General

  • Target

    RNSM00374.7z

  • Size

    7.7MB

  • Sample

    241105-1q284ssjfk

  • MD5

    c63f53079f272724aeac535366e879cb

  • SHA1

    948e3d55280499eeb6c265f63a8bc7b9dc12ffed

  • SHA256

    46556d30b37cd555be08b1de8e585f8f8d86322efeb1e2ed14d88a905b04d73b

  • SHA512

    2f6c6175a7d6a4453e56a9a440224c2237c3755f279d91aecf2cf7062dae4e282a401192d2d6f4a444ab48b8eb1ec701d38f74a755be63159edb4dd21e02778f

  • SSDEEP

    196608:M4nmnYeVX/6F3PsG9oBdaeBIYfQ+PqLDq47eOs17:pc+3PsG+6CPqiJ/

Malware Config

Extracted

Family

gandcrab

C2

http://gdcbghvjyqy7jclk.onion.top/

Extracted

Family

sodinokibi

Botnet

28

Campaign

1356

Decoy

Attributes

  • net

    true

  • pid

    28

  • prc

    winword

    tbirdconfig

    mydesktopservice

    agntsvc

    steam

    wordpa

    mydesktopqos

    ocssd

    thunderbird

    excel

    dbsnmp

    xfssvccon

    sql

    isqlplussvc

    sqbcoreservice

    ocautoupds

    msaccess

    powerpnt

    infopath

    ocomm

    mspub

    synctime

    thebat

    onenote

    firefox

    outlook

    visio

    dbeng50

    oracle

    encsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-wannadie.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1356

  • svc

    memtas

    mepocs

    sophos

    veeam

    backup

    svc$

    vss

    sql

Extracted

Family

sodinokibi

Botnet

19

Campaign

312

Decoy

Attributes

  • net

    true

  • pid

    19

  • prc

    sqlservr

    mysqld_opt

    agntsvc

    excel

    synctime

    tbirdconfig

    mydesktopservice

    isqlplussvc

    msaccess

    visio

    thebat64

    dbsnmp

    mysqld_nt

    infopath

    winword

    sqbcoreservice

    ocssd

    sqlbrowser

    wordpad

    mydesktopqos

    oracle

    msftesql

    thunderbird

    encsvc

    steam

    ocomm

    thebat

    ocautoupds

    sqlwriter

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    312

  • svc

    svc$

    memtas

    sophos

    veeam

    vss

    mepocs

    backup

    sql

Extracted

Family

sodinokibi

Botnet

19

Campaign

96

Decoy

Attributes

  • net

    true

  • pid

    19

  • prc

    tbirdconfig

    onenote

    sqlbrowser

    firefoxconfig

    ocautoupds

    ocssd

    thebat

    winword

    mspub

    dbeng50

    steam

    sqlwriter

    sqlservr

    msftesql

    encsvc

    infopath

    mysqld_nt

    sqlagent

    mydesktopqos

    synctime

    wordpad

    powerpnt

    outlook

    dbsnmp

    isqlplussvc

    ocomm

    sqbcoreservice

    oracle

    thunderbird

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    96

  • svc

    veeam

    backup

    sql

    mepocs

    sophos

    svc$

    vss

    memtas

Extracted

Path

C:\Recovery\qh600s-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion qh600s. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0FA58F67666807 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/CA0FA58F67666807 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: tZvVd73KG0w112/thAhcB7GowUICnD5+RQ1mmDXC+qsQ0ruMcg8/NV9vxL3fT9UA 1HlF18bcs1DURjJs1O8NbBqV6Stavo3FxFrQvokBV89Fe+GFL6ZBhUBopWevuP3K S7aa8j6PGu2ZDGKo0l/OEK8650WGUaYJXba9LlcPO37UxilLdAxFIu6aTVGMYk63 eD2hqX9FtZoPXF1kb5q6dwqkdfS+FrLaVLRjxqp/e6JiTZO2JA9bjDuy09XSijq3 1OOOl6BwyQvacF3ajgDp16gQh0ZmIV3A15k9G8txoe8RFZchxSmNWZ451t+8OuTH J01cgPtc3qve2XdLXqxdarp2QqygntMLcoxWtc8nho8pkHkge+9I3kB79hlbOqcR 9YeOIlSRKYwSd0mtdXoc6whC+vi/k94VCY91TaXgiqCFBqPVoyBnNXWEqCQLNPnY MCKILD3+RCyYJvuIAicNVPUh3G4pugcoczssyoIFgZGMkPadA68edSsNVqcqlwCU jLCg6XYTdqKaxcQp+VXzdT9N71SgNpZnJFn3QIYRyGfSskWw3tiiC+WL6FX4+gHn Jn07274eXiDTBpadHyNBURFiU4Tm7nEiCVdxlb92Mnk+8dNIOPHl47WqaorbCyjc S0zhgvYcDrASJ7DiLhwGXFwgt8zrjnhK6h6Xnpvyhrp+B/JZEhYbsaEnQNSE15Vw gZGvHA8S9giouChsKa20sWZzxV4iA96P/nP0pze5hKt4xENZZKjdAKtdEVbukNP1 FdjaBKG/4feuSxoAqgpNUYVmUUzb0XJpBLjYSH/+XipqYapccu/mdIQpsMLO7ayy pELpxMfC5f7itPye6FuoxcLPM91XfDjHLK1lKdlQBik5arylS3a9rhhY4f+SFG2h mfFGvKlJufqaKztRdyoASzbIEGRLetObSk4tY10JBhM4vtcw3qsNHvhEFfuKgKJh SW6rv+GXr3bMoNAc3hbDOk1g4N3ECNxW9hq1P8/IL0Titb9uP1U46VhYmaDU9l/r MzZy0HqHeWNyNlnP0DGJLRuWMuECrgq8BxLaC2RUoF6KQuRuto1XFYH4biU7qWNo oL0Ug/UGNRf5EtV3PPx9BXO6D6R5u0J96uI/ijNs2DEvU5rXEFbWJWdlw101b7qx ZC09JuYwskRBL5Cxr7JZJ89hHM1K6kPwojP6z5vUhgyP5qCp4gaeozrrMwlFGOlK NEZ3nqIITmlwInZWCk4xbw== Extension name: qh600s ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0FA58F67666807

http://decryptor.top/CA0FA58F67666807

Extracted

Path

C:\Users\0200u43-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 0200u43. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0FA58F67666807 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/CA0FA58F67666807 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: AJjng44cVylqMUCxL33IgCC1MftFsKpCCmxnKsOuh/N82TYwV+/87Jp+5iHbKnB/ vUktpK47qBisq7Pg5aZk9jRzZ6j5LOXsixTTRLLkB5JvMik5ifqBNntFBqvcRvg8 LH6+vHTSWLCey0BcXqfnP8o+UHktIkrZrolucpGyGQz2Kbi5oxglhi2Tz9KF4pHe zpEE0SJuef/4A+9zlKjsUuNt4ModLRK337Qzz9T4a/UPW3SBIG/4ZCimyQlQqqXO v/lU67+NNFBE2OUDfEAqy9Hv+TFRdSHhvqejfZDCK6GXTdDJaLj44bMTlVarYr7E bhzIzzA08pvHjop9NQxtnVeFs0E9QOFGk+Mn7l4/lQih1xi/zIBL2lovW0Dm+8vw rDCQkure2WMjCtYGG1ztpxK4GZAIcWPB6d74BZaH6WvffEL0GYC1UkVcdeMCRbhy gXGL8ZsXnT9LAaAOsyJn3QvmfduG0v8pmbeKdqWQfx8S+crL5twIUpz1qlBxmbl5 YOSUM5M7n0P9PpDqCSLFQApw+UYJonjw33gMDzFK+EzC4JnnpxqGuZtnLo7GSrkC fHl7piJBPaIz9BGpjjZXh/BsGmWoPLbzKuyumMLyK7KDRLSeuKCMpRYg7Fn1bdwO GRMz9wJFRntFnvbEH8F/ox/dTN+mb5AMya76uJhRtm1MVvgHNP4G9Eoq940vKRPu cdlMhAOtN0vf7YSWu5e9PMZS81/6cmM/j4RjzCPP1v+VFDUruaV/VCqF/hNvUUMP NLoB/ChYIowdaG/dG34EZWkrkdUlLX1mMSs/D1qErbUsupQGhk1lmBx3OHW94I7Z OwGCjuvY6r4Dgpgs37ExkXtzW3f7kefcEPe80AUngolckBmUY20jxtjzzD45rfkR 5u9ITktM+EIWY1Ou5eQeqSthByVMO1rXySz9hagw0Ekofea3Z1ZcjLYhetBciQvY 3gHrjqaXvI+dZTYeysvkTCW1+FrcG5LHPG8o8bPuTcSCJzhmbDnc5/45vo/AR+RA T4aVGlH1K4Rn/iq9f0w48NCEXnIAA2Ybgn2I2wSPpLBkhwjjEt+nXUhhs+1rRglk hk4EgeMu9Rq/VE+e5oK6QYYsjwJcX8VjI+Y6z3zkEluuswRjWp6ihBkZqveAVXqh w59yvltXm8xjbowmMqN5T8SZOF7WQLT1CSYkNz6tvevfVT30OfOB7Q5GkgVego4E RxgHqBkpF3Lwgu8dGin6hA== Extension name: 0200u43 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0FA58F67666807

http://decryptor.top/CA0FA58F67666807

Extracted

Path

C:\Users\m5r5p-wannadie.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension m5r5p. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0FA58F67666807 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/CA0FA58F67666807 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: xwWVW2QMakYTBSbbXStiUJOPNdQvl0fBTTpF6eI0dKisRvcC5gwAN4O+mhSZdF0k WR/LbY7in//uirOpblMLDIK2Z3K7MEOAcaRKG58Ww3n0cpHBpzFu957RfTIfrtl0 BhdOCZm+IVwLXGngi/rAr215z9je4jzYx6BteTM8ir24qVkmaElHlVrU298tZ1e8 2B3mYgCkWCuQPMsJ/Z8ac6ZtIv86QeQ0NEMalsiZLv7HvqpIK/xRw6eWmikAeeGf 8UNDMVl5O/H5MJg4KnloeXkQw4f9YIgbDPSIOvafzBJEOO33zFMg8q54InjGoXuF tbnkTs6bLj99xY4LbbYRvn7KW7IHqcrW7D3kqyLXvFh5gyG7P+tOY0ACLu2PR/W9 cqBeCFAA4yT/QHki6RjsBka91OnnItkKobJLnMKPb9IO9rHjeC1oj8CCIAdzh9Wf F1ZLhrx55d5X4A+2vtBGld7otJg+J+l5YFr/0FDVzZuuQ5iJauKzv7M2cjnHu/As qWMb72WgUS13Wifb6Tkg3C4kOwawrkv+rO6HoWx6obv1/5IWDpzNkayAtorsIRfv EWuDYbH731aUDvNZHbaZuEQbmE2lqfpIWt4kNPq/Slp8iWvDzi2U7ehhVuQpWyc/ u34Pjbc6dG3ItjMIjXk2enTX3f5g/+OfuRfRCvsrQzlqoamFXaXjUeShEu53/Zf5 VBGI2nxuVIZx2pDdHcV102Lxi4jZymtptYUl6pwo7mQE76YJ57zv7eWyCKhAnwYl mHYO16fcENxbHvqbBiyLTNyLGALFjc2O/sNkhWC+ZdZTZVKNGzw3k+SPoKIrQ946 vco/Wm2AOLgXemn6h8u39OZx1VSF+DO6ZmdujTW9Ju+2saKYTEhlbk2/T8Ue7W9k /jPIBzaa5yn8YjTTSm4+mT5mh9LvBFUXyLFNgAL9pDkhm/+s+YfQME7EP4u8pbDp tIXB3ZA/WiONG3PLIGkbpQcivwbDGMmWadnDMMtWHRaRegtt2Jgo71AvwM0aF4nu G0hG9aAsMRfXH0eogVXeXc1d0/BWbOTjnuZzr+ZDbIpplLUoJfzYDhY0z6GHHWiX x49QexJW6jOgUoJppW4fv2rO++yP1/zXF+0cT+I0ye+1TZoWmm2wHKOIUAZcngda jQJBp1UDgMzv7HgP/aT41OPeDBmgS/uof0eD3wSE0/NjQy/PRvNM5+GLC1pDxOjC +eNrxR7dl2VhUsuBqN+Diw== Extension name: m5r5p ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0FA58F67666807

http://decryptor.top/CA0FA58F67666807

Extracted

Path

C:\Users\04d6g7u0-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 04d6g7u0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0FA58F67666807 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/CA0FA58F67666807 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: leXOb7qbKxbuGxXw0aSywfKVcZoWaRCCmDfDnj8HOJxCbcExjI3GdFzo3j470rhn pF4Sem9LqesPW/aBcWn0U8MKqsN93mY7SjugA/PP2Q8EiiOh2IVT5FfgFxvWVW9t 2tMuXCn+Zejpo3qTf5NVHvUbuXP40jCmd44RXupcRUbPqNIE+gX+6cuIObhLZuk5 8NFBk1C88aubHOr5YoJz0muip4lmlUr5Pj6Z+cplh8S4hQnSW+7zRIOuEHTnd5hU Uhlr6GqwGhKu1ZuA2KuJ6Ywrn5EeiaB79WUupR53pFu6daFom/AKaeeS401Mit0d vcCNZ4LaLuqGVVBunzd6HegTik4cbDIf/tQv95QorTwEIyJGmu3Ck7xONeV33wSu TL1NSIL1Cer7Mj8OjeN4lDx8XTcWVlEZSUwkyi1YPc2wxdzFDKWtK4HrkHMMCn62 8n6u5fPxGbrUfi1GhCaK1XH/M/ZfCgTcnylRAvJCfPxpBbPkfxZXzLdFwrvpk4hU wpBsdlzCIa/fB1fqBz4Ag84v7FqAfTv5mtGC68aHiFG0bgnUY7z7JEkeoFSkXKoO l4OCHSOYFHDfkLT1LLjtYZ+XfQnt1RYqzALEWyKYUBC+8yOstCeeQw/hYicHK6QR 5aIAHEp29gyPDRob4i36DuVoWz+n54FJiZB6g28NGPohroerJtZ75j6iavK8xQgD UpSRG9QPg0r52fjqbhoVnw/FZcvMiuhp/xD+E8JFp3FqJqJGQ2RB69iGwKdERTXk UnkU/n5LdgfxoM5YiQPb9dJtUhHTzM7EyEN6jWVZcnQbCYVS7HFSjIIR2Fnt5B4X SU48fm/KT9nvakmZgAFEGY38X78scAvd2n3OPr3u9gVNfHkGI3SSvM3GFGIoUfkE 4FNaOZ8l5QWESAxOyYZunZfhK0/f6ZXu28BLTeuwehuVYA2WOMQQZMJnaho6pLUM fNXYG7nrExlTiZTUuKqcsmmAuz2dLHlxYoD3CAXhgUyVB8PIw+j4KvNb3vJsCG5B 9jxzt5EpLk8OBt8a1Wrl30ouIh/dDay8MoxuyeDJ8wBG0OQf3THCGSDA2gdmFFDI iNn8MshAzdAYOD4arOMxU4aYB3qjZ7xgKc4bjb8J4j5LRtGzdLAtHKu2ZlypcnAt NAdgPGYAd1Ux/+9hxsKLcQFrBCFPNgemPOxSg3Qm517TDVPKpFwVqdXrtsLeu5xw lRntn8TlXvGmlH6IJYQ63nI/tDw= Extension name: 04d6g7u0 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA0FA58F67666807

http://decryptor.top/CA0FA58F67666807

Targets

    • Target

      RNSM00374.7z

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Emotet family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Jigsaw family

    • Modifies WinLogon for persistence

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • Sodinokibi/Revil sample

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • AgentTesla payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (190) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Downloads MZ/PE file

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.