dharma

Sharing

Copy URL

Twitter E-mail

General

Target

2.rar
Size

18.8MB
Sample

241120-qdrazaxfqm
MD5

be4e87444b469c24ae7b2ef8b0c37bfe
SHA1

d2542528a6ea653ce6b69fb4e6e8254e45c9bb24
SHA256

58e30f939535c1c2d65fbab197f4a6816931522b8513d8261154eb86f6e28579
SHA512

6106ef253673842e35e3dbacf4517c6f5014ce62f402dac571a11f36e214f99f3a265f790361f12e5165cb1001c701d162e2094fe29260908b3d975fc422266c
SSDEEP

393216:Fmid41hIYiYBCr+QaLd41hIYiYBCr+QaRuO2rC4Qa+LP1IrsOCEC:FQRzORz6rClOrsOU

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

2083

Decoy

kristianboennelykke.dk

mustangmarketinggroup.com

globalcompliancenews.com

chainofhopeeurope.eu

ncjc.ca

tothebackofthemoon.com

quitescorting.com

theboardroomafrica.com

julielusktherapy.com

wyreforest.net

indiebizadvocates.org

ayudaespiritualtamara.com

universelle.fr

gosouldeep.com

epsondriversforwindows.com

dr-vita.de

thehovecounsellingpractice.co.uk

alcye.com

speiserei-hannover.de

fridakids.com

Attributes

net
false
pid
26
prc
ocautoupds

thunderbird

dbsnmp

sql

encsvc

onenote

wordpa

isqlplussvc

ocssd

firefox

mydesktopqos

mydesktopservice

excel

xfssvccon

agntsvc

powerpnt

thebat

oracle

ocomm

steam

outlook

mysql

infopath

visio

mspub

winword

sqbcoreservice

dbeng50

msaccess

synctime

tbirdconfig
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome Alliotts. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
2083
svc
vss

memtas

mepocs

veeam

svc$

mysql

sql

sophos

backup

Extracted

Family

sodinokibi

Botnet

Campaign

1155

Decoy

awaitspain.com

domilivefurniture.com

cotton-avenue.co.il

datatri.be

fanuli.com.au

kelsigordon.com

jlwilsonbooks.com

charlesfrancis.photos

fi-institutionalfunds.com

techybash.com

avis.mantova.it

natturestaurante.com.br

ciga-france.fr

mollymccarthydesign.com

crestgood.com

haus-landliebe.de

advesa.com

so-sage.fr

cap29010.it

line-x.co.uk

Attributes

net
true
pid
28
prc
dbsnmp

sql

msaccess

xfssvccon

wordpa

firefox

outlook

powerpnt

synctime

infopath

sqbcoreservice

ocssd

tbirdconfig

mydesktopqos

mydesktopservice

encsvc

steam

visio

dbeng50

winword

mspub

oracle

thebat

isqlplussvc

excel

ocautoupds

thunderbird

agntsvc

onenote

ocomm
ransom_oneliner
All of your files are encrypted! Find {EXT}Wannadie.txt and follow instructions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
1155
svc
vss

sophos

memtas

backup

svc$

mepocs

sql

veeam

Extracted

Family

sodinokibi

Botnet

Campaign

1140

Decoy

neonodi.be

anleggsregisteret.no

jonnyhooley.com

verbouwingsdouche.nl

kelsigordon.com

mrkluttz.com

agrifarm.dk

triplettagaite.fr

futurenetworking.com

schlagbohrmaschinetests.com

arthakapitalforvaltning.dk

edrickennedymacfoy.com

kdbrh.com

encounter-p.net

skoczynski.eu

bakingismyyoga.com

hutchstyle.co.uk

secrets-clubs.co.uk

wrinstitute.org

pvandambv.nl

Attributes

net
false
pid
37
prc
sqbcoreservice

encsvc

powerpnt

mspub

onenote

steam

synctime

infopath

ocomm

visio

outlook

winword

thunderbird

thebat

isqlplussvc

xfssvccon

ocssd

oracle

sql

msaccess

firefox

dbsnmp

ocautoupds

dbeng50

excel

mydesktopservice

mydesktopqos

agntsvc

wordpa

tbirdconfig
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
1140
svc
sql

mepocs

sophos

svc$

veeam

backup

memtas

vss

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

pharmeko-group.com

liverpoolabudhabi.ae

sachainchiuk.com

spacebel.be

kenmccallum.com

mercadodelrio.com

tothebackofthemoon.com

simpleitsolutions.ch

awaitspain.com

drnelsonpediatrics.com

thehovecounsellingpractice.co.uk

babysitting-hk.helpergo.co

5pointpt.com

fascaonline.com

globalcompliancenews.com

wademurray.com

teamsegeln.ch

fta-media.com

koncept-m.ru

kamin-somnium.de

Attributes

net
true
pid
20
prc
sqlservr

mysql
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
45
svc
sophos

sql

veeam

mepocs

backup

svc$

memtas

vss

Extracted

Family

sodinokibi

Botnet

Campaign

1322

Decoy

alltagsrassismus-entknoten.de

frameshift.it

purepreprod4.com

catalyseurdetransformation.com

quitescorting.com

oscommunity.de

ced-elec.com

alisodentalcare.com

patassociation.com

teutoradio.de

fann.ru

berdonllp.com

girlish.ae

production-stills.co.uk

miscbo.it

mbuildinghomes.com

b3b.ch

lovetzuchia.com

astrographic.com

renderbox.ch

Attributes

net
true
pid
41
prc
encsvc

visio

dbsnmp

mspub

msaccess

mydesktopservice

oracle

ocomm

steam

thunderbird

onenote

synctime

dbeng50

excel

xfssvccon

tbirdconfig

isqlplussvc

mydesktopqos

sql

thebat

wordpa

sqbcoreservice

ocautoupds

outlook

agntsvc

ocssd

winword

powerpnt

firefox

infopath
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
1322
svc
sql

backup

sophos

svc$

veeam

mepocs

memtas

vss

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

secrets-clubs.co.uk

latteswithleslie.com

dcc-eu.com

goodboyscustom.com

11.in.ua

coachpreneuracademy.com

akwaba-safaris.com

aoyama.ac

redpebblephotography.com

lsngroupe.com

amco.net.au

rvside.com

jax-interim-and-projectmanagement.com

oraweb.net

brannbornfastigheter.se

saberconcrete.com

ijsselbeton.nl

buerocenter-butzbach-werbemittel.de

signamedia.de

t3brothers.com

Attributes

net
true
pid
20
prc
sqlservr

mysql
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
46
svc
veeam

sophos

svc$

vss

memtas

backup

mepocs

sql

Extracted

Path

C:\Users\cu8z42a5-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension cu8z42a5. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/28F6B0076A27A84C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/28F6B0076A27A84C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: DAzS/xUck60SJPx1msd72+F4S8PVquz+lUhu7CDcln7KT3ricZ3Sda11jXcu5OIU s+SnSw6Lb26Q/uq1RwlUsISt6iakTUa67o9f1V0wOee5YnXhHAGaEE3FnYvnPgQD qDHUFqbtgJyVCKayyWExz4a+egpp9xKMCoNuhGbSCHyQpafbeBcQkoEdr2iSU6Gk pU//EjDuL+bn1e/Y/JkbA6JTaSq3dOERosl1nMkchuXfsY4OILXiBqlSYPJrJD67 RORzMptBB6ixQegrfTnGxh5M/3aBT4zYwGRNDYJ5n7tMhECMs3CKUwjjURCaIocy Rgfj4GqD4322Dt3jNoZHuWnX4sDsEqBR8LwsckkQfVHsZnbThlnCShV7xs7fEaMz K60f37SLiHTksCDm11fUfEhPxC9LaTr4Z8qUpAZBHMje+kbFC3xLeUSahXl+UKDX zpfTtZgpvUcg3tvUrJOYA1pcsdRN/2od/oOqs066DDC6UQCl9tAKoW7vAgQUhIET 4InJD3ycQJyIViYREmu1vulBN0bRZUyFrhYqdnN7Q76znGNJUuSYPrnL3orjsqPr KjafO/oeplfU4uIPGm7RhNmozYU+psF2x2JgBSVYybX3nleDgZIVOs4Ssk7hq2lD UyLBCIFheri27ljO3RiFHWKRpDdEGxuXuaLH5s/tjPJ9a9xYUp5by6KkE9P/qsX3 JmgRNlO7pwS5++u8jlXlTWBcO3g3jUyx2bdcTzxTl60mlbFVASaj0HlYg+eDykwl VXmiCpK5u5k0JuYjK1Faim3nZuUp5XmQhib+r+Oq7azBmHyDo7tBSVUBTBsPVZAu FHZrvZO/aih72P/o2MwRlAqLLSFwUFbmZey75POK4LNRyr9+6NkoE64/CaMGwvFO kPAtFqqTj4GTH2lhu6e+lyINS6IbWujB0M9JNVPvva4wb3EYAhGiDvrNB041oRRd IKzxi4YiQ7Q6Lg0dZGLQ56fCqHg6O3uijNrtc8HxvMlUdrZJFu5XZ5vzAFOZLzQK Go23Y04NRauIWpPVOS6OxqCU9x5SgKPbHB91E+5VM7+FqDYKHjdgsN5b8ijJGKzJ 92eJvGLLYyAArQGgZ+fnnKImavI0jDZYchiXklTHTr3K/tEbbNI+b6t9u9612+OG x00I+Mvj6suAsN+x3ae526k7iTv8IenYFkRPyzBOfdcsqN2k/X/+RJUj9R0iVa7V zMwd0kOZMBs+AZ3lPcaofw== Extension name: cu8z42a5 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/28F6B0076A27A84C

http://decryptor.top/28F6B0076A27A84C

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 5642763B In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\Users\54z17cg33-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome Alliotts. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 54z17cg33. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/328660EF4623E3CD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/328660EF4623E3CD Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Iqw9BqJhAVFLyAHquZTGL/vZzv71f54K5DtqDlRqGdSA6VJuRyq23MjRf0z4pDbU 82+wzvgXNhREfsyTXg1iKkWz5ScZZqkcUOgYpMLuteRtY93czmehmCJi9t6Sg2Om jAW7LPuUQEB3rBWcDkcCRYVIDyyxDUwRxP+8Va28BKIkhpkdr/HequShEuwjWco6 ssfQZNqkvQ82kqB0wKJuCVTYkKeemTAADNcEJU0AeUBlnWWHo2cloNhHC9q7PCWM QdfEgxVvNZnKF/H5pj9YzZZr8JqrlNgmjGo0RAYmw+E7YhwiucTG75/iJ19HTarG hEXyhw+Ma16LmxBaKU2Ns1uwYbo5W/8/EwC3j0QZTBjGBxkyOBHMNnpLQkeDQu1n 3II89tmMVAr1kENOehw5aOOhnqpKWgvHpaL/ijywJYHixTYhVCPL81IPf6J8afFK 1e5UL2c2/HiKAsP2StrfPTgWZMnZcUE07SojX3TIMyQ00YvBSxDF8Bsppm5pVF6N En7tPFyqPW95UuU3YDNAp0Z1uC2EDOiYwmfk7GW4j2flJ3Uo9/9HBGFqYYQOH7CN pOej+r22kkeym5FNlidG+9lqUVeVnBJYbsGvmnzn6m3XcjbFs78Slo6FH9F3BbEj XW4y+rhRRkd9tyQ7ul/tCluKGdRVO+9SZZNa+LIIPuPc65EZGo/Ko7685KjcMxMa EQ/foPwcd9boY/HRY8XF+TF3hs9Vr4k9BAwjCemD83y8uxPMLkejfH9bIXxxAqhg SybqjrOzimeQY1I9kp+UFfvCCgCErlQNoW0L4o1MJ1H9Z3EhsU4CMLV4G2K2R9Lq ftn61/1LmI7hvcrA2ryDCM1YwXwhtXlX9SvFKLwB71ZfVUMYdvZjOa0t3ulMtQWF SCRFXEjnWZrJRcf19jD4k+lLWkNDXuzspj6FjklIS3lYaAfi3+0ZLoXg8YmJEYAX ofdmQvxD7veF5VjxFu06Dcc+c9T5f/qr00eTKGyj9h9qda4xXIKmJoKzc0IRPzxg C3kx6BNZVUb1XcmnCJchAG2Ytj5dsrWyzJDWo5CMY+WXHn9e7AYi52bjHtj2QK11 RsLmxtxCYQl+FNvx9Bm3zbZYIe7sxH9gEZuPt1dckTsmAIWG1NOZoYv354U+U3v2 PQKPOQG5epTih5DHoyGaZuqtRYF+UlN4Udt4/Bi0AJ/EGxIFN9hVkvikmm1aQOrw w4u2Xx4qMsdjDFzoCt7WI7Qb Extension name: 54z17cg33 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/328660EF4623E3CD

http://decryptor.top/328660EF4623E3CD

Extracted

Path

C:\Users\11xy9-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 11xy9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/120D228E2FAC83AE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/120D228E2FAC83AE Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 6+9RDy0E7vweAW0axGvieRQq2Hl5FsjM+gVZljQX50vThrQE2vbGDIkoaxUXFAz4 G8QqvgO8NbsDDbRq4kXotVONwcXI2YLIfXqHFtvx7caIopcxwlljmNYLXBzv9kx5 hV8xqRHITEoeeaEyOq0LcXCNv09SqB1oRXbi1JauUXvsoxoVptdCWB/UsLhWI846 fwhiQ7Z71gXHF7M71mjEwJTXIdicq5HcnIvanyBnSuHSDtJgHp2cXAKSrDesOD0t dUIpov32v5wpV4WGHTGtkWwj0lPjOdYNCbF7+h3LotsGnjtRp1N45bKLzktiRgId F2y7ojzySvm6aDCAM9nFSUGLZpVc+fBan06cv9X/jhGCAB3yXCUculdZqRyxbdN6 47b04IMGO6b0tHcoZYGYnrKq0X5Ia8RwPi+WHQuT+V5QajZrj9aycT0j9pya2Eb0 4zpxeO6/7/xHGS5gRLs/J5Nw7654MITAh80HGWg3bHyfskP/LU9lDfWwJ5XK9vLM 4dAqTTrIQV8RrvZs4g1gIo3zeq/jxuCv8GEXsU63VvTE9GXYdBi6baup+vN4QZcL NZ2AQYRAGS34aRB3s3C1P8h0N4/Hi7O7NovqlEn+XSKOP2BNSdMORu2tkMtksC87 r21HzNvH1xwONLaOdDqjMU9wrw6Dq+oD6j7Fm0RNr8BY513KBuYL3DpIMYaepQCt 9ez7tCOBCT8F2rcz5NZ+TaLEzFeHaOQ5uwkoaIdEl89RDw3rbklkOfl8sSBFGjBy skPBJernUj9ZVPD8FPW73DUSJaxmxYo1bS7a6LawRn2i1veqn2FioRds4TtAXvpp IZVw0a4h9+2f2oSGs5aD9zNwwe+yLSgcv3zERqaKKHXKaHosFcqfaUnD8rsruRt9 /1GDQMbU+7R0bVFVh2lJ9bUJtCQILpLWKhrKjus+lmbGBvsSDD4ELWEVMdlr18Em EXMM3rsJ8Wm6wp5hmMXfn9CzRZhkm8VPg1krGvOoT7yEEV/fExxFx+Uyl7ACjU/b 59IyF6miNxIdJo+v3sMFEhKd+la1CU0CfUxEe9zH5hIi0ArTeC3yEfeFM0Rooffz y8nd6og06TRelR4DNV1oGbkOTQ4JThwwdQtEdbMgtz++H16ZEfVfi1EbI/NLODDu R3+YPrb8z/tmdb6BXTABSofiWA8BerKI0WnZv5e2KBHCE3H0eeTj2rYEAnwoTf+2 mD7DwOjw Extension name: 11xy9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/120D228E2FAC83AE

http://decryptor.top/120D228E2FAC83AE

Targets

- Target
  
  0c3b09213f642af5d6bca1708d167052f7fe198e5eced0e78584d8eb910b8d3c
- Size
  
  201KB
- MD5
  
  b841e09cb1d9ca9a6fec8864c53d081d
- SHA1
  
  7a5ab9d9b6a2844844a28adca60e0333784ee55c
- SHA256
  
  0c3b09213f642af5d6bca1708d167052f7fe198e5eced0e78584d8eb910b8d3c
- SHA512
  
  37ef73037af203b5622bacd67750fd9d5104d753609fe4940e70759d29129cfe4a0f6ad1c9940ef481d5a0fc29953a7528fc30ae372d4849bf1474164e0ccd75
- SSDEEP
  
  6144:hCAX3vMvPQBgKLAe6KVxU3yH49/6RcxE4cWl+25/:hCUf8YBtAedTU3R9/c2/l+2R
Score

8^/10

discovery
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
behavioral1
- Target
  
  0dab0428b414b0440288a12fbc20dab72339ef72ff5859e8c18d76dd8b169f50
- Size
  
  179KB
- MD5
  
  6a37119a7900d7c994cafb86166c3a78
- SHA1
  
  39e3d7eba4333f2fa4ff9a9a24ca8e84b2ad47cf
- SHA256
  
  0dab0428b414b0440288a12fbc20dab72339ef72ff5859e8c18d76dd8b169f50
- SHA512
  
  dc9df8dc9d52e477634f87fae065fac74440a0fdd8758a617fcf327b983476edc57e3ecd4b171206a36be76792a8f28662b65a5cf9f3cc61c32fdd28b391dc89
- SSDEEP
  
  3072:kEa2d8CfSXceqmPDu4lPZU/CZtpysa8ustqzhyb4lJklds:iCqlPDuGPG/abesYzgaJkld
Score

10^/10

sodinokibi discovery ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral2
- Target
  
  14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632
- Size
  
  164KB
- MD5
  
  7518ecf9cd7d3f204de349103bd95c54
- SHA1
  
  417df7e036285c9409affa1e9bef8634d8994869
- SHA256
  
  14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632
- SHA512
  
  71a181e597a5d9eae8ccd22683b650039f2506ba502b44a2da4f786e8884a1538603df9ab57d19c78d9777cb8f643ec78439346c32611776984acc569dbaba32
- SSDEEP
  
  3072:FHixaVZFiOCDJtOicNDWEzZQjnS2C/vbgnB:FHigLF5CCj5zZQDV0bq
Score

10^/10

sodinokibi discovery ransomware spyware stealer
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral3
- Target
  
  16c49d677559071b3fc71fb4bb1a3c85cdcf7c4c27454010f69bb0bd04b1c456
- Size
  
  201KB
- MD5
  
  ffece9104fafbd75ac60f80feb5732a2
- SHA1
  
  8618e39b26fbbf22ccde353fe71c1a2f08bbe176
- SHA256
  
  16c49d677559071b3fc71fb4bb1a3c85cdcf7c4c27454010f69bb0bd04b1c456
- SHA512
  
  9a7fc3e8c24c8c4f54ebe077acdf115841f79afd29c5cf59762c1b65c9f6a0e4e42b778b590d2d726c98762fec2c0db0626961b545e6201b9846df118d498e97
- SSDEEP
  
  6144:UCAX3vMvPQBgKLB6KVxU3yH49/6RcxE4cWl+25Z:UCUf8YBtBdTU3R9/c2/l+2j
Score

7^/10

discovery
- Loads dropped DLL
behavioral4
- Target
  
  1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4
- Size
  
  328KB
- MD5
  
  3ef478a7c898e91f09385da44555d986
- SHA1
  
  07c1f289891b59892ae45253ffdc969f11267ac5
- SHA256
  
  1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4
- SHA512
  
  e67b411fbc1a05a6482b03d8320fad0bd08836c5fa651b435473ee3233bb62240c1ffaab1ede7f58fee9eee70f4e313a230411a143495e2d30826546148cd4d1
- SSDEEP
  
  3072:uhl75wtMO7RTbcA6Ao7A75PeunlG7m//5/vZ/5TVk5ixJNe4yg6bMtJWPhyhMvcc:E5sRXcTAmEFRJ/525caYzfpCHFc8j
Score

9^/10

credential_access defense_evasion discovery execution impact ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (7831) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5
- Target
  
  2
- Size
  
  370KB
- MD5
  
  d607888bc583a5712928c7c02555930a
- SHA1
  
  76963321489e6ac40ed10b54cc233e6e3a031235
- SHA256
  
  410ee08c8a84fbb947d5f4635c95c6c8d244a51855afd4f6aa0e82dba1c38a59
- SHA512
  
  3ff95cbaa21d56b51946a88f7034a812b6941f0f18c67694d7c2a53605a7475a04c2641c524c6dabc529a00b8b46e7e091b600b902973aa68410f1132b3f7f6d
- SSDEEP
  
  6144:Us/n1Xe/+6AZbw0aeBQMZb+zpnBvkgr4YXNgyt5lcFT7GeLhLZYl:z/n1O/+6AZFaem8O4YRliTqe9Zu
Score

6^/10

discovery persistence
- Adds Run key to start application
  persistence
behavioral6
- Target
  
  287a6b75d1776f89502a1fd0ec571adebff878becb0ebdcec703e8fc6e3885ad
- Size
  
  397KB
- MD5
  
  60c40af102c485d0464236fe672d302b
- SHA1
  
  d4a5a0dae3fb0274c48828e84ff8f960c7463406
- SHA256
  
  287a6b75d1776f89502a1fd0ec571adebff878becb0ebdcec703e8fc6e3885ad
- SHA512
  
  4d22a012d1da6878e3a1f0a726a303084e1f775281f7518bf6712eb80b8fbbf5ef4c659a4be5d8e53ad9c2e0005ec8a3454491dcae4c517f4db7a81fcbad0dac
- SSDEEP
  
  6144:34OusAhTGvRi52AHAio3Ez2Ual3kYqUXK19KfFxmrAEkmB0aiA5:IOk8Q52qAio3ECXQfMfForBku0aiY
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (326) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral7
- Target
  
  35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282
- Size
  
  2.8MB
- MD5
  
  6999c944d1c98b2739d015448c99a291
- SHA1
  
  d9beb50b51c30c02326ea761b5f1ab158c73b12c
- SHA256
  
  35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282
- SHA512
  
  ab883364a8907636c00a4d263670cd495d0e6c521283d40c68d47398163c6ee6647cfbbc2142005121735d9edf0b414ddac6ea468f30db87018c831eaa327276
- SSDEEP
  
  49152:0u1ImfQE5L1PtWHeHoQAOs1dKvHHg/o2S1pj798JGKCO8C/eZRwCr:dzV5JPtWHeHoIs1dGHHx2S1998JGKCOC
Score

10^/10

credential_access discovery persistence ransomware spyware stealer
- Renames multiple (9828) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral8
- Target
  
  39deb2f02fee04a430cff446b35b0984a66b563552775eb1309d35acca3a209f
- Size
  
  201KB
- MD5
  
  cb20cd6ecda6c480e0be79194e914cc2
- SHA1
  
  3112b90cdaef9592426a831a2c0962cbb8762e82
- SHA256
  
  39deb2f02fee04a430cff446b35b0984a66b563552775eb1309d35acca3a209f
- SHA512
  
  3c4febc9d639db2eb4184a6c9efc4e6237cd637bc7851beaaff8f6578b457ea5ba88823fbd5a10c92c790d72647313246fd34cc964bfe36f2404d2ab8d48b920
- SSDEEP
  
  6144:/CAX3vMvPQBgKLr6KVxU3yH49/6RcxE4cWl+257:/CUf8YBtrdTU3R9/c2/l+2x
Score

8^/10

discovery
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
behavioral9
- Target
  
  4
- Size
  
  201KB
- MD5
  
  ffece9104fafbd75ac60f80feb5732a2
- SHA1
  
  8618e39b26fbbf22ccde353fe71c1a2f08bbe176
- SHA256
  
  16c49d677559071b3fc71fb4bb1a3c85cdcf7c4c27454010f69bb0bd04b1c456
- SHA512
  
  9a7fc3e8c24c8c4f54ebe077acdf115841f79afd29c5cf59762c1b65c9f6a0e4e42b778b590d2d726c98762fec2c0db0626961b545e6201b9846df118d498e97
- SSDEEP
  
  6144:UCAX3vMvPQBgKLB6KVxU3yH49/6RcxE4cWl+25Z:UCUf8YBtBdTU3R9/c2/l+2j
Score

7^/10

discovery
- Loads dropped DLL
behavioral10
- Target
  
  4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333
- Size
  
  164KB
- MD5
  
  96b14c03ea5bb2e3f554f378a2d913aa
- SHA1
  
  7cb414191f445d1bd8ef54e99b4b033b80f61075
- SHA256
  
  4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333
- SHA512
  
  76633a9a18e9cc40ba76754ad547cf048935c127e6646a0d288d82909ac42cd811826aaa33d764f1d3a3ea42b672267aeb09f9a2b065549ffc29028357ccfea9
- SSDEEP
  
  1536:FYVLroT4ciMeW75jVZF+pWGRjICS4At+GbvF0qcX8opz25maL3SUtNDWyPwop6is:FHixaVZFiOCDJtOicNDWEzZgJ9bPuEB
Score

10^/10

sodinokibi discovery ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral11
- Target
  
  5
- Size
  
  2.6MB
- MD5
  
  8795b9dc143cc722309f169b2c0d03dc
- SHA1
  
  9b059d1369cab7737df0e6a71c661538010c4a66
- SHA256
  
  378ecdd05f86116341b66cd65cc2099418df21fd4ae740b2bb7a172127fc6266
- SHA512
  
  725c65f51cd419fcb8423a5d527b22b179812b2dfb5bf2a54a1bf1330c64994a76f3ded5cdbc68cb42a09a59c4c78706ae7898b12aae52e56a1beec80967acea
- SSDEEP
  
  49152:Zkky3SUp+YA1iSuei6ZbSXo/LLAxjVH7fLxmal7+hUnWB:OFB0sV6Y4vgZ7LxmQyaI
Score

8^/10

discovery spyware stealer vmprotect
- Drops file in Drivers directory
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops desktop.ini file(s)
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral12
- Target
  
  53bdaf567e302201ef06847d8914477e9a3852fc57d8e50606eab6bcdbdda8fc
- Size
  
  201KB
- MD5
  
  ee6d0cd946e5f848101020236c378587
- SHA1
  
  1dfd6d9e1efc92223ae6223b34b59c91adb7e5b0
- SHA256
  
  53bdaf567e302201ef06847d8914477e9a3852fc57d8e50606eab6bcdbdda8fc
- SHA512
  
  3bae7a2ef5a8161cfd9440c5f8b14e2927e40ec4ab375e8e768209abdc75ecea93828f6be833ae6b9c14fcca22761bde57408977d6bf2e2367b8f38778913bb2
- SSDEEP
  
  6144:oCAX3vMvPQBgKL3X6KVxU3yH49/6RcxE4cWl+25t:oCUf8YBt3XdTU3R9/c2/l+2j
Score

7^/10

discovery
- Loads dropped DLL
behavioral13
- Target
  
  6
- Size
  
  5.3MB
- MD5
  
  4c2fdadb29f624ff540c0e2790b60987
- SHA1
  
  e4b95dd05aa80f8380554590359ba63036c76e69
- SHA256
  
  b3dc1bb1c72c6bda1a7508147b2c92021aa18eb99d419db7e8245f32979cd01b
- SHA512
  
  03a26f8769f46ca5b8bdc9fb44b8ed4a56dfab21a8948516a2fabdbbde7f9c73f708c11c1540ce8c2e0ff47ab539e0780b202c249fe3ebd5423ae31e922294b3
- SSDEEP
  
  98304:z4ARSOULuXDTLjEGxGUiibSpRZxP4BPXWtqZLr8U+GzNQ12Pe7Xw1:z4NOUL+PECGUiUS1xgJge7xwa
Score

5^/10

discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral14
- Target
  
  646677375bc0ecaad279751d8d09220d5d44e20570548f8475f36803affda636
- Size
  
  285KB
- MD5
  
  0dd4bcb59beff511516725118e7b2f80
- SHA1
  
  db47da18c18d029d52d652643d41a54b5251cb1b
- SHA256
  
  646677375bc0ecaad279751d8d09220d5d44e20570548f8475f36803affda636
- SHA512
  
  4ecc53bd201cadedd413fa36eb5879fbe954400f8e2f69d74a44b5c15e53b9cb9ef3afc53f5d699b89a970e223482beddb3c9efa2dddb1a57ca1aa60e4695f85
- SSDEEP
  
  6144:Ikio1/AqFDgwMo2jmRA30Ieyj+8qUyJbF7F6s9uArvGGNGY6xx+xO:Iq1BDgSjRKxeyDktFbi
Score

9^/10

defense_evasion discovery execution impact ransomware
- Contacts a large (7701) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Sets desktop wallpaper using registry
  ransomware
behavioral15
- Target
  
  6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8
- Size
  
  1.6MB
- MD5
  
  d644eb3560601aa504917b281306a350
- SHA1
  
  b43554ea4fa8eed7a9d36e4172546487b627a45d
- SHA256
  
  6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8
- SHA512
  
  c9a2100bd23d583d63c5fd37251b81407036f422d5cdcf2386419d78eaf25fbf2fa7bc6d34ef33f2b427ead5004ce92da9184a70d5c202d2dcb12571b403fc46
- SSDEEP
  
  24576:9CfBXFlrGTi+VIeTZBClhojLEObk5HW3x0Ea0R5fVAM8lP8bCtkQtdMVW30Qx8fZ:IJvGTiRl2U+kHa31LfVAMd7BW+AamO
Score

6^/10

defense_evasion discovery persistence upx
- Adds Run key to start application
  persistence
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral16
- Target
  
  7
- Size
  
  397KB
- MD5
  
  60c40af102c485d0464236fe672d302b
- SHA1
  
  d4a5a0dae3fb0274c48828e84ff8f960c7463406
- SHA256
  
  287a6b75d1776f89502a1fd0ec571adebff878becb0ebdcec703e8fc6e3885ad
- SHA512
  
  4d22a012d1da6878e3a1f0a726a303084e1f775281f7518bf6712eb80b8fbbf5ef4c659a4be5d8e53ad9c2e0005ec8a3454491dcae4c517f4db7a81fcbad0dac
- SSDEEP
  
  6144:34OusAhTGvRi52AHAio3Ez2Ual3kYqUXK19KfFxmrAEkmB0aiA5:IOk8Q52qAio3ECXQfMfForBku0aiY
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (322) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral17
- Target
  
  71a20e270052665d18bc0fe4d1f9608e51f4fd427442e7abc3e5d43c4e987bdb
- Size
  
  2.7MB
- MD5
  
  83cb5b87a786fb135a11bc133fb4d4d6
- SHA1
  
  f0fced87788092368e1360dfaf830e6ea1f1ef1f
- SHA256
  
  71a20e270052665d18bc0fe4d1f9608e51f4fd427442e7abc3e5d43c4e987bdb
- SHA512
  
  dac2ae2129d2dd477cbd84e2464055cb298407a06fd7fd24c54cb38f692914e9f9cdb8320e23861f25642316b05de411d840021bb7b0a15ab21a035f0d68fe12
- SSDEEP
  
  3072:BttFWSfQySeFOHcjyPHkxrahs1nP2omHDj7X2SrhL4:BLXfQySDHcwkEhs0jjKWhL
Score

3^/10

discovery
behavioral18
- Target
  
  835b0ef8f5cfdc2ca8c0d3deccbafc48604e4a5356f0104cedfdfa20b20c2735
- Size
  
  201KB
- MD5
  
  8d356b8729a03d419371c74c9359f70a
- SHA1
  
  b2456b26506ba60bc61a0b640ad6a354ab32a288
- SHA256
  
  835b0ef8f5cfdc2ca8c0d3deccbafc48604e4a5356f0104cedfdfa20b20c2735
- SHA512
  
  abf13a32decaa7e2c96d1a0ea1780fb3e4207677c2bab54cf6c904c1f3e264c0509fc6b050bc8312e7a285231251bfd987caec90f0a831f9fe6b6f5f0c064efb
- SSDEEP
  
  6144:1CAX3vMvPQBgKLN6KVxU3yH49/6RcxE4cWl+25g:1CUf8YBtNdTU3R9/c2/l+2q
Score

7^/10

discovery
- Loads dropped DLL
behavioral19
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  16KB
- MD5
  
  c8ffec7d9f2410dcbe25fe6744c06aad
- SHA1
  
  1d868cd6f06b4946d3f14b043733624ff413486f
- SHA256
  
  50138c04dc8b09908d68abc43e6eb3ab81e25cbf4693d893189e51848424449f
- SHA512
  
  4944c84894a26fee2dd926bf33fdf4523462a32c430cf1f76a0ce2567a47f985c79a2b97ceed92a04edab7b5678bfc50b4af89e0f2dded3b53b269f89e6b734b
- SSDEEP
  
  192:A+6KSH9582ppDQdmVl4SZ1t6C+2BxN40bBB3wIuQGEG2l2VLsQKBvrrDzN:hBeR0mVeSZ1t6QBvv6o2VATz3
Score

3^/10

discovery
behavioral20
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  11KB
- MD5
  
  da979fedc022c3d99289f2802ef9fe3b
- SHA1
  
  2080ceb9ae2c06ab32332b3e236b0a01616e4bba
- SHA256
  
  d6d8f216f081f6c34ec3904ef635d1ed5ca9f5e3ec2e786295d84bc6997ddcaa
- SHA512
  
  bd586d8a3b07052e84a4d8201945cf5906ee948a34806713543acd02191b559eb5c7910d0aff3ceab5d3b61bdf8741c749aea49743025dbaed5f4c0849c80be6
- SSDEEP
  
  192:+sIDDUfZsODh1vS4yWkYinfY0kfPIQUl/58a9sSI:+ISOzq91YinfYBPUl/58a
Score

3^/10

discovery
behavioral21
- Target
  
  b15b78937cd33dfaedef28385b293c92b999f37b2a97d01d516f6189a6afefac
- Size
  
  201KB
- MD5
  
  f8728b83a71b43e96bd6fde3bb39790e
- SHA1
  
  05e5aec5537a436b65b9bd07ab0730827d915ae2
- SHA256
  
  b15b78937cd33dfaedef28385b293c92b999f37b2a97d01d516f6189a6afefac
- SHA512
  
  f830c1e1121d6e90b4078ead4fd17dfd4779fea6dc5274d841510f80baf1094d82eaadd44b94b47289e59019c344e740e3a3843f2c17c511e037ceedb72768be
- SSDEEP
  
  6144:HCAX3vMvPQBgKL/e6KVxU3yH49/6RcxE4cWl+25g:HCUf8YBtmdTU3R9/c2/l+2i
Score

7^/10

discovery
- Loads dropped DLL
behavioral22
- Target
  
  $PLUGINSDIR/INetC.dll
- Size
  
  24KB
- MD5
  
  640bff73a5f8e37b202d911e4749b2e9
- SHA1
  
  9588dd7561ab7de3bca392b084bec91f3521c879
- SHA256
  
  c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
- SHA512
  
  39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a
- SSDEEP
  
  384:wv1j9e9dEs+rN+qFLAjNXT37vYnOrvFhSL+ZwcSyekzANZBJ:w1AvEs3HBLzYn29vYh
Score

3^/10

discovery
behavioral23
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  16KB
- MD5
  
  c8ffec7d9f2410dcbe25fe6744c06aad
- SHA1
  
  1d868cd6f06b4946d3f14b043733624ff413486f
- SHA256
  
  50138c04dc8b09908d68abc43e6eb3ab81e25cbf4693d893189e51848424449f
- SHA512
  
  4944c84894a26fee2dd926bf33fdf4523462a32c430cf1f76a0ce2567a47f985c79a2b97ceed92a04edab7b5678bfc50b4af89e0f2dded3b53b269f89e6b734b
- SSDEEP
  
  192:A+6KSH9582ppDQdmVl4SZ1t6C+2BxN40bBB3wIuQGEG2l2VLsQKBvrrDzN:hBeR0mVeSZ1t6QBvv6o2VATz3
Score

3^/10

discovery
behavioral24
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  11KB
- MD5
  
  da979fedc022c3d99289f2802ef9fe3b
- SHA1
  
  2080ceb9ae2c06ab32332b3e236b0a01616e4bba
- SHA256
  
  d6d8f216f081f6c34ec3904ef635d1ed5ca9f5e3ec2e786295d84bc6997ddcaa
- SHA512
  
  bd586d8a3b07052e84a4d8201945cf5906ee948a34806713543acd02191b559eb5c7910d0aff3ceab5d3b61bdf8741c749aea49743025dbaed5f4c0849c80be6
- SSDEEP
  
  192:+sIDDUfZsODh1vS4yWkYinfY0kfPIQUl/58a9sSI:+ISOzq91YinfYBPUl/58a
Score

3^/10

discovery
behavioral25
- Target
  
  b3dc1bb1c72c6bda1a7508147b2c92021aa18eb99d419db7e8245f32979cd01b
- Size
  
  5.3MB
- MD5
  
  4c2fdadb29f624ff540c0e2790b60987
- SHA1
  
  e4b95dd05aa80f8380554590359ba63036c76e69
- SHA256
  
  b3dc1bb1c72c6bda1a7508147b2c92021aa18eb99d419db7e8245f32979cd01b
- SHA512
  
  03a26f8769f46ca5b8bdc9fb44b8ed4a56dfab21a8948516a2fabdbbde7f9c73f708c11c1540ce8c2e0ff47ab539e0780b202c249fe3ebd5423ae31e922294b3
- SSDEEP
  
  98304:z4ARSOULuXDTLjEGxGUiibSpRZxP4BPXWtqZLr8U+GzNQ12Pe7Xw1:z4NOUL+PECGUiUS1xgJge7xwa
Score

5^/10

discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral26
- Target
  
  b4e3091d3119268dfc8ac3caf2d5d02fd4faa360f822a87b50110b805e465181
- Size
  
  164KB
- MD5
  
  921b05d4fdd12c986bed19ae96d10fc4
- SHA1
  
  b6cdb9f5693da24b95fb479b191504f7e22cf717
- SHA256
  
  b4e3091d3119268dfc8ac3caf2d5d02fd4faa360f822a87b50110b805e465181
- SHA512
  
  72f5dc8c1c205cba6bf89bc274beb57e31723736a9040c4231a12b8c2ff0095cf35201e993ee88b636165da465d5516dfeae50b1d332ba15c8a739a479c0ff21
- SSDEEP
  
  3072:FHixaVZFiOCDJtOicNDWEzZz61d7canxB:FHigLF5CCj5zZ41
Score

10^/10

sodinokibi discovery ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral27
- Target
  
  c1b35d3d70c59a66a35ab7e4981ee3459571af1e43997a334bac1c073485fec3
- Size
  
  164KB
- MD5
  
  2fd61f699532fe2b0691422aa285ba17
- SHA1
  
  bc9996b712c71319508a946ac2a004a131592438
- SHA256
  
  c1b35d3d70c59a66a35ab7e4981ee3459571af1e43997a334bac1c073485fec3
- SHA512
  
  2f3788cdd321836901b64797854c0c9074fb3c7abfcce11a026087903171aa5df9e2adb7affd4d0c4e06cd1218e5b86d121e96608a728690160df88d2a51c5c8
- SSDEEP
  
  3072:FHixaVZFiOCDJtOicNDWEzZwb6KoGXHIENB:FHigLF5CCj5zZwOnGXH
Score

10^/10

sodinokibi discovery ransomware spyware stealer
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral28
- Target
  
  caa5f52a7811c49ae830606f01fd70d846fe53e9858603886f504e984fb2bc78
- Size
  
  164KB
- MD5
  
  c4afb5d2f4bb0c266db26f5f25819493
- SHA1
  
  6795a2ae5c68886de7fdf4b3709034d6d7cbde94
- SHA256
  
  caa5f52a7811c49ae830606f01fd70d846fe53e9858603886f504e984fb2bc78
- SHA512
  
  ca0ee738604ff97441ee279af93920ad915a350329229921fdbe093fe2d0de02296bdd57a81096eb3f62510ef5903a72249395129cb28838273d13fc530c7425
- SSDEEP
  
  3072:FHixaVZFiOCDJtOicNDWEzZEHHiR29t0VB:FHigLF5CCj5zZSK20j
Score

10^/10

sodinokibi discovery ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral29
- Target
  
  d2878de61ff17b2ae8cd556a6935af332955f07acf1991ab30ddeba9a5ced20b
- Size
  
  201KB
- MD5
  
  4a3790949a4c0498657a4cb57b306d46
- SHA1
  
  588adcebc9dc82b4b57674d861c7ea593f3bc96b
- SHA256
  
  d2878de61ff17b2ae8cd556a6935af332955f07acf1991ab30ddeba9a5ced20b
- SHA512
  
  eb4ca5892940aeccd7cd033ac137a25aa0be1f3c5f1a72afcbb9b464cbb1c4e462471d565318dd30e0980a268c5308efd932d4a8a9091439f7d59f044b70279a
- SSDEEP
  
  6144:bCAX3vMvPQBgKL/T6KVxU3yH49/6RcxE4cWl+25Y:bCUf8YBtbdTU3R9/c2/l+2W
Score

7^/10

discovery
- Loads dropped DLL
behavioral30
- Target
  
  dbadeff4af3fa7785d54d177db9608f24d405971cf642ca0759a203d9e895930
- Size
  
  198KB
- MD5
  
  09689a0fa6c7adbee9dc77881cdbf205
- SHA1
  
  7b9f5faa34f5b5dc83cacb2cbd82cdb8a9aa251b
- SHA256
  
  dbadeff4af3fa7785d54d177db9608f24d405971cf642ca0759a203d9e895930
- SHA512
  
  e17f40848451b35791918478dfe1069b2f8ebbbe272da67b99298ca0526a76b44deb6adf729ee2b29eeccd13da78d9156dc22f03f3ee843143575eab71c08aca
- SSDEEP
  
  3072:bYm0i/Z/t3E9gyN9HLSvdN4vKijSVuwbXiz:bF/9E9Vf+VS9jELiz
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Executes dropped EXE
- Loads dropped DLL
behavioral31
- Target
  
  f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9
- Size
  
  401KB
- MD5
  
  5a131b48f147586afa20b0a1a00a1533
- SHA1
  
  35d0125d8ca6457ff4604d5e245b2102a9ec4a6e
- SHA256
  
  f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9
- SHA512
  
  0d01c70c6dbf948ce29491bb81df5bb58e010e775456a168db93973b4dd9fc4a518fff68c7480cb4a79a52b2a8070253b3f06d32e0ac0ecf1c4b1541301a32ee
- SSDEEP
  
  6144:KzLr0iArBI4BdswFu+eW/9QF6nJ9/SAtKOqKojDEjm7Bx3A4vhvGGnCA9CJYNc4V:kXAik2yuRe9BXrTyDnBxLZmA9C1
Score

9^/10

discovery ransomware upx
- Renames multiple (230) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops desktop.ini file(s)
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral32