fantom

Sharing

General

Target

Desktop.rar
Size

8.2MB
Sample

241120-ap12jswdmb
MD5

711d6b60aea58d7197caeb75f51ce0e7
SHA1

9eba8bbcdc49ee3df32b232d32973e5a95d91426
SHA256

b8c1f3abe165e1bab5616f0b739f1cb53c642c40ffc92f9f26aec1a73eaf0de2
SHA512

6e73ffd540e9fddcf92fc119f71c38b02f650bdd9cb04fe425693d2f1746c0518413173d27baa439c253841e76c0ebea3ca928fc99ec1a403b7f59126ff6ca6c
SSDEEP

196608:gJ+x3EIGv3a0E4CdR1QcihIB5bEFwYBCxTYAwX/RLer+Z7c:gJHdv3ncd41hIYiYBCr+Qag

Score

10^/10

fantom seon sodinokibi 28 1155 credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

1155

Decoy

awaitspain.com

domilivefurniture.com

cotton-avenue.co.il

datatri.be

fanuli.com.au

kelsigordon.com

jlwilsonbooks.com

charlesfrancis.photos

fi-institutionalfunds.com

techybash.com

avis.mantova.it

natturestaurante.com.br

ciga-france.fr

mollymccarthydesign.com

crestgood.com

haus-landliebe.de

advesa.com

so-sage.fr

cap29010.it

line-x.co.uk

Attributes

net
true
pid
28
prc
dbsnmp

sql

msaccess

xfssvccon

wordpa

firefox

outlook

powerpnt

synctime

infopath

sqbcoreservice

ocssd

tbirdconfig

mydesktopqos

mydesktopservice

encsvc

steam

visio

dbeng50

winword

mspub

oracle

thebat

isqlplussvc

excel

ocautoupds

thunderbird

agntsvc

onenote

ocomm
ransom_oneliner
All of your files are encrypted! Find {EXT}Wannadie.txt and follow instructions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
1155
svc
vss

sophos

memtas

backup

svc$

mepocs

sql

veeam

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>gPUp/OAfOBFu9WCSYBGcfVbcc3BPjkXPPrqWeIwIOpskGE3jUFsTngjB2PFDT6Y8AHIL2SDABIbyAQ1hgujBT3KCSPwXv+rmbBWGJeuqdbVuA35l7zJX/4+4AH9vEmcxqAyMOvEXvxaxrt3/vn7uGZDx6MQuPoVIPEgr1I+3BZeo6flvy3FoPDcnJFaDrDGOA9fw30X7zdXajQbuEv00oAvuZrxS8l533f9/RP/j7Fm6qtb7vMI16x4IydwwVxiLmDypcjTVuGCOA7c6Nr1ffmFf4zTkD2N24BtrihMqUnxX/yYNdJsukmvkbN/+OTF/Imi0A2iucd+0iJSvweDIDA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\How To Restore Files.txt

Ransom Note

Important !!! Your personal id - h0ztyx-5W+Wz7ph7 Warning: all your files are infected with an unknown virus. To decrypt your files, you need to contact at [email protected]. The decoder card is received by bitcoin. You can buy bitcoins from the following links://blockchain.info/wallet Do not try to restore files your self, this will lead to the loss of files forever GUARANTEES!!! You can send us 2-3 encoded files. And attach for testing, we will return them to you for FREE

Emails

[email protected]

Extracted

Path

C:\Program Files (x86)\How To Restore Files.txt

Ransom Note

Important !!! Your personal id - aZT4cQBr2pX6ftpG Warning: all your files are infected with an unknown virus. To decrypt your files, you need to contact at [email protected]. The decoder card is received by bitcoin. You can buy bitcoins from the following links://blockchain.info/wallet Do not try to restore files your self, this will lead to the loss of files forever GUARANTEES!!! You can send us 2-3 encoded files. And attach for testing, we will return them to you for FREE

Emails

[email protected]

Extracted

Path

C:\Users\zp0dhh67wnWannadie.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension zp0dhh67wn. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7270488ADDE07765 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/7270488ADDE07765 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 30afJOW5q5dFl8y1WEDzzV0MUO7F29bI+B3doS7/svtKQ/UcuWl2MwPPHMaBVs6z SSTSD389t4QgkJ+4+4bCkJmXsSu2mxzDfm+ytMB30bFpa0QlO13r6gd0cIRnMBen c1F5GrdMS1ELncIHuotKb1vesm0Re7drSFHc9vyvMy8qXFp3UEcDzjA8UH0RhtA5 8R16Bb1sgvpgCHsgzm0LB4I81L/VLAK/DLmACy31Q9DH0k4RrVt/YYOscEqg/pUZ vLYjleh8DiF4qi6iiknMD4Vsn5UNzJIfh1EY5YFJWQIfUGCJ0G2Q6RHmg9xNyPVU eDYFAZHVFnqZf65DdS6s08WBmB6fEZ9rsSjqgDCZv/vK7sqfkF4CRla8S3viF2qO 6wHr92tkMB+RlPqhY0I/DdlVZm9XF7CLTFbReLYcaNsm6+xIGL9DmfsLjod0Yw9K PGPVhj+WNazdp7r1UaWnm3rmoEHbPy2/V8BBfJ2NGLBDx4lCUloibYO463brmkmw 5XQnEK7QIJQPtFHLTevU38intNXsHff/fBVcQevzDCxMq/NNt2+rgA2lDFa1HbOm UZMe7AJLMVx35YPR46rCOJv5obaWn6mK4dXx+u/BSXjSqatzv5Qr141JjXuo5VpD FSmCBG/kEWJHvpaeCPQIn1xjYzja3iQBRXoaVN9NvBZvl1h7bg/ygVCk4xuFOTVA BujVlhsWLmKRtr26SYK4lynrRSOXNGnhlO0Uf+6+fmYY6mt1e/aoJAR3ILsBVzI7 EC+GoXgOncdyIYca8ZDeQ0fYJE9OJgtBvMWXCxHa7IEP7SMTeUw9igrOqQjoYWD0 Sfk7LxASBFfRBnrit0ENXX/SrXpWHf/qEqHsjiR+8n+PXs/I8UXkVnaSVEYoVnrG tEhb7JjZ6bO1lE9QDGd/DqCO0UxV3UjWg4qCUNOOqDOgBZKNoRIDMg2XZ9xqFSPI PoyfzheHtHRL83L9Fl0l85fe2ptjPZd0DobQ2+nPzeJsKPM/LMS8HIb9NRF4Vsfs zJglYaRffHkfZBVGJvKjoyvfZSFMgHdgSD7KDC3iMFIdjgCOz7OzMvjWnGtciGb1 X9J+TU18FpNQ5EZvwLynYSSOeJaIu3woFRBQTELbXqviXDr1D/QGT6Y1ks//lmVt Z8uMDBiEbxwPMrrPRopyOsuisOqVmXzES11/vwoqARS46T0JGRyMtXrtscNCcL4W p5we90uQxahLb6ekUjxOW/vJDvs= Extension name: zp0dhh67wn ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7270488ADDE07765

http://decryptor.top/7270488ADDE07765

Extracted

Path

C:\Users\9micftzarWannadie.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 9micftzar. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F3850925E2EE4773 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F3850925E2EE4773 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 65StlJFemZSDE4IviMaksfzLvw5VlXCtvo/R/AkoKMlVwQxl4OrGqHQg9LY+a0r7 qWKNauXaRcFjPrhFE1AQuj4DUGcrfJUFxUdzGpjl6dHQPSeV0lsWJlOUrepjHbE4 DjCMwlYC939fRssquU2tirTllG6O46VXS5Gj/jvzOiAjGsaiAdrewO9ncum5l6hA 8G4irptdAWYU7Z4mK4fsrAgjpqjhJl0ChVFjDXXXpDc8hjIsbqZv2BS/+6ar6PDH 1S1eUtm1bpbCEYwDtJiHv//VpENchLU89OJ53sol1kDI1fVivEvMtuwndg+IcxdO I3WPv9hHe+wMuoLa/0KZtIME8gJd7n4V+NVLsNshWPXbNL7Uk1mrwtwH9cLjViTe 2DlXTENfDOEjKpgFQzGBUMjGFNZ8r4Ensh06TRSpJkYcyhcNJehTxUo4QJ9qnNd+ KpXxfrbBLtP/Hs5bhhwuVNrDsutkfodqvGcilsWc1QSJ9xrBNSH3Zj9A/kLGD1GZ peoMS4QNCkM7ExqS2aaikKeHnyXuSLpxSLJcVpKwub6l/KnPO5IghvsP3C0EPVTF ZHXfHGZUYpbxUwsrAIh9TjxarHE9TkFBFdKwQc1TGFYZHn0P3+ujXInMJkHFvxiO Ul7b8GsAH/icl5ni5nE28h8511dV/kfVxUplTE1tZfjXrnRg9J3VISGcXl+tUeUV VggycfWYCsiNDjsA2kwAuPjUbACC2yObTR23A50uDXqyDhdp21EUzTbi50BCf3Ua ZR9c7T9ogvtFkfHhyc01Hi4fCLltmQWNVSu11vzI6o6y1KysIQTBcLqb3efPT/Xa y/Hp9Bae3jFXn54oTYS3kd3Yn6jonXE6MdYDU345z0HnQnTyxhuDbowJ7l5nKB1c +5g14zUcNWYqCLr/9yO/GOqvrUJpOuuiwc+u5oY8GuXh/2kPJFNSzVIv0Fktrq4b bADGi7r9sUQuik+t+a/VeLwwCZABJMFvgPPZBQNQpRhGt9vnLhxa/CPoYUmzgLYH 7zapqSRCWNuVVMvQevW5YwNDCItu3sr1qgq7xNq8QZ8wVwK4cajkwUFJUTlyS6eC JAjvqLulal+9AI85bioqN+R80/teeKL/TsGSnnil65TldA3akXvT92NtMMiu+tdU TxRcw9zbd7DJfNT54newHKZuetU/ftIRoB3dTcUuBbnMK3GmAbvyIxm4xRK+TqDq ++tEFYalk/cNLtTrcGo2u14GE+QZaIR6 Extension name: 9micftzar ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F3850925E2EE4773

http://decryptor.top/F3850925E2EE4773

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>XIjtWDVWi2c6crYVjwP6hJMJtIM00sZGPOFWj2pCR6pn4NdCcM3x/mqVGunM4Jdd2UVdI35BwsPT/yCeYyAxnjVARLd+nXdSVIm0PzW97zYO0Mwhhd4upgA8IpUpSIN3o7wvqWTOKz4udmBuUNC3m8AQIPnI/MvYgEttXgAoyjOULALIj1sAveOQ62aDciMyhtrC2+GL+O9/huj15knXu6W4dsUkFm1AV65edMAeX2/I0P9PtyyKAdMDnc/0K9Wrutgc55f5+9LARQNrsVu/eSKNrJxqyJdc3xaH45UVDFvpqaK7fTpMdgWKuYZffitDtqsrDBUVlP/k/dRyqNL8bQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\MSOCache\All Users\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

SEON RANSOMWARE ver 0.2 all your files has been encrypted There is only way to get your files back: contact with us We accept Bitcoin and other cryptocurrencies Do not try to reinstall operation system on your computer Do not try to decrypt files with third party tools, this can lead to data loss You can decrypt 1 file for free Our contact emails: [email protected] [email protected]

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme.hta

Ransom Note

All your documents, photos, databases and other important files have been encrypted and you can't decrypt it yourself. No one but us can return your files. Free decryption utility does not exist. Each file is encrypted with its unique key, cryptography based on elliptic curves, key recovery is impossible. Focus on the problem, follow your instructions and everything will be fine. DON'T PANIC! YOU CAN RETURN ALL YOUR FILES! FREE decrypting as guarantee You can test decryption 1 any file for free (with help our special software " SEON Decryptor "). What to do? First you should write me and i'll send you a special software " SEON Decryptor " (this software needed to decrypt encrypted files). To start the process of decrypting ALL files, you need buy key to the " SEON Decryptor ". Contacts E-Mail: [email protected] E-Mail: [email protected] Attention! Decryption keys are individual, the keys of other users will not work for you Do not try to decrypt files with third party tools, this can lead to data loss Do not try to reinstall operation system on your computer

Emails

[email protected]

Targets

- Target
  
  Tear
- Size
  
  261KB
- MD5
  
  7d80230df68ccba871815d68f016c282
- SHA1
  
  e10874c6108a26ceedfc84f50881824462b5b6b6
- SHA256
  
  f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
- SHA512
  
  64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
- SSDEEP
  
  3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
Score

10^/10

fantom discovery evasion ransomware spyware stealer
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Fantom family
  fantom
- Renames multiple (2804) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2
- Target
  
  adochi
- Size
  
  4KB
- MD5
  
  9a984b955c2914344529ea1017406445
- SHA1
  
  7e3df631e6c83f369ee60be7619759b04a15a646
- SHA256
  
  a85426622aa9bd49bcf17d259c28964bcc50b5bccaff2ba50c0a67c734b3d048
- SHA512
  
  27ef0f563fa0d01061df7360d19499a21f305973288f10c2ea1f21ddbf7019014d717f5b35864687c349d0b25754c96bd98d273c907635b39a413d86946a526e
- SSDEEP
  
  96:Z1wT/W2VCC/Ho94yg+vHXASo+9JGHn33X3Hn33X3Hn33X3Hn33XDEQUm:6uvC/IRvHQSFaEt
Score

7^/10

discovery
- Deletes itself
behavioral3 behavioral4
- Target
  
  autoit
- Size
  
  755KB
- MD5
  
  8a94444f516ae796c6a9b95182b537de
- SHA1
  
  3f7dc2fb25ab8a493bb64a957df89a7ac45337fc
- SHA256
  
  fd37685a99f5016d6537ce588e39d16ad8079d5ea7194f6cd4a0adff1cfa81b4
- SHA512
  
  b50318f529726469e440e4d12e5a33c2a3afc3cbd30f7a899a168e18c95dafe152c34dfe8df6d44d2d1a1dd1380bced5e29eafe3a2ad85c281067c66761c0536
- SSDEEP
  
  12288:/hkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aIbd2IMxIfQdCli:FRmJkcoQricOIQxiZY1iaIpIxBb
Score

10^/10

discovery evasion persistence trojan
- UAC bypass
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral5 behavioral6
- Target
  
  autoit2
- Size
  
  380KB
- MD5
  
  6177f9bde1fd578165974ceddcade3d9
- SHA1
  
  55998f23b74366042c4628c391e94d25c39523b0
- SHA256
  
  1cfb58fcaa04794556d5195a979839b3ef74533845e6f9becf4c547f6b60f29e
- SHA512
  
  aa9bb6cfa3d0c902c463c6e13540182820d1474223fa658a82d4fbafa8c06614d34406b9ca55fc11462d44d4309fad086e2779d36d93aacc8eda164204911f3c
- SSDEEP
  
  6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIrn8m/EBLKVB:UzcRD02J4Sq2vHGB67KWKKmDT8m/ExKH
Score

10^/10

discovery evasion persistence trojan upx
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Drops startup file
- Checks whether UAC is enabled
  evasion trojan
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7 behavioral8
- Target
  
  autoit3
- Size
  
  380KB
- MD5
  
  d68dda9d50ec5f965948e8b2d9ad17b9
- SHA1
  
  e16d8603132c4763e4fa87bf806d491920548686
- SHA256
  
  28bf399a594b68b00aeede888e147f1602eede821ec9780418e739f31b3eded6
- SHA512
  
  092e6d9b8868b85f45732b43b98ab91b8ac8000e03601810e0b54abb84a45a80c3c020db219be358900d1ad6ceb76de329b0f6007cb2928b3d469e07a86c593d
- SSDEEP
  
  6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwI6yGdMKxVusp:UzcRD02J4Sq2vHGB67KWKKmDkMKTuqRf
Score

10^/10

discovery evasion persistence trojan upx
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Drops startup file
- Checks whether UAC is enabled
  evasion trojan
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral10 behavioral9
- Target
  
  deviation
- Size
  
  224KB
- MD5
  
  9c5d6dca97dd4caf57cb3f82e03f795d
- SHA1
  
  c5c0ad6b16db6355a564e95398471608398e3076
- SHA256
  
  ee955b991c99a9016da0b39bc1c0e78a66990573501513ea9d287ebbe577084e
- SHA512
  
  5d1b0807954231f5868c0a612704904653921953708192cc99126f0de0dfeb163aff5cf5cb511a6f6cc6d50620284799c17d8dd26f761e74b04e8d58bdcea8a3
- SSDEEP
  
  1536:IWFmDx9+Uxtwt7HELWUkH7QXPuc0rsOB4Nx3be3/B1zC+IInU4FxOxM:SRtwZkLWc2cJOu3biBBZIiGxM
Score

8^/10

discovery evasion
- Disables Task Manager via registry modification
  evasion
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  encoder
- Size
  
  10KB
- MD5
  
  f1927e7f90416bf39fc7991bbc57e1b3
- SHA1
  
  2367249568ca4a34f8824a9313b03d16d1d7c0bc
- SHA256
  
  539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505
- SHA512
  
  a0ac1811c8944165ba1939e40fe965bba3f7473819cb6f5d1cd4b4e7c203685baec055a6c73359dd1b3ddc79cb05b42d8c7541c29ea466120233423c5a5fcc60
- SSDEEP
  
  192:yrj2/2OzcYKNEmkmTjtiIKZIF/2oQlLkMBBm4C:j/2OzcJNEmkmTjkI/92oQjBU7
Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan credential_access
- UAC bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (9715) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
behavioral13 behavioral14
- Target
  
  encoder2
- Size
  
  328KB
- MD5
  
  3ef478a7c898e91f09385da44555d986
- SHA1
  
  07c1f289891b59892ae45253ffdc969f11267ac5
- SHA256
  
  1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4
- SHA512
  
  e67b411fbc1a05a6482b03d8320fad0bd08836c5fa651b435473ee3233bb62240c1ffaab1ede7f58fee9eee70f4e313a230411a143495e2d30826546148cd4d1
- SSDEEP
  
  3072:uhl75wtMO7RTbcA6Ao7A75PeunlG7m//5/vZ/5TVk5ixJNe4yg6bMtJWPhyhMvcc:E5sRXcTAmEFRJ/525caYzfpCHFc8j
Score

9^/10

credential_access defense_evasion discovery execution impact ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (7779) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral15 behavioral16
- Target
  
  encoder3
- Size
  
  164KB
- MD5
  
  7518ecf9cd7d3f204de349103bd95c54
- SHA1
  
  417df7e036285c9409affa1e9bef8634d8994869
- SHA256
  
  14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632
- SHA512
  
  71a181e597a5d9eae8ccd22683b650039f2506ba502b44a2da4f786e8884a1538603df9ab57d19c78d9777cb8f643ec78439346c32611776984acc569dbaba32
- SSDEEP
  
  3072:FHixaVZFiOCDJtOicNDWEzZQjnS2C/vbgnB:FHigLF5CCj5zZQDV0bq
Score

10^/10

sodinokibi discovery ransomware spyware stealer
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral17 behavioral18
- Target
  
  encoder4
- Size
  
  5.3MB
- MD5
  
  4c2fdadb29f624ff540c0e2790b60987
- SHA1
  
  e4b95dd05aa80f8380554590359ba63036c76e69
- SHA256
  
  b3dc1bb1c72c6bda1a7508147b2c92021aa18eb99d419db7e8245f32979cd01b
- SHA512
  
  03a26f8769f46ca5b8bdc9fb44b8ed4a56dfab21a8948516a2fabdbbde7f9c73f708c11c1540ce8c2e0ff47ab539e0780b202c249fe3ebd5423ae31e922294b3
- SSDEEP
  
  98304:z4ARSOULuXDTLjEGxGUiibSpRZxP4BPXWtqZLr8U+GzNQ12Pe7Xw1:z4NOUL+PECGUiUS1xgJge7xwa
Score

5^/10

discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral19 behavioral20
- Target
  
  encoder5
- Size
  
  62KB
- MD5
  
  1a6820fec1c45cd9c928533090e7908d
- SHA1
  
  9df9d1e4579a0f759db01951ff616019c6c9196e
- SHA256
  
  a89591555b9acb65353c2b854e582bc41db2fbc0eda2210b89a877d1862084df
- SHA512
  
  c6eed68a0fbdb05bf504676e1c0816660f856ae768b7340678b9d84d909fce267066b2e314148521563309c466fdec7d74f00d1addb1a14abe15163d2203a81a
- SSDEEP
  
  768:hK3mGmDuuNXM1KPptWOahoICS4AIA4DZqB87pdMFtb8cmY11f3qrVBUoxygse3l:hK3UDugp88ICS4AR4tA8lCFtb8If6
Score

10^/10

seon discovery ransomware trojan
- Seon
  The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
  trojan ransomware seon
- Seon family
  seon
- Renames multiple (259) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral21 behavioral22
- Target
  
  erebus
- Size
  
  1.2MB
- MD5
  
  0ced87772881b63caf95f1d828ba40c5
- SHA1
  
  6e5fca51a018272d1b1003b16dce6ee9e836908c
- SHA256
  
  ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791
- SHA512
  
  65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb
- SSDEEP
  
  24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F
Score

9^/10

defense_evasion discovery execution impact ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral23 behavioral24
- Target
  
  myxaha
- Size
  
  425KB
- MD5
  
  c44b71932e47cd323f03f3e6949cc9fd
- SHA1
  
  f011c627961fea886483001c1766aefec6fbd1a9
- SHA256
  
  be139b39ce0de52d7d486d25eada2bf18c24afb8ca111f62a1f0762bfc642ea9
- SHA512
  
  682e572eb2cfcea4642f8ac4409c57472ab171e3e5d49b552893c6c2851270a08efb5496a047de36f844ac67f25b6b02b1780ad9defda75a6b425880eadbf281
- SSDEEP
  
  12288:hVL+LDunkSvLR83sBPNLfe2Q5NO1cPOLfel8ozmiTh53:hNnkSKsF6i1eJfj3
Score

7^/10

discovery upx
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral25 behavioral26
- Target
  
  $LOCALAPPDATA/ConduitInstaller.exe
- Size
  
  275KB
- MD5
  
  ddd4f06b739a5cac8e93ee0e5c2d654d
- SHA1
  
  cdb4be6861695a82e23c06fc9ae83ef595335673
- SHA256
  
  19e303979fd9708c965026b88a15bd2366e0d3ac162938466f90ee3d6e091f78
- SHA512
  
  ca61cf6c220da2578dfdc565088bf84b91d2f1b46d9ca051e4a2ff5e1d4fa3d79860c00e2c522ddcbaed52516083741eaf90f62a328bd8a75ca1097103595290
- SSDEEP
  
  6144:gXRuR5lmIMLPkuWCgXmyaun3sBPV8aspReyM8oyasBPV8aspReyM8oyQg:WslmhLR63sBPOLfef8onsBPOLfef8odg
Score

7^/10

discovery
- Loads dropped DLL
behavioral27 behavioral28
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  9384f4007c492d4fa040924f31c00166
- SHA1
  
  aba37faef30d7c445584c688a0b5638f5db31c7b
- SHA256
  
  60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
- SHA512
  
  68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf
- SSDEEP
  
  48:iV6pAvmNC6iMPUptxEZK65x/AmvycNSmwVsOYJyvrpXptp/JvR0Jlof5d2:2811GED5ZTvycNSmwVsTJuftpZR0Sd2
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral31 behavioral32