Resubmissions

07-11-2024 16:06

241107-tj4p2axqdj 10

General

  • Target: RNSM00368.7z
  • Size: 22.0MB
  • Sample: 241107-tj4p2axqdj
  • MD5: d728ec40b45ff477b64c06d87cc208c5
  • SHA1: eac93b8463f9eea61fba9a65b5702cac14659df7
  • SHA256: dd766a85145f448ac53d6332470c564d49f434aeb3a13ea56c4823159462cf7a
  • SHA512: 28adba96fe00430b6a6e4e48b23540cc88b58077d38e7d6e1a3f9fa1373fa87d599d9ce16e4bfb83b3b18e5e3b6b940424b28fc52240c0841e144e0a6fb1a86c
  • SSDEEP: 393216:mEaxbeX1ozG2HCXS/3HamRok531B/02FsEp1M44JT3cdXH4Qh8j8cGwjY0hd:XaxyQG2iC/3HLRokN04p1MnJT3cp4o8j

Malware Config

Extracted

Family: crimsonrat
C2:
  81.17.56.2260
  111.115.6.118
  104.144.198.121

Extracted

Family: gozi
Botnet: 1000
C2:
  x1.narutik.at/webstore
  cdn5.narutik.at/webstore
  cd.pranahat.at/webstore

Attributes
  • build: 217083
  • dga_base_url: constitution.org/usdeclar.txt
  • dga_crc: 0x4eb7d2ca
  • dga_season: 10
  • dga_tlds: com, ru, org
  • dns_servers: 172.104.136.243, 8.8.8.8, 176.126.70.119, 51.15.98.97, 193.183.98.66
  • exe_type: loader
  • server_id: 550
rsa_pubkey.plain
serpent.plain

Extracted

Family: sodinokibi
Botnet: 20
Campaign: 44
Decoy:


Attributes
  • net: true
  • pid: 20
  • prc: mysql.exe, sqlservr.exe
  • ransom_oneliner: All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub: 44

Extracted

Family: azorult
C2: http://lanubeposada.com/cgi/l/index.php

Extracted

Family: sodinokibi
Botnet: 7
Campaign: 474
Decoy:


Attributes
  • net: true
  • pid: 7
  • prc: msftesql.exe, sqbcoreservice.exe, dbsnmp.exe, winword.exe, ocomm.exe, xfssvccon.exe, isqlplussvc.exe, mysqld_nt.exe, firefoxconfig.exe, thebat.exe, sqlbrowser.exe, agntsvc.exe, excel.exe, sqlservr.exe, thebat64.exe, sqlagent.exe, thunderbird.exe, visio.exe, mysqld_opt.exe, outlook.exe, mydesktopservice.exe, oracle.exe, ocautoupds.exe, tbirdconfig.exe, ocssd.exe, mysqld.exe, dbeng50.exe, sqlwriter.exe, onenote.exe, wordpad.exe
  • ransom_oneliner: All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub: 474

Extracted

Path: C:\$Recycle.Bin\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/2a0e2685bfc94857 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- 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 ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 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 ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/2a0e2685bfc94857

Extracted

Path: C:\PerfLogs\!HELP_SOS.hta

Ransom Note: HTA page titled "Decryption Instructions" for "SAGE 2.2 Ransomware" (HTML and script body omitted)

Extracted

Path: C:\Users\90g22xg-readme.txt

Family: sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 90g22xg. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2611882FBFC94857 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/2611882FBFC94857 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: xr4492IASGfYAYTtWebXYD2fuYw/r/hhxjd32Q1XI0BjVXylEx655E5fdmhf5GQu A3So9fJbZFQUOPO557Xnsl/U9cxrl9CxRSrAcqeSJ42ajfU3CNsR1P/7aoTaODrD PeIx1beTiKbC2FXCB3nt4bka2FcFFqidcvgdHEvm4WMEOvnLfOp8MzJmh89nniT1 mgiu5Kw113CVzBlMFWpZTSrM7CIkMXuEezjXaCykgKE2g7aSEa3waDx6QcRHN8Sw EOY1FCUmNU3adpjni1OKeuULxOSt13njGnMeNhuelHdWRPDogOml/451gcgwJttS fLdRhMKv+SH5eMBryt5SowPvHyND0o9j2v/+cLmpJejjoNd9JxvN8PHzWyvE2Net W69QSdpOlClmHUd3nrdeTwnJHo8mT9+Lti9e4GHOV9QrvCPT3cpRfcMUhKZabTQH LZOjYUBx1gQa1NfaIFo8AbSroMXILw+m4apNJi0wrUI031Q5sxsSENlkzSxnN+Hj RxZFWqTwA+c8yQCB0EJWriIOBeX+rYoFoGgGHXRtde3esCxaxRmKX4PwSZaLS9kC cYGqwwVTk/M0aF2hSYZflrhASWB/o7vDSUXQDQfm2DLvIe2vog/uDSenoantHujh q9vRjVrK7V5kXlaoBjqzuLFH7xG7ohUgplbqBYX3tf5FRowVYuI4XZanc58tGNUt EuZPDY+1DQnDg3vBA6SANCyqkmbDHBxqnCs1aJQ46oKBhow2iMkY/SFJAAhSjs5K CaEV7axFYy7vvm3TsvW27Y4Sol5GF/XeurMVlaYPCXffr1P9NSxs6BBfMaDijUQT UNEm1nm0OF4FXoh9UWLNUXwSsaFEKO61oBsySU25lXexJVoJHI7zmoponNek210a v6pmoUmrqHXJT2TgW2tKDWsaspL/427uWiEg2FUZap9nJ1fb68OBtV84+i1XiljC 8hOyN4eNNmjvHi08//YXxCeplJ6CgQmWuIxxJKNmcW97Udd9EDaCPlDdywmujlbJ ckuUDWWzYdUyCe+SzDB0egVESptX2ZcpQAjM0GhvyVxS1UfUbJWgNclh/fNwyx/r 6YNunRl78We6ayonK/nqaysfFmeYb0gL4Z98xb6z2Iw03BMcSf8rNIm0/4GvdDgH xdsffvaLo+JCzjctDiU5mkQFjZoPAFiQjMshO+1sbDpituo5FG2lyv04UEcRW84k w18TCn/Tt0MrwQ3h4SMDZg== Extension name: 90g22xg ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2611882FBFC94857

http://decryptor.top/2611882FBFC94857

Extracted

Path: C:\info.hta

Ransom Note
All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message BFC94857-2253
In case of no answer in 24 hours write us to this e-mail: [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
  • Do not rename encrypted files.
  • Do not try to decrypt your data using third party software, it may cause permanent data loss.
  • Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Crimsonrat family

    • Detect ZGRat V2

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Emotet family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Gozi family

    • Modifies WinLogon for persistence

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • Sodinokibi/Revil sample

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Zgrat family

    • Contacts a large (7891) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
