General

  • Target

    RNSM00364.7z

  • Size

    14.7MB

  • Sample

    241107-t2rs7aykcm

  • MD5

    e06f8014237bfda194279e651dfbfab2

  • SHA1

    6a56b7cac0d0d80ba621175f894075b35c83f074

  • SHA256

    3d045e21f0acdb2ff12903a57efbabf302b8ffc4bcf1c0e328837dfde5e00ec0

  • SHA512

    455278347b3a54ee0c78b68fd17f1449d69b6557707e266f1be03abec6ed417e8041a7b3f010469fadf3f1104f2ccb437b6b05625b8f7b18fd5a10acc781b760

  • SSDEEP

    393216:MDGRp+OCdCFXelJVPbkgg0P+Fuu2B0ztGorVeHHYE:fRApEgJVPb9g0PD7qEo0HH9

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1805

C2

bitsupport.top

databasecollection.pw

carloslimmheklo.at

genesisgrandergh.at

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note
Greetings!
There was a significant flaw in the security system of your company.
You should be thankful that the flaw was exploited by serious people and not some rookies.
They would have damaged all of your data by mistake or for fun.

Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
Without our special decoder it is impossible to restore the data.
Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.

To confirm our honest intentions.
Send us 2-3 different random files and you will get them decrypted.
It can be from different computers on your network to be sure that our decoder decrypts everything.
Sample files we unlock for free (files should not be related to any kind of backups).

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.

The payment has to be made in Bitcoins.
The final price depends on how fast you contact us.
As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security

To get information on the price of the decoder contact us at:
[email protected]
[email protected]

Extracted

Path

F:\GIMAE-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .GIMAE

The only method of recovering files is to purchase a unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/20d13593c99f91cb
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
[key data removed from this copy of the note]
---END GANDCRAB KEY---

---BEGIN PC DATA---
[PC data removed from this copy of the note]
---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/20d13593c99f91cb

Targets

    • Target

      RNSM00364.7z

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Gozi family

    • LockerGoga

      LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.

    • Lockergoga family

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Contacts a large (7717) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (107) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
