General
-
Target
RNSM00372.7z
-
Size
19.1MB
-
Sample
241105-1zav8aynhw
-
MD5
511191aa5b0b84b16198a2fd8a1a070e
-
SHA1
1d1e618dd3ff7c16cf50177e5835b93236193173
-
SHA256
08c542e9381f386139d8313d0bb3d7a0906ead3cae228a075f518c18d7950b6d
-
SHA512
48c1f3a87618e9ce6038aa0b69091d8caa29dc63c0ef60d93bec63a990c9244d552c4fa119aff579145f5ad8c971eba361e186a485580d1d7a1ec9ac84653c34
-
SSDEEP
393216:XG3AJY8au5+qpUSohVYxdM8UZwY0pG0sDDqKnxp+fAVbbz2mwGQy:4IY8qqp1ohOxdswYoG0uVzMGl
Malware Config
Extracted
F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\MAETYEJZKR-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/a92a34d708e46a
Extracted
azorult
http://inixnetwork.xyz/index.php
Extracted
sodinokibi
7
474
golfclublandgoednieuwkerk.nl
glende-pflanzenparadies.de
blavait.fr
sjtpo.org
trainiumacademy.com
vitormmcosta.com
guohedd.com
reputation-medical.online
pixelhealth.net
bluetenreich-brilon.de
smartmind.net
breathebettertolivebetter.com
thegetawaycollective.com
cainlaw-okc.com
slotenmakerszwijndrecht.nl
malzomattalar.com
premiumweb.com.ua:443
iexpert99.com
mayprogulka.ru
magrinya.net
-
net
true
-
pid
7
-
prc
msftesql.exe
sqbcoreservice.exe
dbsnmp.exe
winword.exe
ocomm.exe
xfssvccon.exe
isqlplussvc.exe
mysqld_nt.exe
firefoxconfig.exe
thebat.exe
sqlbrowser.exe
agntsvc.exe
excel.exe
sqlservr.exe
thebat64.exe
sqlagent.exe
thunderbird.exe
visio.exe
mysqld_opt.exe
outlook.exe
mydesktopservice.exe
oracle.exe
ocautoupds.exe
tbirdconfig.exe
ocssd.exe
mysqld.exe
dbeng50.exe
sqlwriter.exe
onenote.exe
wordpad.exe
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
474
Extracted
C:\PerfLogs\OQIJYDDDP-DECRYPT.txt
http://gandcrabmfe6mnef.onion/a92a34d708e46a
Extracted
hawkeye_reborn
9.0.1.6
Protocol: smtp- Host:
SMTP.yandex.com - Port:
587 - Username:
[email protected] - Password:
Ilovegod12
649c2c45-aa3c-4919-bf3f-8e3624fcf690
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Ilovegod12 _EmailPort:587 _EmailSSL:true _EmailServer:SMTP.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:649c2c45-aa3c-4919-bf3f-8e3624fcf690 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Targets
-
-
Target
RNSM00372.7z
-
Size
19.1MB
-
MD5
511191aa5b0b84b16198a2fd8a1a070e
-
SHA1
1d1e618dd3ff7c16cf50177e5835b93236193173
-
SHA256
08c542e9381f386139d8313d0bb3d7a0906ead3cae228a075f518c18d7950b6d
-
SHA512
48c1f3a87618e9ce6038aa0b69091d8caa29dc63c0ef60d93bec63a990c9244d552c4fa119aff579145f5ad8c971eba361e186a485580d1d7a1ec9ac84653c34
-
SSDEEP
393216:XG3AJY8au5+qpUSohVYxdM8UZwY0pG0sDDqKnxp+fAVbbz2mwGQy:4IY8qqp1ohOxdswYoG0uVzMGl
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
GandCrab payload
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Hawkeye_reborn family
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nd3v_logger family
-
Modifies WinLogon for persistence
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
Sodinokibi/Revil sample
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Contacts a large (7733) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
M00nD3v Logger payload
Detects M00nD3v Logger payload in memory.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Renames multiple (315) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery
Attempt to gather information on host network.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
2Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Discovery
Network Service Discovery
2Network Share Discovery
1Peripheral Device Discovery
2Query Registry
6Remote System Discovery
2System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1