General

  • Target

    f30fb748ce4aaf203383bcfee0ff56b7de189f12b2f7c215304870acd6448115.exe

  • Size

    250KB

  • Sample

    241114-dt7lnsxmfp

  • MD5

    6456d2c7c6f5ce2c6a3abdf5ec10c8a9

  • SHA1

    4882ee914063914cde8e193a5430789014649aec

  • SHA256

    f30fb748ce4aaf203383bcfee0ff56b7de189f12b2f7c215304870acd6448115

  • SHA512

    5076c23c6611ea3764a4697cf240b9e3070b87972152b7659cb6a31aa06a7df365408135d0b1b991b026ee93639b59d7bc449cb39a42d6b59a9797b4a45820e2

  • SSDEEP

    6144:puaksu3JjylWeuYM+3UcUgtPRLr/45QKzmyR:pFIylWeJM+vlRHczmy

Malware Config

Extracted

Path

C:\PLEASE READ.TXT

Ransom Note

HELLO, YOUR COMPANY NETWORK HAS BEEN PENETRATED All your important files have been encrypted! Your files NOT DAMAGE! Only fully modified. (RSA+AES) They are encrypted with a strong unique aes encryption algorithm. ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We uploaded all highly confidential/personal data nd copy main servers. These data are currently stored on a private storage. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller, competitors, local government representative, judiciary, blackmail and attack intermediary So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or your business from destroy. For more information and decryption keys, please contact us: [email protected] [email protected] You will be provided with all the information about the necessary actions to fully decrypt your files. You can also contact us using the qTox messenger, it will be much faster, support is available 24/7. 
You can download from the link, or find the application yourself: https://github.com/qTox/qTox/blob/master/README.md#qtox https://github.com/qTox/qTox https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-i686-release.exe Contact qTox 24/7: 67AE4BA47BD1C91272A5A6EF56F76ACEADAFF01ABBEC1F6050F727D3E0703A4E305973486188 Your personal identifier: pAQAAAAAAACIRVKSHZTX40MkDENXY4H=zcjtm32RSqQ+JAd99ebS1eehuatuOem7L6xwncrPjqTKvvQZ+rqKaKjkMu3SZewniovG o1vI4oO97tWdpain=wZh1+FWZn9h92hGpWna=9291gr1TuMCxhfcMvXRT+HcG=X9VdGXTFnd4H2+vlupX1ZmrpF8ODwqIAORUl2T hV=WlW4LHKkg07UWBtkjt+tf52ZgH4Jn7gOcpoCyqsinmcne6TTBmJFdQpSDo6Yagqf48=SPUQsOVsNk+oAZf3qQqSZGMxFa7nkg kfJxe3VCYvrjBiGayzZ5RT44vWe2rcJBwlF842clMtzpVrFcF3DDTfAtXxflFtXkCJCf5EAZQceNGowobV56oG6p1PNFlXd2JKJj swQM8yGa9HQvLu1pwQ=g2d+rrwNLI8BIGcylf4E3Hplzca+68c0CRFDlDjEK6lIZIRdzCg+44GHJGl+sVNvOanX4i7wHXNbsAZMa SIT6PUyxGKJA6DNSWvx1d60UzISVSIak5AOpyPee5BRfk2y+byrQveU=UZ+sPTcjr50jUgLINjvlbRA8ICQ9oS+TYBCX84YzLlvb Kq4RMsKq2+lZwhRXK6I7Y8nC8lqA80FrX8NLhNt6taCZvJ6mddoxlQYQWaYgt=Mrg+vYa8UqVcdRqFOIMm10Xfm+hBSCY5od+1+8 =08z3JtvLr7Ea5T4OBOBjYSUV318cH76EE=eS2+LBHN4NL2DWHPgtgpIBlm5PJGNLThDJXIO1oLrhEEwYge6q1h9lzwArn9eVLGh 2D0CobBCPA4c5fkv5dWblxgRIrWL=GkbpkaXFWkssb+BP4JfPk dati19
URLs

https://github.com/qTox/qTox/blob/master/README.md#qtox

https://github.com/qTox/qTox

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-i686-release.exe

Extracted

Path

C:\PLEASE READ.TXT

Ransom Note

HELLO, YOUR COMPANY NETWORK HAS BEEN PENETRATED All your important files have been encrypted! Your files NOT DAMAGE! Only fully modified. (RSA+AES) They are encrypted with a strong unique aes encryption algorithm. ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We uploaded all highly confidential/personal data nd copy main servers. These data are currently stored on a private storage. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller, competitors, local government representative, judiciary, blackmail and attack intermediary So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or your business from destroy. For more information and decryption keys, please contact us: [email protected] [email protected] You will be provided with all the information about the necessary actions to fully decrypt your files. You can also contact us using the qTox messenger, it will be much faster, support is available 24/7. 
You can download from the link, or find the application yourself: https://github.com/qTox/qTox/blob/master/README.md#qtox https://github.com/qTox/qTox https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-i686-release.exe Contact qTox 24/7: 67AE4BA47BD1C91272A5A6EF56F76ACEADAFF01ABBEC1F6050F727D3E0703A4E305973486188 Your personal identifier: pAQAAAAAAAA1owLlHZSJY0Q4DAR=o6xhzspt0CvJGQPS3aAVZva5M0pU+BbXdMp1rH9Vqp5WR04wlUjGUpXe7f+Wvx9pqxZ0yb8s TrYZTVVbpUq92vajM8NrMqJPir9o=pIwwudpn1shPqe=mm41i2mS4H1eqbh1SDanhslvqEElmkOg97etVj0WdL3KuD5xsGJ7l3Cx OR+C+fvZ=8DVlaRr21l+9OsBUgJb2bJzphsbgVJTsOkx5TN56fHronApszUqhWEyEVuxh6cjusa74WV=5JqhwokBib=Qb2HCc7UI 7IQY8TrT1Wr4w9gJ0UB356u7hK1=jjuRJTlLIWca3v7Grh92QNIeXrhYZl6IjKHDBjSXWVmNgLJwpcGkAJkJ7oIqwq1wyzN4uYA6 =k6wle4WrHQ6LNT+c5JiclOqs3XIgRQ=WAaE5BYoYI1u4PwDBGl8k9MSFskveav2UeQgQ9MwS2QNRABE9qL9Qkexj5q0cJU1V3ty DZm4wHOAeUCEoQjTrwvBph2HAWSgoFfP6ZyNEYsXUJcEU001t0OD+Hku5f6bBZ76JZfq5dkn7dJAkX=M4FE9WYpF2SFB4b41ai7+ m6BFbL4tQNGtvA4GIAQI4ktCXzDa2Hs2vGy74xFvFdu852RQBX7E5SmQJu7qKq=CQ=LIZcuFEv=K4gdAAuz9nvtgRCBA5B3JyToM reQvU2Ggv1OD6FLpvUXBJwpL2KDoU5HlUoRRvyZ4HT0Fs=N15AE63AIVCSwbwDbI3oJLS79EZHQToyL5kEtKG+oJxtDJ1zgUFw4w IF90Jn+IDdkXQ0sl0W22us=QEa0UYeFnlkkH5BaCzQE dati19
URLs

https://github.com/qTox/qTox/blob/master/README.md#qtox

https://github.com/qTox/qTox

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-i686-release.exe

Targets

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
