General

  • Target

    RNSM00346.7z

  • Size

    7.8MB

  • Sample

    241110-tgeywszhja

  • MD5

    dfcfe5e31652e77e5ce8e1147352b153

  • SHA1

    72b3a2b3db894426a1a31606a475aede7cbe546a

  • SHA256

    d9ee637eb3e5c900c4997f3d2dbe86883a86fa32064cf9f29d227fca7d9d429d

  • SHA512

    7d1d4693c5f85c354f784814b51ec955a834eba6e0d063138ffbaaf3ac7c7ca9dcc69cf90b1df6cff9edab9505e48f79ab4c05ba39f83da43da526ef92dfeb1f

  • SSDEEP

    196608:YFX30UAEo6Pd5lpAYoP8J9sTVPjz3izEbKPCHuvFFioCHr9nKM:YFX3plGp8J+TNjTizEbKPPTanx

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    osimiri@yandex.com
  • Password:
    strongnetwork2020

Extracted

Path

F:\$RECYCLE.BIN\SQAEVMXZ-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .SQAEVMXZ The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/1786662e82c401c | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAMVk0buegYqDAAmGTQlc4S4OUAj0reD737lc0moJUItInxjdq2EBbkD/pDUP3/0cNBmam3bt0ux7S5Ijc/pPC/aGCsKCmpNzqugizS9aYpUK5n1XPq8Jnbs9E0asZ3Sd1ws7GsERMcV4EzHSxH7MHW/O54S1OHfuHTXHwKq7XsOjoPvsQP9CnIn9zd5BCcg9D1bL4HXv0KLb7akG3L2zRPBilF5u//JG8IlLy5Ra7pJCkToKUvc+Fn+br+z4BhjJOxmKIWAxIzx1Oa38tJvj0yXSDezsT+r4sZOjVSSzIUsEDHX4zSLh3xN5gkRaBNzMrFYipoz14MiQxw+kDGos0j3Dws9guqrR35ZwvPb31gbxiYOIoiueDP8pp8DjhTH32PshGtvImirSt17HaD29VaSpilsetuLD7ov2wqT6MLHXyUTQGOiKV7pt/bA+e9CDKt+DBaVIhTgtmv3PkATNfkdgt7jUJUmWHY5CDGTyTjmnlOD03aZAJJvK2uJS6ntkJgBMZVZpDyAKYYTp+y9scIBHJGJrtOW/9lnXU/IV5WeOR0/68kyfYNIUWoPyLDZzgJsVNU8a+aWlenGTdheaUmF93K+UGzyOBG+P6+OX6N475VnFRT5BXsnxVdYn8SWo/iar47o8/DFr4hRYsC1GlBQAPL8qlsJ2+E5k2DOlcrUJhxo2AsBwvKTXMOFaxr1uSzjYhJUe4Ek0LF/3K7B9oZsPV1nURGUl3nKWtIfGcTZBztM5ZXtkATimfzg26O/Vs+un/LDYvP76XMt4tjNf+1hiMdoYDX9ZZ6QcDXtsCwlfJ8/MPgcO0Ak9GUcMO9wpdZLN8ep9LD3GZOx3PDOceWUr4qpdyN72t6MbLIHfRk8blJztlrq3wfzCmN5Y+Wg9W0amcH7rVE09PWyM5A/xxqD6GZBxVf8TJJVBfF8diaanbcOIX73F5iRBFvyP4bOWrCYVfY/cgmNt2pu71mCAQKvX5QnK4syYJtU2MX8vTPzyFQSrjUCTiTxGvcui70P7Wwn7+2MuXIMAqhqwyS+ydUim0rzDWF5PfJTO1kl4w/LytpQrJpEruoxubYo105naLtSCkXjWmwPQLlE5A0AydafyfDQ6kTBnRTIdPq1wz7NSfvFCENO2S7hVQwchOz4goGA3Ms1y4MU6j+grz29/ZCX1+QSQaawVLE7aaUvb2rzUVnj8iuQppx5NKmE0kklpk0rNqhZpI0+44xaqmiZGzBRL17g0BnO4PMdpgXmPVCHYPcMH7BW37mRSuGvbqhpvev38MR8e5zs6vQJYQCSLpncsORHtDQymQhNHLPtUmkuwl2yE6gsCcpEgtPsC09ynGbGkdnhb2Sj+IqHwSgBRQW/wAPmBSnsMkt54jVj3mLkbUZWsq2wCqSWw0z6E3OGQDNK2hOkGWzHHydCVy48/JK2/XaFWFf++J7OTentZKAMYblGT+pFB3+e4zpe9trzdPFzQZI+ScAX7g7Zr8iuDPcYL8iZoccK0Vupm+rqZydr+GnlF1SJUwGp6rn/n3tkPRiUlRYsMY3PiAjRORD8YMurJ+F8szTTgVBHUCrPQvSQktlUmKESgW0Evrf/LmccU0p93eHq4lITIRjHSTQol3O+wV40uijw/hYx1/sBaVaxyAQKagZHPU1ET0KinXEeLK5J7SwUX0EWk6pL1FPnjQa0Vrx8qFUjHQjUnXfST0IIRILGn3Y0OqVGGx6kI0OC9t5gHFNxl2M7tkdoqqUx+zQq96QDfnUtJgRxLA2ggCcGwDnWZiXqyM45m30fUOlaUXTZDSZ7YROHAucTsBEUinF9KD9G2kiH/2NM5w0Bg5bFBQhaXkiMLAFH5dkhu5EVIH6uhcKhRZcnINvCNeDkSolRqOlyZR44Z/JBzSnhXvgVHEav2o9bMAseQ37sRBRSJ88t9oWK4IBRfJyAIVRKWRoSXy4QzVVXeO2+3Bifrn57ZZMRU5LF3Y0ee93yuDwd7UpKrBYr6Ap1wnqUBLXSomJeRrd9NCG/l+TdAlk1yxIHparJ7eaOZcs0n0qxqhIUqID/CHF2s1ZVKjF4Fmkzks1noCHNaNPPYMwjK1ZSa7yQJLJO0iQtGKLLkEDI2n57cbZbKd8z7xp8bHXWKnjjdeQ9bbjR4+FYbx7Gyg2rOENdnHfJVWUAh8F3/XbalVrRLriB2ZF+wbz4DcQkbGIwWmTMv2/Gg9z0SFoOqlJvIR/g0ZCr8/2GlPLSa8mgoHSO2JeW0A40= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZCTodRsHYa7ntWs7fcTHSHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4rF1kUDB5uKi/2A2E+tzGtNYblrQBiPtrRHXEYobtydK4o24b6bsY7hyY4zV2QKiqZRuTRsqAVO9JIcJoJFowNooAhPLnKY+DO5bAL6fi2Epg65rKw3oxAhKxQ72ZizpChFP3vXLOOav1xoZR3QcRiOKBTm51iTgAH9imUrfmSz2QU5nmbImlsyw6XINVYbpeDfrfBUcfMBjP35Ni39QQ3bC3aZKEvXtdUj8BYRMbJHzHp0Oar+NRZwP9okRV/rusrPFzMP9PXYFh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhPlLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/1786662e82c401c

Extracted

Family

azorult

C2

http://admin.svapofit.com/azs/index.php

Extracted

Family

azorult

C2

http://allods-down.site/yumi/index.php

Targets

    • Target

      RNSM00346.7z

    • Size

      7.8MB

    • MD5

      dfcfe5e31652e77e5ce8e1147352b153

    • SHA1

      72b3a2b3db894426a1a31606a475aede7cbe546a

    • SHA256

      d9ee637eb3e5c900c4997f3d2dbe86883a86fa32064cf9f29d227fca7d9d429d

    • SHA512

      7d1d4693c5f85c354f784814b51ec955a834eba6e0d063138ffbaaf3ac7c7ca9dcc69cf90b1df6cff9edab9505e48f79ab4c05ba39f83da43da526ef92dfeb1f

    • SSDEEP

      196608:YFX30UAEo6Pd5lpAYoP8J9sTVPjz3izEbKPCHuvFFioCHr9nKM:YFX3plGp8J+TNjTizEbKPPTanx

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Hawkeye family

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Jigsaw family

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

    • Locky (Osiris variant)

      Variant of the Locky ransomware seen in the wild since early 2017.

    • Locky family

    • Locky_osiris family

    • Modifies WinLogon for persistence

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Renames multiple (2032) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.