General

  • Target

    RNSM00376.7z

  • Size

    17.3MB

  • Sample

    241104-wyytfatpgw

  • MD5

    1796e83f86a7fa57f10da5bf6bbf29df

  • SHA1

    f76ea287c02d805fa11f107eee049d5906c2d5c9

  • SHA256

    2cf55d64bf19e460c49659403bd0b77fb91fbc5a5f1f5b21855529f54c4cacb3

  • SHA512

    514dd575ee3ae5c684865c1d3513973ed00593a29a3f71e71aafe6e7fc7bfea6ebf5ded9efb06e207556836596a1de141bc70875c13f0799ad1d3ed82b4e4391

  • SSDEEP

    393216:cSjNjlFPvXuBwedeEt/tv6mxIXFfqb0iIY+qfHph9FNp7jAYDi95m4:cSN3XWwec0/tC+I1ybbP39Pp7jAYmj

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\ISMRK-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .ISMRK

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/d115b9ef9cdb265b
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
URLs

http://gandcrabmfe6mnef.onion/d115b9ef9cdb265b

Extracted

Path

C:\Program Files\BNIBBLSVR-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .BNIBBLSVR

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/d115b9ef9cdb265b
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
URLs

http://gandcrabmfe6mnef.onion/d115b9ef9cdb265b

Extracted

Path

C:\Windows\System32\Info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>[email protected]</title>
<HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; }
.bold { font-weight: bold; }
.mark { background: #D0D0E8; padding: 2px 5px; }
img { display:block; margin:auto; }
.header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; }
.info { background: #D0D0E8; border-left: 10px solid #00008B; }
.alert { background: #FFE4E4; border-left: 10px solid #FF0000; }
.private { border: 1px dashed #000; background: #FFFFEF; }
.note { height: auto; padding-bottom: 1px; margin: 15px 0; }
.note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; }
.note .mark { background: #A2A2B5; }
.note ul { margin-top: 0; }
.note pre { margin-left: 15px; line-height: 13px; font-size: 13px; }
</style>
</head>
<body>
<div class='header'>
<div>All your files have been encrypted!</div>
</div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div>
<div class='bold'>Write this ID in the title of your message <span class='mark'>9CDB265B</span></div>
<div class='bold'>In case of no answer in 24 hours write us to theese e-mails:<span class='mark'>[email protected]</span></div>
<div>
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
</div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
</ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul>
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>
</ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>
</ul>
</div>
</body>
</html>
Emails

[email protected]

[email protected]

[email protected]

URLs

http://www.w3.org/TR/html4/strict.dtd

Extracted

Path

C:\Program Files\Java\jdk-1.8\jre\bin\!!! YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an email [email protected] and decrypt one file for free.
But this file should be of not valuable!

Do you really want to restore your files?
Write to email [email protected]

Your personal ID: 1346CEA7-6AB2-9122-2814-352AEE6F36A3

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      RNSM00376.7z

    • Size

      17.3MB

    • MD5

      1796e83f86a7fa57f10da5bf6bbf29df

    • SHA1

      f76ea287c02d805fa11f107eee049d5906c2d5c9

    • SHA256

      2cf55d64bf19e460c49659403bd0b77fb91fbc5a5f1f5b21855529f54c4cacb3

    • SHA512

      514dd575ee3ae5c684865c1d3513973ed00593a29a3f71e71aafe6e7fc7bfea6ebf5ded9efb06e207556836596a1de141bc70875c13f0799ad1d3ed82b4e4391

    • SSDEEP

      393216:cSjNjlFPvXuBwedeEt/tv6mxIXFfqb0iIY+qfHph9FNp7jAYDi95m4:cSN3XWwec0/tC+I1ybbP39Pp7jAYmj

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Modifies WinLogon for persistence

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • AgentTesla payload

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (320) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Clears Network RDP Connection History and Configurations

      Removes evidence of malicious network connections to clean up traces of the operation.

    • Downloads MZ/PE file

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Network Share Discovery

      Attempts to gather information on the host network.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks