General

  • Target

    RNSM00371.7z

  • Size

    8.1MB

  • Sample

    241105-13g4psslgm

  • MD5

    ee791e896c5058c5d4a12cad2d279a85

  • SHA1

    6cb48708979a25e8a12eca2a32b2d9fbe5b15a67

  • SHA256

    81dd2aed2ac6ca4f819a7736d4aa4c00e76d89045bf9ce70f2359e68321fc664

  • SHA512

    12a37dd2bec8b9e7bc869eb6b928d42dc678bbbd5482eaae7f90c24d1b3b97500aefbe291d3f26125c4d10ebeb0f95cd4e9874944d429bd6c5f4e99d6f745d7c

  • SSDEEP

    196608:tqjKf+U5zlOvOVF9GLCNOopBvEQ2G0mRYjb6p+UP+x8vYY:ksROSPaK2xmSjY1PVt

Malware Config

Extracted

Path

C:\$Recycle.Bin\{RecOveR}-bthbh__.Txt

Ransom Note
:2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is a possibility to restore them with our help . What exactly happened to your files ??? *** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key , which you received over the web . *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; What should you do next ? There are several options for you to consider : *** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or *** You can start getting BitCoins right now and get access to your data quite fast . In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data. 
In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below : http://h3ds4.maconslab.com/3F8B8F4801BB825 http://aq3ef.goimocoa.at/3F8B8F4801BB825 http://fl43s.toabolt.at/3F8B8F4801BB825 If you can't access your personal homepage or the addresses are not working, complete the following steps: *** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en *** Install TOR Browser and open TOR Browser *** Insert the following link in the address bar: xzjvzkgjxebzreap.onion/3F8B8F4801BB825 :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; ***************IMPORTANT*****************INFORMATION******************** Your personal homepages http://h3ds4.maconslab.com/3F8B8F4801BB825 http://aq3ef.goimocoa.at/3F8B8F4801BB825 http://fl43s.toabolt.at/3F8B8F4801BB825 Your personal homepage Tor-Browser xzjvzkgjxebzreap.onion/3F8B8F4801BB825 Your personal ID 3F8B8F4801BB825 :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&;
URLs

http://h3ds4.maconslab.com/3F8B8F4801BB825

http://aq3ef.goimocoa.at/3F8B8F4801BB825

http://fl43s.toabolt.at/3F8B8F4801BB825

http://xzjvzkgjxebzreap.onion/3F8B8F4801BB825

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Extracted

Path

C:\Recovery\05jyk078zz_Wannadie.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 05jyk078zz. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A77D2D0777BB9BF9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A77D2D0777BB9BF9 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: kjVesNZgNe7WlLS5+SELBJPxrJkyt7HR35zNF9E6sO6XaWR65TunhXv6yAv8mvoo e/36yU7jGwx3tk1WWCyuruBtdAfknIRW5RnkaGRLZ1Rsl76GrSl6cP7ESRzu9JFr MEYS35VZvX7lH2mu3nk8qNXjQz1Dy26s19raJ4toFx6t1pATVxPq/txkj19lTWNz ulOuEdrNLWYStruEOpKNyzViV//hih/klXKCu/cIKsBSeniJ4dCguvWSEorL/iZ3 l1ehf+ZGUw5dOkuS1h7TCcKa3+GORVgOguOf5HYIG6yDYFW6ZINjNCEzTY91hyCb VXFfnl2ZZKdRuOxn/9Uo15pcs7vnuG7URtMiGVo2zhbNiaL0C6HnTSfAg8z4NT7B fH/1a2j6dab1Kg94dTRluJCoPYzvVkeE2/UCKStVk3sMTTuO5gRsXWkCzENQLM2r jUL+EepMhaLJa2hPgHiD7mk7Ta6KyjOVAP62faPIyEWGg+OV7kR5xKTfZ5osWa1y 5DPK4a77i2PsxWqHUFCf8CrZ/qPwU79iU4gRFwPkduswqgYLUYhX3v6XN5+hjgS6 kC/Xnzdu2aVJ4D8H0qgn6UOrO2DSf4He39finpP3cAsre9PbPIbivjOX4fH+6a+y 34qT48QzdifA/1k0blIF/RxiAUuAoz6svPDeUU72hXOoxjNf04g9POdvPoKsJUT7 Kr/pw8fbtWi69bAZAW0LwnfKws7zFh5hf79mjZr9LeIfZrMoDffxnKpAwwI/9uvS +knqg3COSyfnuxsh0OuRiNoLydPMOaOFERgEjq9HppbXcuWANHCO74jKgDkIVdCF gl8LqL3+E6wJjjJKXzYvFSvniIZwjQOo+OunMYTSq2/lfMgl/tPSkRKrn8/ypnHM wQIA49v/4SiWKl3Rg/T68C6LsjOJvig+NOGK16eq1TKDZIRkiacuXW8uox2IoUDI 9clzqPPrW3gq8hErJ3L2qSft2njaim9p0kH0I0buVZWkdx6m3o14ST9ghitdXl29 QRmsbesWWApNDUk/z4gbXM4ygOjYUv3e0ikZF1FM5WxcGz8LdW8mcPtOiwsm3BHI bIph/ESHGgrMbl6pFqFLGUEMf8fAyc8PBqiPrbLIfYIspejMvH6FcQf8KrGL3ecv oPlWyDUOqSImzm8frsZwFHLq+a9MqecUhS/i76IttLn1FVZK6sQ6BfbQPyFM7nez 7eh/sKN7BK/yeF9y2T8tF8On1OkxmbV9hJo= Extension name: 05jyk078zz ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A77D2D0777BB9BF9

http://decryptor.top/A77D2D0777BB9BF9

Targets

    • Target

      RNSM00371.7z

    • Size

      8.1MB

    • MD5

      ee791e896c5058c5d4a12cad2d279a85

    • SHA1

      6cb48708979a25e8a12eca2a32b2d9fbe5b15a67

    • SHA256

      81dd2aed2ac6ca4f819a7736d4aa4c00e76d89045bf9ce70f2359e68321fc664

    • SHA512

      12a37dd2bec8b9e7bc869eb6b928d42dc678bbbd5482eaae7f90c24d1b3b97500aefbe291d3f26125c4d10ebeb0f95cd4e9874944d429bd6c5f4e99d6f745d7c

    • SSDEEP

      196608:tqjKf+U5zlOvOVF9GLCNOopBvEQ2G0mRYjb6p+UP+x8vYY:ksROSPaK2xmSjY1PVt

    • Andromeda family

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

    • Detects Andromeda payload.

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Urelas

      Urelas is a trojan targeting card games.

    • Urelas family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (566) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Adds policy Run key to start application

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Modifies WinLogon

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks