Overview

overview

10

Static

static

1

RNSM00317.7z

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00317.7z

  • Size

    4.5MB

  • Sample

    241112-xvp8kaxray

  • MD5

    1f0a3c0d633cffdec981a36b868af1ab

  • SHA1

    d04f70e113bdfe863c2658d6ad4c1ddf5412ecfa

  • SHA256

    e4517fe3680c52565d854d2242d9ba7eddf25a80509eed18525ec428364761b9

  • SHA512

    156b8bade296be4f6653f6f13bac1ddc0b5280c0092b09743ad5d4a460060b8e4cf198fcb5fe1e77af1962f46f8ea7caf1afb3fdc63fb9700027d6a004d50710

  • SSDEEP

    98304:J0V1RCjxkSb5i7yKRQc/W3yT8m6rpGDx3pz0Z9qOcU0SzlqgMAVEStZ0:SEtkSc7h/GsNxM0gMXStZ0

Score
10/10
adwindformbookgandcrablokibotxtremeratdabackdoorcollectiondefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwareratspywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

da

Decoy

citybudgettree.tech

anamikabaruah.com

woorobo.com

physics.center

formerworld.com

mckpr.info

rexo17.download

butthole.online

999-dvd.com

mykinwallet.com

energiin.info

stoneboris.win

tlbfp.loan

kinder-laender-zukunft.com

alinebaca-lep.com

veretium.com

villa17home.com

6m1six.loan

dichvupccc.com

affiliatelecture.com

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438706 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\jre\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438708 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files\VideoLAN\VLC\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438709 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files\VideoLAN\VLC\plugins\access\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438710 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438711 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438713 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438714 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438715 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Family

xtremerat

C2

enrichosie.sytes.net

Extracted

Family

lokibot

C2

http://molinolatebaida.com/basic-jquery-slider-8ffe118/js/lib/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      RNSM00317.7z

    • Size

      4.5MB

    • MD5

      1f0a3c0d633cffdec981a36b868af1ab

    • SHA1

      d04f70e113bdfe863c2658d6ad4c1ddf5412ecfa

    • SHA256

      e4517fe3680c52565d854d2242d9ba7eddf25a80509eed18525ec428364761b9

    • SHA512

      156b8bade296be4f6653f6f13bac1ddc0b5280c0092b09743ad5d4a460060b8e4cf198fcb5fe1e77af1962f46f8ea7caf1afb3fdc63fb9700027d6a004d50710

    • SSDEEP

      98304:J0V1RCjxkSb5i7yKRQc/W3yT8m6rpGDx3pz0Z9qOcU0SzlqgMAVEStZ0:SEtkSc7h/GsNxM0gMXStZ0

    Score
    10/10
    adwindformbookgandcrablokibotxtremeratdabackdoorcollectiondefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwareratspywarestealertrojanupxvmprotect

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

      trojanadwind

    • Adwind family

      adwind

    • Class file contains resources related to AdWind

    • Detect XtremeRAT payload

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook family

      formbook

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

      ransomwarebackdoorgandcrab

    • Gandcrab family

      gandcrab

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • UAC bypass

      evasiontrojan

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • Xtremerat family

      xtremerat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Formbook payload

      rat

    • Renames multiple (786) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3
T1490

Tasks