dharma

General

Target

RNSM00349.7z
Size

3.2MB
Sample

241110-s6x1bszcpm
MD5

ce578a409b49e9870972305ceb6dd82e
SHA1

8586e31e8289148c3bae3f11c342fe76a59eefd0
SHA256

22e288606f23126b617631adc3fc32a6cda176ab79b71f8b922a76afd283a931
SHA512

110b872a9280bc093fe64e6b799c16982f91cf80eaf44670d26f55dde091dbad8397f48b78d72c3c3c58c2c9784826c7bc19b7a50bf7fcca6d25ab3029554dba
SSDEEP

98304:P8Vo6nO7LpfAKLRPQDLvpm3gXpr62wF8u:EOPZRMLvpz5Wsu

Malware Config

Extracted

Path

C:\MSOCache\UEGMLNUIY-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .UEGMLNUIY The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/7800bb70bb4c78c5 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAALrMTJcuVenzuPrwzrx4CshFCp0RzJYTJ1jLpOLfCM+TuVW4iYSqGfO7IpwRE/YcRHGtqn5tVJIWuHWGq3LSK4LCYY8SkC1NnZZgDT4yhbn+AMY0H6JDkS2B/IbzaBOqbr001+4gDzjhevkBQ0WQNCRoMPffr1sXDdEz0AFw39NvBuhtbLM629fDqw8VxABJU2P62QLHzlVTS2Znb1WjbGaBzh/Jafj3skeU7cx+mTIJTXqkn+YxOgAuK+4KGBv+TwNkVZ7YBe+UdeZAE/CRK0YxJc7xLhKvPl8Awv7gRW2bb/lFfeSQAZpD6CJbRHAi9NXI/66wIkRnglGysq5euFzxz/9YXtd39/h39GhcttHeltBtHARa8Wi5lHBzBTP112gHHAKnZHuDcWA9MwOKlcLx1Ibpu8qdPt79Q3YKp4lE9vJkx0lQ6ACJutG0dBA5sU/f4ZB0rRaWQ1FLb5PVVCN/m5TMkGiTVQbHwCeT3XbVDZfIS0CcIcUOitWlKBrlUr+EkWTVSW7RIL3juLn64cpaEQFsKIMI1JIkPEkyprij34u0/s5RCTEAM7bStXvLEXiCmUEKFHXnvzj2hZf8nOiAB7mt6iLvQwbpXcwywA7NNgaZiCATA0ghblxikDW3SP9gMzB3fC6S3/VlZbcuqoJEON0t2+qPubQAryv5Pu9aSUfNXrL5CKiZ88fUnmzZZ1O7tW7Eammm/Fsuu/PoVo34ok6bIeWAnzax5lLIkFxPw20racbe+KIJj5Q7YZ5MmHFk1xvvCUl6RhzP8W4iv51uWGQMHKgKVsqDhw/4Io50qfJMxvE8o+I9bYOtO3UltM8q7hsOMLLWVvMXhmmvW3dPP4xLuvxPj0SSFeEIK3v+7hFtGpJTMm32HOKh5ZMDJghm8PtIIfOtF0OZgVQxVx2JX9jKHVPx+kVxEcKxWKPkyShBn2VADl/uQGWY0Mzh3qGt5jUsH0yzSr655UVgJTNScTzuZbXqpMZqxhMe0pj7FeiSImzZcmyp5QW4O3AzXUEVNHF6Tg9giiliNTfDKh2UbmiaPbJA6o9EqkOttBdFUQvYenrHR8Rb1mpEaau0RPWhgeQhX7iEKcFBOEDDaNSVtUrlPHbdk2ZgtL+vcZaBwfrZedZI1MOwhw0jhvK6oTuzd/Zynd7dnsQIjQf/ussObrxNOu6Z7x8wVcjy0ymIh4ZTwBehjGOVjOJI6uog3BtGKJvnHaiMprOaK1z1HdDZlIweCk5svuyMlJQ0qzlj9cWZIKkfM945vOXKRRWequJaXFr/XtznVXQdHVU5q5/XzCzEIxwlJtIDeG9fc7fjV0g9V+zPVCq2nraRNfhVVX8hpe+YIOkdvynRwKmdqtW/gWyk2rvNzJ+Q+9RlZmovcQFc0A/AeJLhQxpUD2q0F17a+g0gI95N7K/xOkjWhbPtv45ACPpsmix/PzbRxVamTLDDtXa4YRq+KOin77bLYJBlcV8oO7xvKy1OT33w/DvTgFr101x1FgwuUgLFh4shg5Yl/YDYvwPtJUnt1RPs2WBfOSqa60kjhfhQQED6U7LR+QqfsnDd2E0kqUxIMgYWSGZ9VSdFF3UBykeseOBUsWhsG59/OxVT5xg3B5IWhKTmhQvPCcEuwR2sAo5GD1Tgjc2naeg7Yd0MBiNm+BmfFOUQR0Q9uKzMpbYnEvxbbvjGAL9ztaXT7HqkKiIHi29m14drZobo7L+5szP51BGl4rzTDO9lOE4avCfWxJ0CmLOkLJQ+NbpjjDTFb4nhNC50qeX/9Yb81QPMkD0MuLhsmcL74QRZuw4x0jjcXTCn17ydaFwFZTw74f3Fetv1hcJx5lWhVVNPS1ZVhuWbpeWZLPjtVZbvg19VyJj8IyuNdOI5Hspma8KIAlGB7pG6CEe40V+Msv76rx/mYdTJUtKdMcB0C7lGe1m6W/SfnsVBZ1pcntjjXojuM6JiEPy1XCgwdVI8/v1JKaIWHrGXR5an7J8bUL5VIe905m1rr5SYJqQQnZlUS3Uc6hy6QunJctKE6f9G82QL0JYf/k9OeM/5JlgypUuu4odyY3x1CFhQnjGQZGZQUgXsf7+wmOgNZYu2dPjeskOKd1dMomTJ8LWjY9uJT19WeYSDmRMXrCqY6dj7fnlQ5JCLE1JYxzAt/QBjyLAJzBUtbp7+rnEABQhNoGNmOnuVobzbsUZEo9jpMi9VdFL3XwkoLAwAkQaPcJBn8hXxfFt00L0XicHc2zxS1Ni/Ymo= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZaTo9Rr3YZ7nZWvbfZTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi5LF6kUjB4OL2/zQ2FusmGolYPlqHBnTtqhHeEYobpCcE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9KxQ7+Zi7pCxFF3vXLN+at1wYZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMb5H3Hp8Oar+NRZwP9okRV/rusrPFzM79OnYMh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhPlLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/7800bb70bb4c78c5

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

wetareska.com

bergesoma.com

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Extracted

Family

nanocore

Version

1.2.2.0

C2

lawwena.ddns.net:9874

Mutex

bfa89e19-b489-4adc-ba9c-0b3f79e0dab8

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-08-11T22:38:12.268048836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9874
default_group
New Logz
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
bfa89e19-b489-4adc-ba9c-0b3f79e0dab8
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
lawwena.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  RNSM00349.7z
- Size
  
  3.2MB
- MD5
  
  ce578a409b49e9870972305ceb6dd82e
- SHA1
  
  8586e31e8289148c3bae3f11c342fe76a59eefd0
- SHA256
  
  22e288606f23126b617631adc3fc32a6cda176ab79b71f8b922a76afd283a931
- SHA512
  
  110b872a9280bc093fe64e6b799c16982f91cf80eaf44670d26f55dde091dbad8397f48b78d72c3c3c58c2c9784826c7bc19b7a50bf7fcca6d25ab3029554dba
- SSDEEP
  
  98304:P8Vo6nO7LpfAKLRPQDLvpm3gXpr62wF8u:EOPZRMLvpz5Wsu
Score

10^/10

dharma gandcrab gozi nanocore troldesh 1000 backdoor banker collection credential_access defense_evasion discovery evasion execution impact isfb keylogger persistence ransomware spyware stealer trojan upx
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Modifies WinLogon for persistence
  persistence
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Troldesh family
  troldesh
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (302) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1