
-
SSDEEP
786432:Y1c0lgTFvGoWFeKnWdNp/A/hcZD3pMawtwvLytbPM19:Y15lOFgFeKnqIhUDZGwDytbA
Malware Config
Extracted
emotet
Epoch1
187.162.62.135:80
181.231.72.200:80
45.55.83.204:8080
104.236.217.164:8080
128.199.78.227:8080
46.101.123.139:8080
185.94.252.27:443
181.171.118.19:80
46.21.105.59:8080
105.224.171.102:80
86.6.188.121:80
190.246.146.101:80
200.80.198.34:80
200.58.171.51:80
109.104.79.48:8080
89.134.144.41:8080
159.65.241.220:8080
186.23.146.42:80
203.25.159.3:8080
190.1.37.125:443
Extracted
C:\$Recycle.Bin\YEYFQM-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/5ef1df3d38d4324c
Extracted
gandcrab
http://gdcbghvjyqy7jclk.onion.top/
Extracted
sodinokibi
16
2932
premier-iowa.com
turing.academy
physio-lang.de
rarefoods.ro
palmecophilippines.com
ddmgen.com
omnicademy.com
baita.ac
cmascd.com
nationnewsroom.com
belofloripa.be
babysitting-hk.helpergo.co
tages-geldvergleich.de
iactechnologies.net
line-x.co.uk
richardiv.com
goeppinger-teppichreinigung.de
dinecorp.com
hawthornsretirement.co.uk
kerstliedjeszingen.nl
-
net
false
-
pid
16
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
2932
Extracted
sodinokibi
$2a$10$nWPIRSot/CckTPp00tnXQOFn2NS9abxBEdAbLQPH5CRiCW8.CQOuG
3382
bouldercafe-wuppertal.de
i-arslan.de
chavesdoareeiro.com
work2live.de
rehabilitationcentersinhouston.net
mirjamholleman.nl
pogypneu.sk
babcockchurch.org
lorenacarnero.com
schlafsack-test.net
c-a.co.in
lapinvihreat.fi
smart-light.co.uk
craigvalentineacademy.com
lange.host
amerikansktgodis.se
blacksirius.de
desert-trails.com
exenberger.at
hrabritelefon.hr
-
net
true
-
pid
$2a$10$nWPIRSot/CckTPp00tnXQOFn2NS9abxBEdAbLQPH5CRiCW8.CQOuG
-
prc
powerpnt
winword
ocssd
onenote
sqbcoreservice
encsvc
outlook
oracle
dbsnmp
xfssvccon
agntsvc
dbeng50
visio
thebat
mydesktopservice
thunderbird
msaccess
mydesktopqos
steam
sql
infopath
firefox
tbirdconfig
wordpad
isqlplussvc
ocautoupds
mspub
synctime
ocomm
excel
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
3382
-
svc
sophos
sql
svc$
memtas
mepocs
veeam
backup
vss
Extracted
sodinokibi
48
2839
fotoeditores.com
lisa-poncon.fr
loysonbryan.com
levencovka.ru
dierenambulancealkmaar.nl
apogeeconseils.fr
xn--ziinoapte-6ld.ro
mrkluttz.com
larchwoodmarketing.com
cymru.futbol
afbudsrejserallinclusive.dk
towelroot.co
frimec-international.es
fluzfluzrewards.com
liepertgrafikweb.at
sppdstats.com
happylublog.wordpress.com
kelsigordon.com
biodentify.ai
bratek-immobilien.de
-
net
false
-
pid
48
-
prc
pvlsvr
dbsnmp
VeeamDeploymentSvc
dbeng50
beserver
bengien
powerpnt
bedbh
EnterpriseClient
ocomm
outlook
thunderbird
thebat
isqlplussvc
steam
infopath
tbirdconfig
xfssvccon
sql
onenote
mydesktopservice
DellSystemDetect
visio
sqbcoreservice
msaccess
ocssd
raw_agent_svc
oracle
vxmon
excel
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
2839
-
svc
stc_raw_agent
BackupExecAgentAccelerator
AcrSch2Svc
vss
backup
PDVFSService
VSNAPVSS
VeeamDeploymentService
sophos
ARSM
BackupExecVSSProvider
memtas
svc$
MSSQL$
BackupExecJobEngine
VeeamTransportSvc
VeeamNFSSvc
mepocs
BackupExecAgentBrowser
MSSQL
CAARCUpdateSvc
CASAD2DWebSvc
BackupExecManagementService
veeam
BackupExecRPCService
MSExchange
MVarmor64
WSBExchange
sql
AcronisAgent
Extracted
hawkeye_reborn
10.0.0.0
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
(#@jS%{GF;0
51ca91c3-9a11-4443-9e61-ee6e5c097d44
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:(#@jS%{GF;0 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.mail.ru _EmailUsername:[email protected] _ExecutionDelay:5 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:51ca91c3-9a11-4443-9e61-ee6e5c097d44 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:true _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null
Extracted
lokibot
http://107.175.150.73/~giftioz/.rojonm/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
djvu
http://mopg.top/Asjdi435784ihjk65pen2/get.php
http://nokd.top/ydtftysdtyftysdfsdpen3/get.php
http://ring2.ug/As73yhsyU34578hxxx1/SDf565g/get.php
-
extension
.rezm
-
offline_id
oTNOXYrFxLZ6FFJDHoOj4iFOlC2xJsN3KurV05t1
-
payload_url
http://mopg.top/files/penelop/updatewin1.exe
http://mopg.top/files/penelop/updatewin2.exe
http://mopg.top/files/penelop/updatewin.exe
http://mopg.top/files/penelop/3.exe
http://mopg.top/files/penelop/4.exe
http://mopg.top/files/penelop/5.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-yVc390S6cs Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0211Asd4a7d6
Extracted
xtremerat
iaficasioo.zapto.org
Extracted
agenttesla
Protocol: smtp- Host:
mail.gandi.net - Port:
587 - Username:
[email protected] - Password:
Blessed000@
Targets
-
-
Target
RNSM00379.7z
-
Size
27.9MB
-
MD5
59e53cc4c3a9cb4d0b965ec637bcf169
-
SHA1
cd9d547d737e2ca22d32722c23c1552e5e104b01
-
SHA256
c21aa3d27a5957e5c39e4c0630d1c0e6a9083a670e0f1c81a1fba9fa1115442c
-
SHA512
7c97a623dee692afe2d6380901ea6b5afad44ac9ae092ffc6114c26035faa77e5d3da81698ec3b6ae61ef64ff989741cc23f5dcf05cda7b194a758ec18ad06f4
-
SSDEEP
786432:Y1c0lgTFvGoWFeKnWdNp/A/hcZD3pMawtwvLytbPM19:Y15lOFgFeKnqIhUDZGwDytbA
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Detect XtremeRAT payload
-
Detected Djvu ransomware
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Disables service(s)
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Djvu family
-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Emotet family
-
GandCrab payload
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Hawkeye_reborn family
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Modifies Windows Defender Real-time Protection settings
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
UAC bypass
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
AgentTesla payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Renames multiple (274) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows
-
Adds policy Run key to start application
-
Disables taskbar notifications via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1File and Directory Permissions Modification
1Impair Defenses
2Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
5Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1