gandcrab

Sharing

Copy URL

Twitter E-mail

General

Target

1.rar
Size

1.6MB
Sample

241120-qek6ca1qhp
MD5

72abd1e699045795972df38ef40d0c30
SHA1

f2b9040f8fa4ccbad006eb8fed6020fe3f40d08f
SHA256

280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0
SHA512

3890b4d31f26dcdf6efd80816668b6617a2b93534c158d6302c1544d132ea03d23981472de9524a44601b36415adaf744f9fcbe4bd5ba75a3a743b1facc9bd06
SSDEEP

24576:WMdC2A/fFIf0fepeWD37XFmGFvE54ANn7Tzz7tWOr8NV6hxChSAwn0FMv0ksG5Q7:1+/dIfgeLL7V254A1zMMhE9wnoW099cC

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

alaskaremote.com

epicjapanart.com

narca.net

mediahub.co.nz

mustangmarketinggroup.com

alcye.com

reygroup.pt

letterscan.de

jax-interim-and-projectmanagement.com

unislaw-narty.pl

justaroundthecornerpetsit.com

bescomedical.de

bertbutter.nl

parksideseniorliving.net

reputation-medical.online

biodentify.ai

polynine.com

nvisionsigns.com

luvbec.com

hospitalitytrainingsolutions.co.uk

Attributes

net
false
pid
13
prc
mysql.exe
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
49

Extracted

Family

sodinokibi

Botnet

Campaign

1234

Decoy

hameghlim.com

rsidesigns.com

goodherbalhealth.com

tbalp.co.uk

designimage.ae

elex.is

innersurrection.com

chatterchatterchatter.com

catalyseurdetransformation.com

mollymccarthydesign.com

gardenpartner.pl

cops4causes.org

gatlinburgcottage.com

yayasanprimaunggul.org

awaisghauri.com

amorbellezaysalud.com

unexplored.gr

fi-institutionalfunds.com

zorgboerderijravensbosch.nl

ingresosextras.online

Attributes

net
false
pid
35
prc
visio

synctime

mydesktopqos

agntsvc

xfssvccon

outlook

firefox

dbsnmp

ocssd

sql

oracle

tbirdconfig

excel

steam

thebat

powerpnt

dbeng50

ocomm

onenote

mydesktopservice

msaccess

winword

isqlplussvc

wordpa

thunderbird

infopath

sqbcoreservice

encsvc

ocautoupds

mspub
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
1234
svc
svc$

sql

memtas

veeam

backup

mepocs

vss

sophos

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\UONNYODF-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .UONNYODF The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/91f1a8a1ef4f068c | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAGTBWxmBHljz+VczfobxqwrTUAohNHi3b5vBIcE5ltxDABMBCBuiBDQ33CFPBwn+Kk+Dm7sOi/oCmmNaPZJVeogSLlmM0xfropuO72PePWBJKWTaj734ik6yOh9IuQHBTioFVdwXjR+/WSEq4EsHljm+kVIOF6LRln0v30al86rN18UskZeTX5iaJW7Ke6aItW+/V8X7OI6/qnZ/TWj7zII9tY8D3VrTp2N2U8ngHd2zT4DZK96dIszS4kSzsfxU6qoQDhUPpeGQM9kGTtNJAqAUvRZUU50J60ijfaLpZ/yZ9vq5HesKUkH4q7UIopvO2Cu6T/sza5EdRWn89FAfjV5g06gMg7MDf9zjMkyvuAYotxn2VVGGz+e+L2+9itWfjWXjGHRKWIGbKlxfXIqgKzLr8zY36hDUq8j2osyAusfPYB3TJVeLWErWDjcfZM6lSytZKA+/UvDoq/VTSJSHbua/VdZIlvF6Sv9lOGxilbblzdNqcrmVVtf82k5taPAf62eJiI5jFmaQr48Te6YBaQZeuZsYvVLcuaRbHz2lVwi5Wc3O1+5MX4EtDnnCTcGFsEhYNynaD35miszv6DSBtvZuHVMK0bb7NJ/ywaNou3wNZHHgFSI8lRsto0/6t+bga59U/Kv006+/5WK43ubZLmxdyu7SwMU3UpQwdtFgbwGdQCIBt8trAeCkBSHoWdQpjR42TXGljDpmmV5L2TUbs41kSuesR80C2bSgWFaaAe1ayaLbgWRFoEtQ4SNH/Pdy+HTIS76mQMj4SmqdiJHeI+bXOxmj+4liHfYpnF+GQ6ZHb/EjRlKdiIwyWijrhfleYE3bFtMIcmjGWOpJl0V3T0eHwt2StbUbQWjdwx/ItZntCYCEHNfD2VNgHQI7AyI6BQALrgI57oHn6J3UbIVe4ZTazdFkPJbQ95G05Wo5U43MWQnLIy2AUtqF4twAYiOOUnMnDZi6LoRsu6HymYMLOynTRyp+8TzoYnSFVWgMl2V22kby8kfF/NyimdrvWESr7q9E+igrEi0E7utaboN4MUIqNE3WTcK1YAE+ylPlPdmDBq9OQ4CZCClEPDWT9VPGBRxJTPfJRuZ5vZGBTmgD56Iv78F9zVnEwRmzkh1OVWv+g9zu+zaFmfxq2E/9LmkOPNsOWyZnV1yAIU81310BcfnTksjGenI2BMhj9s0oyuyqZSaYhIofkrMShxB9irsbZHHAKSDlqZtL9DFGhC3HRnOoVEW5d8kTr1JhyK4b3QMAwR77KlX+TXlWNQc3F7Ey/vZmKL89f99lKUHfNuui5QpxQtpaslYWG3go5CL+H9CkBhuT9YDgoOexESYpO44rUDG2UBiMR6CZYMg/qv3UngbijJw1H3msvQfwqJBtEBW21LLmI/lFJOWRPrXJOwYj11VwZPQPKnHkaIuaPAkJi6Mu/SkTjx1Ae96uTpA8BEi5tRQ9sI6BJKvBY5txOwqYXLFR/wkQv6CmYa745DusGSV0QWvzsd4mf5+DA5ooGtXWq2duWpPTDkAA0l2FMrBpGSIsU0L4Nv4e0WgxtncqvRjU7bYXTQWZRq1IEFf8l5uP411XmEpARgou1F0VBKJrJS8kObiwu9LzCkO98dCLJ/MU6LEDpXIRvmkX+jI/H5yMKGKPgA/L8/bnPLXHlTRbyjOscUvZQtCHk+Tu09q9PqLdd/H5EQHsVYm3vS7487sAglvfFrIMDzD1y1pJdS9WFNj0h9GoTogwqraOm/gIiWjsu46F1BDBysRXd8Q2l4hZ6n/bKFOnaJv3ZDD0sXVagr4CIMoixuOffkBdIDWCYrJdtzw1e1nAFfjiNrJTrPCSUZQslvs7OO0uWofc9y62reSyHKG2pO7wXxNEhq7DhFqIdW9+MlNyPpPzChMqgJUqx1t+0ArCH2+AQXUxot+HapCfm3WOfii4kB8rsZDhmmdGby3iG0Hb8+6f4D6t9gCeySVtAtxmoHPIaGYhdbGvlVZfqZJeRdx5o3l3MDfH+UDxGOwZ2dhufEGuMP9htG8YZfJmoj9DL3iZnLnTFT4hegg4IFX9M/oG8cWPmaJWOj0GdemE6ey58N/PrlMkVCi3GStLI3sclbNjlHQbYp2O/gp4lXPKwlQlf9EGIbx8dXnK+Ha0HyOnR8qmar/veA5g0i7kU9/lTJ88HpLYY7LQ2O5RD2CBbt5XaTcXkxlls5RPX7Fpba+XxW3xWGwx8VsdSffB/k04R8wj0M+pygZM86We750= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD89N/JJJDIAu6Vo+DLRW7IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSDyDEtOyJfNBcBixq/8Y/R7W3Z7HImYKRjEeGP9Hyr/NzLOzjDaO2rwVWxuZ2TzbJpvbdL0N0zPfgSzCzhqApoTPFpp2CPDOx6ihEudzoNVoM6j2VyOmqqBlvZbwDrtsypS8B1filVjmQ7q14GuxOgTOwQUyhb/ofzNwkLQejqrjTwFji9zPbKPSghI2dWKf+5gkQvDGihIFfEv5EsSM5AN7hzdQVIFj1CUHPyeWMbZ0I1gk/7uRQeyoEinT3CrvrP9dFPEuVLsovLqYb4AnecHqVubCDEZSsSLSNnIyaZEI9b5008FGYczrSlaIGDBHFzoGoqA9wiUaNxMzG ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/91f1a8a1ef4f068c

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1163522206-1469769407-485553996-1000\SKGLVWLLTO-DECRYPT.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .SKGLVWLLTO The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/e9758a5490ed8c0c | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAG6IP0lE9YK26z39J7bDyePD/QCTfoGQra27EMdk52koH8r4sUkhwBAww8mANVmArYr/lTv07MnUMSubiuTUqVwBRai0T8yXretKyGwVa9WQ3sJL+Woz1xTl9MzM9v0mzVDfRCneebWaM4Lr7QqlEZI3Dr2V9Bvd53rP4nHcLYGdl+/zWAiu2maF0IuHZjAtTRy4Z74rpgw9LqQtf+LZk5SSavdAp+8b70O2AOSOAOgRBSgHtexIa793ZNEbJhijMCwXkaYzNy0dB2YB5cdk0fSK0HoZ61cuhYwD3gQlWApabWs0b3BAiNwND3xk5YF0xIYluIXqImEHu57MM705y7fN+kMghA8fXr29gX/YnLcH81yT4cugfB+lAB+bv7r79VWkoznl8RkISLY4fU3JSHVbjpZs+6qR1YAALu3RmtKMvMvJ4zIQUzia4kTQYqqTnCV8ED6mgtdRbu613OqRXXXoU7WMAj/f9agDrLliISRsSRawqR0pjjHcZQCPHT5TIK/+tAL5O6JLzY+j/0lWqUn5awsWARrOUsiKeprVHmhoBeiIjA+B+jjqHvkYZvrp1LwoofeAzkpwD5bVXWcNVxdYOueSfwrecHOGKjX/KmgHiJjEFiTsvQ/a1arqAwqUV0kkqhaZLkrCmNsz5mltpRfm0tPPqq5dl8xFkKSkEBafim5xiMsJBvksYjxWf1xXLw2DNrNQ1QGGla2zKz0MgIJ20fWTNJXnNQR00fRxv8h6Fjsy5oxWoWCcomNxCcQ/+b/4X+MWekvOdJcruHWsBgo1OyljFxAsu1IXVnIQermP0EB++u4ddWqR6vQgzyp8Rn9lx9qTZKfKAmxuTeEPWF9BlHBY1AkuqHFGcFVGX/FM/S/xxBm+BXTxR+B1h2jLrk9s384waA0pEYFWIho4/TKsTM01eqQHAu+LaYd0Lha4bQDqBtsOm31YA+B00Dgbr39CDluES2g20waNQkNPDJFD6cVI40YyUy+bF7q9RdFA8BrT+7Q7XoQJKo8OPnf2RYCmij/txfTswntV5deW3AZfShbJBU+T5phZc6/Vs4VCfRsod5+U/96h8E28C7bWurT/7flADrymEfp1UFrxLjia8+tYLa9GoaeqNPuhASoYEOF9nsBG6hG7OcKTdgBfZLOkEpfHYl3O0pI7SpL25+Zev9LqvG3ulDbYQxEmqOvZHREjZppj/XRPk6K+fp5yBNuEVqxlbSmNwjh8de9karnVryM49qJpDP+Tdu/+Tk1HuwL6PKdjjUDjIUQWk4KLREjv4xF+lIJ39d7qFVE7Cy4HYt9anJIpkUNSVBMbhW3YLvWi7PBf+tt5EKtc57sb3Sa6eGy6NJGrxI5O264TpuHwYop+9eEAkYtOd0BHjRqNN5GUaofnXWnzedUeFVe41EqYALsFoqrukzO2+zNs0ntcWmwEmTospTBlwVDtGp42b5YgRw+iB5msEwIUaRsP85WOqSD7KWF1vOGb0CjLYEbn2jh7FKzBPmoz1G9hRBrYhOJb4aI0fKSJjWzxbo1Ikv43KV8NGkdC7nx0sSLTNMmMY0BRFQ3D5htevIqvYVLX0rswlyOP3VtP3URh/JiaOjB9fTAWahR2MRU8QWEtxjCU/7JZZ1+sR1PFSMSd+KO0yo0XboyxkQGCLpibStEFJpXAbg1t5xnoFEy9NV4hwNpkp0AR9gNriyT8tFVI6Aw144P0v5ep48/ZNsVHi5vMYGMfCDvWKj/E1Ho9qPcuMxBmCn/SO7pRTD3MeTtk0Nkkwhv3itDQ1njEhTZIPihZkCXh6mXpvR63nxSeb58EAFZzq3/XNUCVg5feu5A3hvGHDsYFG7Zjh9PRxr0l7Mi8srGMUPSZUTuhni1zhQ+5HzITJgFBOlHl4hvUaI9L3H5R9jY6qIdfN7d16+E5klVgyfjVZhL2VbT1uWcCWXqE5+HBqInCmYCDsaBUa+TIfAdhSquGqK1jYeiGSqiaqOLlRIaNWsrKu3MVV7dhY642/dwN2RXf0y06zs8rYhF3CYH+XECIaKl5AOv6l9iELsOvpx2h+fJAWSnEIK74D3G362BD4k25FVdgtQLqs6i7ZmO9EvPV0VNjjsZBLQ0LBsNqFbVRbcVy1jb9zXfPimZOxtDvm6bIMpyINtkCURScbrlOVRP1bUogSO0Dny4WpfIFtfu/b5xgmbVh7+CTKe9VigbI+ogjbUX0Ey9/iEF0jgASXPOEnURCcnxNJ9oKiJzwCXPWd1s= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDu9NbJP5DJAuCVqODSRXvIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSUyDMtL2JeNAFBnVqq8Y6R+m3MbGZmYCRhEfTP9nyr/NzLOzjDaO2rwVWxuZ2TzbJpvbdL0N0zPfgSzCzhqApoTPFpp2CPDOx6ihEudzoNVoM6j2VyOmqqBlvZbwCrtMyqi8O1f+lVzmV7q94GuxOgTOwQUyhb/ofzNwkLQejqrjTwFji9zPbKPSghI2dWKf+5gkQvDGihIFfEv5EsSM5AN7hzdQVIFj1CUHPyeWMbZ0O1h0/u+RWez0Et3TBCrbrZtdLPEKVKMo+LugbownacGyVorCfEZOsGrTWnJ+aY0I1b840tVGNczDSjqIBDEPFw4H0qABwhEY= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/e9758a5490ed8c0c

Extracted

Path

C:\Program Files (x86)\Internet Explorer\How To Restore Files.txt

Ransom Note

Important !!! Your personal id - JKJLA6J6GW71kQtt Warning: all your files are infected with an unknown virus. To decrypt your files, you need to contact at [email protected]. The decoder card is received by bitcoin. You can buy bitcoins from the following links://blockchain.info/wallet Do not try to restore files your self, this will lead to the loss of files forever GUARANTEES!!! You can send us 2-3 encoded files. And attach for testing, we will return them to you for FREE

Emails

[email protected]

Extracted

Path

C:\MSOCache\All Users\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

SEON RANSOMWARE ver 0.2 all your files has been encrypted There is only way to get your files back: contact with us We accept Bitcoin and other cryptocurrencies Do not try to reinstall operation system on your computer Do not try to decrypt files with third party tools, this can lead to data loss You can decrypt 1 file for free Our contact emails: [email protected] [email protected]

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme.hta

Ransom Note

All your documents, photos, databases and other important files have been encrypted and you can't decrypt it yourself. No one but us can return your files. Free decryption utility does not exist. Each file is encrypted with its unique key, cryptography based on elliptic curves, key recovery is impossible. Focus on the problem, follow your instructions and everything will be fine. DON'T PANIC! YOU CAN RETURN ALL YOUR FILES! FREE decrypting as guarantee You can test decryption 1 any file for free (with help our special software " SEON Decryptor "). What to do? First you should write me and i'll send you a special software " SEON Decryptor " (this software needed to decrypt encrypted files). To start the process of decrypting ALL files, you need buy key to the " SEON Decryptor ". Contacts E-Mail: [email protected] E-Mail: [email protected] Attention! Decryption keys are individual, the keys of other users will not work for you Do not try to decrypt files with third party tools, this can lead to data loss Do not try to reinstall operation system on your computer

Emails

[email protected]

Extracted

Path

C:\Users\Default\ql853zd91-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ql853zd91. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E145A8A07E32043B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/E145A8A07E32043B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 5Ci3yGO7VPOHz4y5/gE5JUP8oVCRJXtl6igOdTNpYI1ZseQlquV9MKse52CMe39Y 20jdSu8Te0aFff3jAOEcUVBFeOe21TG+OupIQYe00a5pi4nGX0p74nGwg5YK/4Q1 YX0hM/A5jHSncJijfSeZh+kriTayeLQsp70XyFzAG9gzPnSwNnQvag+pjBQoIseb ObNubHXnfqfB8ZkkO9nDlDPtml7Reefxh5oulJbP3eOPbDyvcV9f1MP+Os6zQZTp CLJwaNXIda2vHoHKts2SKQoE6Fww3zoVwjTpuzPN1dwB6EDYCKyzz8DpkaGtTchm ZKtDuSzddRk4HmaWg6libi7Q/y/MLc6Q4Ql4nh+2LPbN69/yFEPyRBtYdIzRLcok vWvu8eYG0VokT0vbuWCUEcCm0VlkGQXHruCumdC5m8h6S4GTrDLSvX4G00MRmY3l XovkIdSHvlvOAyDEp/+P1tPuR+FbfWNbTo5TfFLMIenaN9txHIZqR6WhowlkF4qz OlVhLzmsX6W3n7tY6hCpvir1wOogUY+DkQdMInSuqNKfK8Yy9AhinjzRoS0ojPH7 GxenaFOKAU8ObCm5OdtHf9tD5LFVlwnEL2Bx91KAVXiHztx8zuVGH4yz7x4pJJ6R twP8pk+oeqkAktARjAy+Ka1xHhliOLDOHBI6DRLqopzsWTQpZIM9SAiaOFg6qzDq rUeG7shl4jSFhK4FNBxlATFhRaPVmQQtO63wgcw9pgb/iDcVgJ22mPq0hHuUETjY bfQmItD25s4CH2i/ox5HEtMtA2oYiGeHfahpS5M+lL7RhaJRCZNtZvmrcYw6HRnb T93yiry7ROfeoRLZjgd/dboNDF+labX6D0UtyjUSBYEh23XmGuxzIkvEYvEF7gRs 76d11FSdSJ+OMLGyLH6pDp0UBT08KtEEa9FQvf4FvO2XsSUn7H8K3kFsiAR1/dN5 ILtT6JKSp6nNpNSV0Ve2FQTsIrrVRAFAWgg4opQzLrwM4dGTguRGwkB+EkBYIwQ4 Tlw1vj8cEejjdqoUC5PnQ5+hj3qyAuq4XHcFnUmwvqIplg9iw1gE+Rpq7OAHqg2z 3EPZhFhmzheXyJEBP1JopQpopKOAHDFoiNqfn0kZMx3955DrWzMx0KK89nYLIYZr myZpHMBUhbAVrHNNpKP6qjUqrfCk34TYCEU= Extension name: ql853zd91 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E145A8A07E32043B

http://decryptor.top/E145A8A07E32043B

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\HYRJAC-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .HYRJAC The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/508ee86b4c4cf791 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAK4/gCZukIleFX785QYIntbU7gg4Y/7GJkUNX2v8IYypHp5NCpOgFIsRkZJTnamP5N3Gg8bN9oSylItN8oAOO7bNZs0MpieA0FvhZFrM7V7vB+vqwIpCoqH7Y8B60pYtw6kqLMSN22b89tVFuREt8/ibeiLVCZdVH3x3iy4jYyq2KIOuxZ8FhEuofA4E3kBIT9QkO+4HUs7iuFBdeCsBLHvDr4G/Vu8NxZwq+8GOnOXxIO/qplBbsPHNalhjyCfhA9/kdx2XUUNIUqUiNiuK/1c37wTQyTfzkPh4EdgHif5OOA3HdRSpDSbPslDjmVZrfNVDsxN5luEu74U7ZL0VYpAdBGN9rxmB3h4tSweF0z9HFWp9yNRw+XYpAoxYc2lnWMxMFSi/jDiaGp+Ao+MBXfujfjoNU076HwcmXmWuXWIw6R916Fqo6bRN+NTJm3/THOeyHWAan7/Uc6MmMw8brB9rqsjGwiG0YRn5lZFhRLGRcSiVmYO8rDddT8Xq2qw5q/FDLdiN5dlfWPWfJFgg0TnY6RJ9b7FIpOrWZHVridGODCdCCwJaIx3F6QDEtvD1mSZtheCOAC6APltpV0ZpsXQ2JBhOPew0AACpV8duVJJYw9Ej4Yu68DmZznOmgizWrvyle/DUr1uDtvjr/FFKmhxV9BgLlQxZ2soY9I0aNeIWppT4CcDs6K4sYDZ8/rRjl1ySVcWjWkRdGVo+97aQjgiJn0ub4k1rVh/+ZhjrZQdIYbOk076havw0IlAyRTm9GyBdbpjkQUYQ38QWiVYJWyGQshoiw4W9j45/ZYUR8NF0jakE11R1RHTExW8BQ6rp69dJQ5vNaXaqzGiVTTjvlBvAT2LXM1G2rUiYc7sICxu/R+J+T/hXl1x7Q1rd7CUfcSL83TmJYUdqBic2yRhiS9N0LMeY/hyMXdNSQhqGKudeN8epm/V2oNmxgx8M3mWwSrqR2xnAFXPHdah2pKSm1qlA2jWpu2Ba0HHPCIDwTQbi0+7ObnD8txi/SIYJoncWOA/StmyUVSWOLDm1M12DR6ZYK3KbBVHgr0aZbx/R66mfdDfkoWGZfK8ZCLikklLMWP4JrOM8303fO5MSzEGA0m7h20Han+euEIfyGS+BEqVZvVlHvQhQMScyLam6Onp/GOYUGMhayXe5BNN95EzikeKa+/ubdasxS3Ve5ZcZ4f1Bi2Ajh1pPJA5Mm8UjaT2QVVIPLe6Ddy2ZtZUy6uh8JKVIEHmZn1H2fIZCNdpjwhzVEeTdzFa/BbTLEfGu/kCUXelvUx6+tivg30gfLmDn+FCAEdp+ZVijMYby5U+KA8PF3cCfKGrJDAT9sQNAbk2Qk10AhPzfZT+Yx8JRfq8Lg9N9qzhl+WAhq2HldPMkbgtzMUNYDySHJDfo7wkk+aFHUKfv2cdgBkBOyeRPGv85q1O5wkeyWernJmvEvYC1hZPzOJSdD3ETrabg25B84iF/yoe0Y9paRauZ2ySVQFDlfrqU2DhOLe5ARv9/yi4/r9GLPcsUF24xcoWnF8KdR6GwVpBKsDvrPbimKVimE/K9kATBA0sFhHcorRSHO5fP9CDZpRoPo4oc8srOyl1/gxpjEoi1qx5ZMciqZodEidPUOBUDqA7m4gSZ9duB/N5WsrW2Te9kGVV5qqdsqQg3iqcl1aEQod4CPKL2ugiym7MuUU0qvVdwVaAsCDRHLOeg/7ZAFDSI5Q6lmFlKf4cQs/Bqm4RRZ5zLRYE4EfjeJfHonllus4/iny0DiLw6dYfpCeiAF+IvQKC1RxNeTLc7zzy9wHv1l+P2pdZNdPrathzCQleg38QDYa4IqWp0s50OiBb5FYOOexHWbH+5z6HiZCnvkutjm/7beZFpHgD+Gc+yqek8XlaSUHHGdlOp1FfgJaMu5cFm+Eowde/ZbYDlW9o4B3uSRzzOBb3L74ysU8ma0YG2gkhxBO3lSFV6YpSrX7HxcwowDKEbbLqQaWB/hoGD7nW7yx+mnSjLVklGBlPnUkwMxN5Z5E9o74Wiksn515rIr7CffeT3ieBqiBgPBvoQKQTnhy4URnfILudRCs1mq5UUO/98CJbGz/NF3moGeUvKPEwbEx4JCIV20/vqvsAphCgSVM/UBgAGVhFmWf/yTQlf+G6ZTao+ifDWRvgN9Yxc/uQ9rTfomCcqjKti3dY7EhZJ8cHRzQzKV+tdgT5uIjGQP2JuIhIjnoquPeOIzV+INeaeTJndh+uNNe2Eozq/YyhC7XA= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDw9NLJJZDQAv6VpODIRXvIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSAyDFtLKJKNBYBixqqMZsR+S3YrHImYeR2keHP9Dy/fNzLOzjDaO2rwVWxuZ2TzbJpvbdL0N0zPfgSzCzhqApoTPFpp2CPDOx6ihEudzoNVoM6j2VyOmqqBlvZbwDrtsypS8B1filVjmQ7q14GuxOgTOwQUyhb/ofzNwkLQejqrjTwFji9zPbKPSghI2dWKf+5gkQvDGihIFfEv5EsSM5AN7hzdQVIFj1CUHPyeWMbZ0I1gk/7uRQeyoEinT3CrvrP9dFPEuVIMooLqYb4AnecHqVubCDEZSsSLSNnIyaZEI9b5008FGYczrSlaIGDBHFzoGoqA9wiUaNxMzG ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/508ee86b4c4cf791

Extracted

Path

C:\Users\e99x17132-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension e99x17132. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/064E0B6786239CD7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/064E0B6786239CD7 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: pSiqBwJWhWHI4qA9U8RiWbbgqGCD+tj+aoTbB/Z2af7oxKKKOls5zgT0cBeQBJDw yw86Bod0EGyMnZ4cXRXRu+MwuwH3H7v3XUCatDQifbyShEFxgYvcRhdJQ8GWFiXn qra1B8NYit5OgtBvKL1ff6+Sem0FNTvJfTRtDgLALZbQyfYZjNJFpeUjiuhhYua0 eQwxpN6pksIDdYvxdp1uO4r3dvJEXvGhqfmvFIDRGmhQY1D4HFuf5lk2UCv5HfUD ZyDVrprvi1gnn7Brkg2m0CJTW/g0dld5266K4oKWFrDxMetgMCklv2dDIMWusEjm qfDbw5FjaI1Z9DJWLpquF1IbWXVL0jy7Fb2gT4zSjD4JxfIWvvttoI6dtbC5o8fx 4XhBtnbsdFaKjX/Kd+WEvt+UVl94qPCQSiK9VFlbh2BUXPRI66U+s0Q3Db02wVpE kbziG6tzJ/BHn57l3CHqkPJTMmNXsJzwSmSRb1YIY7FWMnBszyyxP1uqqHq0m6kf ExGDiErcq1vm3P+0hI/ajd4B1p6olCFg8PjVgfc4CihdCpE9kkE7bUUQPH+ampXh H6SBqjXlHhILN8Npm7CguCqZ6kSFOhnzukrkASVncZL1D35CN81dYalXdcx++pb9 w4mi0vLaqfNulWzZ0ItJnbM0XgI7IIO779xRtT0GCNRdrfdyg+AvlGKMzawvPv7N el95dmTkhKCc9G6AVvQJpqXdQQ5Mp5wj+yzwY0HR9byBEutwbHgjnaLsCSi6xcDy ZGnks5vhotFpj2X4lqxdU2pk3AadWeNvuWx0pzaY/9IJGeP0f3wZk3Jgf0oPVhwx Wvzzj41zzKC4WHy6ow/D75vVTx2qxcGY0VDkVRNUe/AvyWk4QxV9z2pshY3RCjJz SGIKC3Gtec3Q9537nhFWWzvzozry+ZWQGl9APWyc8kVVtWVOwGtac/HpqyHzs5iX MZfJX8dWiglijYIafHWqYkkb7Nnx2bu58ApFIWf7ZLXfuub9wYyM0QqRFjBRGmMS Tb5GlKuxLq8JMeeemySnAfRsuvU47sLYWZM5z6O5c/37UkXPXOG/Kot39HNKAB5/ X0CgpR3OkgKPabjtLao5Koaz+zJpmMqwoeuXlKhorP5h1m9jgeywrisUIIRZOpVd DqUfCEy9+2OdCpC3gEhMxOPE4y8X9pVOkjaQWZ/1NJygHv6AAu01R23tsZSiCKv/ F+cSJewpwjHnCz/U+/B4p3l6 Extension name: e99x17132 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/064E0B6786239CD7

http://decryptor.top/064E0B6786239CD7

Targets

- Target
  
  017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6
- Size
  
  97KB
- MD5
  
  125923ce61dffa8276a2a77e84d2832a
- SHA1
  
  1801bb09f18b2b491e0e1831c2765a96efc1e493
- SHA256
  
  017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6
- SHA512
  
  aac5ef5260702228a165e72f4721d7df414e33b92a64c8b00c440c9e15ae85aead9fe2d978eea72733f1df84eea9d06fdff04e69ff4f67b0592a1c4a3ae1b433
- SSDEEP
  
  1536:ufuwLvvKeqM0TRl79lvhWAwVl5OpqIyedIVjC3E87zcrHuTcxLUllPR:umwLXnqM0Nl795twDIyeeB8+HUiUj
Score

10^/10

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (285) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb
- Size
  
  16KB
- MD5
  
  ffe4f9b654ff2900c2361444e1b8cc11
- SHA1
  
  e19af8a7a59f36f6dc60fccf3fed14558485400c
- SHA256
  
  05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb
- SHA512
  
  0c6b6103ec9666dd55549e9825d1b22705eb113ca3e323f4d39ef375ab58280467bc0b2677345929f46f1d558a58d356a8e469b020bb184710b18ee1220a3413
- SSDEEP
  
  384:CaeADspZKz4N+D8eoeH2uA1L7P+TPXHTBO:/spIz4N+9F2uA1nqP3g
Score

3^/10
behavioral2
- Target
  
  0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57
- Size
  
  96KB
- MD5
  
  ed24f730485f03e084a017d79d899d5a
- SHA1
  
  b29bbb2c510515c07f5c8f0b08a2c1cbfa56ec04
- SHA256
  
  0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57
- SHA512
  
  16365869fb6655b91009135c8edd3998ac8b62c2e2bb546b6ca337c504094de0aac7364da7cff7b1e1768695088911440b7f51fdf46fe71355e8ca19585055b8
- SSDEEP
  
  3072:hCunH3YQ4TgvMvPQDeqgKJ+BCnwvG6Q5X1y:hCAX3vMvPQNgKLX6Q5c
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral3
- Target
  
  1
- Size
  
  104KB
- MD5
  
  5e488441d160b82bdf55b0547f8cb28f
- SHA1
  
  f3dc1a56e21b25849e97d32be01afa8e8e0b6269
- SHA256
  
  39f3c5f6717bd58b4bd299d6b0ea2eac3c2b62eaa1207b1c15d3e3d09589d6d2
- SHA512
  
  85fe28c8b1cbeca5805c305fab96d6eb03bade72e82fe23ddbe7e89b1d29315bb0ded0f1adc41c1c8cfd8e8b888ed1ab03d77cb571912695389d3c064e4dc713
- SSDEEP
  
  1536:/e8f5p+nyS3pPEnFZ60oYJjEiVf5ppW0S3pPpnW:28Wny4p2TpjEiVRW04p5W
Score

8^/10

discovery evasion persistence spyware stealer upx
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral4
- Target
  
  18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438
- Size
  
  96KB
- MD5
  
  9953c9961814c8e1c88346415dd208c2
- SHA1
  
  bb2daf108ac562e5163e74ba57278857f720d212
- SHA256
  
  18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438
- SHA512
  
  75985b7c5e41dda0bb83ac34338bedccd14c9deed13c983f8afa1afc083ebf55217aaa69e19c9a195faf8479c0ccbe55a384dbd15a2a44ba89971ac502767027
- SSDEEP
  
  3072:BCunH3YQ4TgvMvPQDeqgKJ+BCn2S6Q5aA:BCAX3vMvPQNgKL2S6Q5f
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral5
- Target
  
  234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2
- Size
  
  93KB
- MD5
  
  bdbca2193b35706fef4ce9368af7a886
- SHA1
  
  216e8cf79eced5dba6365b1648cb8ca126ef0cae
- SHA256
  
  234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2
- SHA512
  
  af70ab8b4738a2c5a7869f202a850357d71cb43d67498b87525924dfbd2f456254d0ecb4c2651797b2ec75c3717cf0a4433a7d7573a27bbb55ac644c75009a49
- SSDEEP
  
  1536:7w2p3ieRXCkxEoSXf6GizDhp2keW8PaoYEXOcrHuTc+N:cSyex5yoSPmzKkeW8iEXjHU
Score

10^/10

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (277) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral6
- Target
  
  2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6
- Size
  
  96KB
- MD5
  
  0c74ecd25840e903ab3d53064ba46c65
- SHA1
  
  3a8a88c03c3172dde5aa20dc558089a6a936e3a6
- SHA256
  
  2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6
- SHA512
  
  3c6a31a0abe35422fbdef1bfafcb85cba495d0e0a976c7c9549a87d987958f10b6911ca6899e24513b31373c957acde1bcd3a78b557b575f387a0806b5b1ab2a
- SSDEEP
  
  3072:qCunH3YQ4TgvMvPQDeqgKJ+BCn2W6Q5+W:qCAX3vMvPQNgKL2W6Q5Z
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral7
- Target
  
  2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291
- Size
  
  149KB
- MD5
  
  7b104c571efba855a2e0ef211450fdac
- SHA1
  
  eaf61901c6e2e148c5e089a52cc2606217a41cfa
- SHA256
  
  2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291
- SHA512
  
  92263ffc40fc03c51c5e4b48a9a813721ce80353674979213fae27b49f7b420d5bb35817232069030b812d9dfc44fd23b4fce3186feaa874ae6c8dd853ce69c6
- SSDEEP
  
  3072:R3FfHgTWmCRkGbKGLeNTBfn+TwnDqKBtv/p50oUJiTZxt09W96NXP:J5aWbksiNTB/+Twn2KP/pOS+y2
Score

7^/10

discovery spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral8
- Target
  
  3
- Size
  
  157KB
- MD5
  
  4bd82da426f6b59e08b40044adb5a3d2
- SHA1
  
  097db21cb36c15979730a775ac6bad1240d75275
- SHA256
  
  add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310
- SHA512
  
  77dc3f9089bb1877defa28e39a9c3a615efed7975dbbe3a4d3af942a450776cf2935d164059d2519aa2d5105ab06106c39431e4baba82c42c3f2cbacfb82b630
- SSDEEP
  
  3072:wi8Iy8EytSLbi4eTMlwDCnuZ3j9ifgwbDJ1fMP:B8IUykbnWJZ3jkflJ1fM
Score

10^/10

sodinokibi defense_evasion discovery execution impact ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (199) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral9
- Target
  
  329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
- Size
  
  99KB
- MD5
  
  78efe80384fa759964c9ea8bada3ac8d
- SHA1
  
  6300dca046dee2d99f8429bdb9b5f3edc4d5ec1c
- SHA256
  
  329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
- SHA512
  
  faab33afd525d4dee0497096f8cd07c748d98d6b3337d0616740495e6dde2d3b6a4bfb4aadfc2ac032ea5d6e065fc17b0addb4a1fe01878868d39d5d7c282dbc
- SSDEEP
  
  3072:UKwH7Fxw0GQi8SHa0jNwriVcJLLfO1MYU:XG3wq70pwrimxLB
Score

10^/10

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (262) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral10
- Target
  
  336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de
- Size
  
  96KB
- MD5
  
  4b8b656694ccb60ff4daa29923fb68f9
- SHA1
  
  8e6ecaf78bb884a795f8fb3148cdb9b4e2a52715
- SHA256
  
  336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de
- SHA512
  
  6e1ab2bb02d8058413daf833bad02f25f506d3749e73c7b01f8952117cacfdf43091cb0a4ea2fad3f3c1585356baf0d8c979a52ed41cd055438fa60d8db9e239
- SSDEEP
  
  3072:8CunH3YQ4TgvMvPQDeqgKJ+BCnc06Q5t7:8CAX3vMvPQNgKLn6Q5N
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral11
- Target
  
  4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be
- Size
  
  96KB
- MD5
  
  0f66bea7be0cc2eaf33da37398375b8a
- SHA1
  
  5d72245db8614f528713fed551536b4cbec2b98e
- SHA256
  
  4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be
- SHA512
  
  b7b9494c2155ed89afcfd79559e5eba5932c9ef04e4719a25f9206d657db7e670b488ce7de7e1fe99ac98a75905b9db08fb03438c08a52cea13ded3d5731b98f
- SSDEEP
  
  3072:oCunH3YQ4TgvMvPQDeqgKJ+BCnKp6Q5m8x:oCAX3vMvPQNgKLKp6Q5vx
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral12
- Target
  
  4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9
- Size
  
  71KB
- MD5
  
  7d09bbc0aee91d29b3e62aa7889d75ac
- SHA1
  
  dcc48feec76915615fca1db6e2e726543fba9566
- SHA256
  
  4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9
- SHA512
  
  3f476f40f9a17919946df05bca46d0169531fd32982cc7c62ec685aef680c2fe064361da928fb174274c88f25b64db75f9c996e271e5b3a0836aa4101649a275
- SSDEEP
  
  192:YKA9x8uHsLXl0Hjo7WLom8YHwOrDU0U4cbHaF55n3nN7a:YKA9WuwXl0YZm8eDr40/cuF73Za
Score

1^/10
behavioral13
- Target
  
  539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505
- Size
  
  10KB
- MD5
  
  f1927e7f90416bf39fc7991bbc57e1b3
- SHA1
  
  2367249568ca4a34f8824a9313b03d16d1d7c0bc
- SHA256
  
  539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505
- SHA512
  
  a0ac1811c8944165ba1939e40fe965bba3f7473819cb6f5d1cd4b4e7c203685baec055a6c73359dd1b3ddc79cb05b42d8c7541c29ea466120233423c5a5fcc60
- SSDEEP
  
  192:yrj2/2OzcYKNEmkmTjtiIKZIF/2oQlLkMBBm4C:j/2OzcJNEmkmTjkI/92oQjBU7
Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan
- UAC bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (9704) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
behavioral14
- Target
  
  53bf3a0bfff30e863442524c66ee7ca463b473a9fef5f472b71aa7d5f8216d35
- Size
  
  96KB
- MD5
  
  9bb8c6e4403beb2c4a2630e97b899546
- SHA1
  
  3d4b331936b7e55db214fd21245151d810069dcc
- SHA256
  
  53bf3a0bfff30e863442524c66ee7ca463b473a9fef5f472b71aa7d5f8216d35
- SHA512
  
  21558e274b91eb369454075308ed6059b7c1ca4f6d1c850e2e77f5febda0758d6f0e3e3577ea108e0b6c5b8c43241f64a74ad95ecae8beef2945bc0b539d5cb8
- SSDEEP
  
  3072:GCunH3YQ4TgvMvPQDeqgKJ+BCnZr6Q5Rv:GCAX3vMvPQNgKLZr6Q5N
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral15
- Target
  
  $PLUGINSDIR/INetC.dll
- Size
  
  24KB
- MD5
  
  640bff73a5f8e37b202d911e4749b2e9
- SHA1
  
  9588dd7561ab7de3bca392b084bec91f3521c879
- SHA256
  
  c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
- SHA512
  
  39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a
- SSDEEP
  
  384:wv1j9e9dEs+rN+qFLAjNXT37vYnOrvFhSL+ZwcSyekzANZBJ:w1AvEs3HBLzYn29vYh
Score

3^/10

discovery
behavioral16
- Target
  
  5d63c27043f11cd292e997fdee614389929b9af339ea45ca15159478307ce642
- Size
  
  96KB
- MD5
  
  52cdf9c543ac3b6cc334efff9cb77e73
- SHA1
  
  3d9fdff3b92edad431a1762429028d67d3d5397b
- SHA256
  
  5d63c27043f11cd292e997fdee614389929b9af339ea45ca15159478307ce642
- SHA512
  
  7343ba51da72e2b5e3cd86f9acd481a04d6af7e49e546c20ad6f8206bade19e531d19fcc9cf76b49430e03511be7068e811d69d5ae182982ecf09f01ac728b51
- SSDEEP
  
  3072:1CunH3YQ4TgvMvPQDeqgKJ+BCnlY6Q5uS:1CAX3vMvPQNgKLlY6Q5J
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral17
- Target
  
  $PLUGINSDIR/INetC.dll
- Size
  
  24KB
- MD5
  
  640bff73a5f8e37b202d911e4749b2e9
- SHA1
  
  9588dd7561ab7de3bca392b084bec91f3521c879
- SHA256
  
  c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
- SHA512
  
  39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a
- SSDEEP
  
  384:wv1j9e9dEs+rN+qFLAjNXT37vYnOrvFhSL+ZwcSyekzANZBJ:w1AvEs3HBLzYn29vYh
Score

3^/10

discovery
behavioral18
- Target
  
  5d6e1eeab943b8b0bdb575aa61ac5353a841c402b36d9b455bb7f0cce5207b84
- Size
  
  96KB
- MD5
  
  13e8acb8c6b35ff046df57edf70d6f02
- SHA1
  
  025c1f2b7ac15493d019d583a0cbdb59d48c4807
- SHA256
  
  5d6e1eeab943b8b0bdb575aa61ac5353a841c402b36d9b455bb7f0cce5207b84
- SHA512
  
  ff89a7cd069d827fd3ac2a4c1a8014b30ed9d631f41dc439ef84eef442358a7180a9abdde5cc4030873c7a8123a455bcaadbfb024d79ea1ec33e1e99fe498ff8
- SSDEEP
  
  3072:ACunH3YQ4TgvMvPQDeqgKJ+BCnMw+6Q5+5:ACAX3vMvPQNgKLMP6Q5i
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral19
- Target
  
  63136e1d447b73dcb7405b6c7cbfcda31c705cfccaeef0e5df98c623520abfb5
- Size
  
  96KB
- MD5
  
  ada0aa5614efd3d173d441a6bd1b21ea
- SHA1
  
  b2ac9b32aa18f99c0b13a0e97d46c86c3f61339c
- SHA256
  
  63136e1d447b73dcb7405b6c7cbfcda31c705cfccaeef0e5df98c623520abfb5
- SHA512
  
  ff2d2053a45404f1dfb4af6c140c7f8f3497334192bcad65a032c74fe8a0ee0a77533c578528611629d7bf05380a1412afa85629b9d1b37e88290f4a4796639c
- SSDEEP
  
  3072:OCunH3YQ4TgvMvPQDeqgKJ+BCnIx6Q58u:OCAX3vMvPQNgKL86Q5j
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral20
- Target
  
  658110c0956289e2b829f018e2322196327e3ab022406c77b4218f963f56ba6f
- Size
  
  96KB
- MD5
  
  caaace62f50d1fed93ef88f1cb9c4b70
- SHA1
  
  aa4c8b9174115a1ccf2fe53d2a0b4562498ca2f6
- SHA256
  
  658110c0956289e2b829f018e2322196327e3ab022406c77b4218f963f56ba6f
- SHA512
  
  a54937e5025d06154af1588f6aa1d99e291b632dd11c4eaf625b455ed537a7c3202464fa0ae05285ef5154d1768f496ffc0ac662c07308522306c936cc728f2d
- SSDEEP
  
  1536:JYbUCvd81C7Ijj3YQ3hPuJb+doTgvMvPQJ7NeYRNgKJ+BCyn69gCZXy3oVfuv5Xo:DCunH3YQ4TgvMvPQDeqgKJ+BCnm6Q55Y
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral21
- Target
  
  74cafa416573d3b31e6b4f01e70da21aa8c11f744f784278960b728b9c6208c5
- Size
  
  96KB
- MD5
  
  b718f3b0c05b84ec01ccc2f375b48e50
- SHA1
  
  06df54e0605052da8967ca36dd49356e8e2e57d5
- SHA256
  
  74cafa416573d3b31e6b4f01e70da21aa8c11f744f784278960b728b9c6208c5
- SHA512
  
  7fa740bfb9182b6c0b8dbc8b9ecfa013f2376209cf70df9aaebae914cd76fb12d163bb801ccd7ab4e74ba8b6d6f0d0ffb25267d9f9da19261a73709fdabfaab5
- SSDEEP
  
  3072:1CunH3YQ4TgvMvPQDeqgKJ+BCn5jc6Q5Nj:1CAX3vMvPQNgKL1c6Q5l
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral22
- Target
  
  88bf025119fde24e63bbc878cd06f5e8631a6c5fd6b066adc6d9c28c6ca3a230
- Size
  
  62KB
- MD5
  
  8d6723c66f7e087ebfb41daab055e08d
- SHA1
  
  541c7f3fb01389fcfc145596e3ae925bfdd175be
- SHA256
  
  88bf025119fde24e63bbc878cd06f5e8631a6c5fd6b066adc6d9c28c6ca3a230
- SHA512
  
  3d40ead4602b82a54d7c4443854a2d2e8d41cd20a74b62b638583832b4683b8a5fabbb08c854146f442b75a2ca90dd15258fbb9256c0ef316c031c32c65cde71
- SSDEEP
  
  768:ZEu13lmPcOZiBuuFaySLuJR9jKvwj827FlKFti86aSMWaFe3cNAceSU4kBQqMw:Z91mPcOZUwLuJjjKYNFlAWaK2JUl9Mw
Score

5^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral23
- Target
  
  9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0
- Size
  
  84KB
- MD5
  
  79930adcabd0714d7c3d0c293d983a5d
- SHA1
  
  eb2cafb7776d40b36e175054d0e29cfe0071bf2f
- SHA256
  
  9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0
- SHA512
  
  00f951e4bb7c8f3416888ddfb12f6e0d2e1ff2ce0cefd2f1c7c5402f0e2399d2baab51ac449640b4dfc1d01b337920b4f3772fc50fc4760518b349da0da1510f
- SSDEEP
  
  1536:qqq+QPmPwFmlnHOPyL5XdO3WQbqephuLBXlap0+1P6OJNRNU1HAk1:9qDmPwFKnHOPyIt61HAk1
Score

9^/10

discovery ransomware spyware stealer
- Renames multiple (3462) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral24
- Target
  
  a89591555b9acb65353c2b854e582bc41db2fbc0eda2210b89a877d1862084df
- Size
  
  62KB
- MD5
  
  1a6820fec1c45cd9c928533090e7908d
- SHA1
  
  9df9d1e4579a0f759db01951ff616019c6c9196e
- SHA256
  
  a89591555b9acb65353c2b854e582bc41db2fbc0eda2210b89a877d1862084df
- SHA512
  
  c6eed68a0fbdb05bf504676e1c0816660f856ae768b7340678b9d84d909fce267066b2e314148521563309c466fdec7d74f00d1addb1a14abe15163d2203a81a
- SSDEEP
  
  768:hK3mGmDuuNXM1KPptWOahoICS4AIA4DZqB87pdMFtb8cmY11f3qrVBUoxygse3l:hK3UDugp88ICS4AR4tA8lCFtb8If6
Score

10^/10

seon discovery ransomware trojan
- Seon
  The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
  trojan ransomware seon
- Seon family
  seon
- Renames multiple (242) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral25
- Target
  
  add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310
- Size
  
  157KB
- MD5
  
  4bd82da426f6b59e08b40044adb5a3d2
- SHA1
  
  097db21cb36c15979730a775ac6bad1240d75275
- SHA256
  
  add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310
- SHA512
  
  77dc3f9089bb1877defa28e39a9c3a615efed7975dbbe3a4d3af942a450776cf2935d164059d2519aa2d5105ab06106c39431e4baba82c42c3f2cbacfb82b630
- SSDEEP
  
  3072:wi8Iy8EytSLbi4eTMlwDCnuZ3j9ifgwbDJ1fMP:B8IUykbnWJZ3jkflJ1fM
Score

10^/10

sodinokibi defense_evasion discovery execution impact ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (206) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral26
- Target
  
  c83bf900eb759e5de5c8b0697a101ce81573874a440ac07ae4ecbc56c4f69331
- Size
  
  97KB
- MD5
  
  cf90a464204a926eb549369ac7bf9bf6
- SHA1
  
  b6e9210c996d6e6bae6c4e996a00806607f6a6ed
- SHA256
  
  c83bf900eb759e5de5c8b0697a101ce81573874a440ac07ae4ecbc56c4f69331
- SHA512
  
  870f9b94ab07e87530693834c676d2c9b8deb5b5795361280c1ae21c9a136a9cdd620caec333c0c531fc360bce03e2d5940fc8b8abe2018a565d0eeb332734eb
- SSDEEP
  
  1536:ufuwLvvKeqM0TRl79lvhWAwVl5OpqIyedIVjC3E8czcrHuTcxLUllPR:umwLXnqM0Nl795twDIyeeBr+HUiUj
Score

10^/10

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (313) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral27
- Target
  
  ccbf53569be6ca3b092de09ee3ee854c6481e5df8925d57ee4b4d9f0631fe371
- Size
  
  96KB
- MD5
  
  b331b57325e45c57fcb16d1ae4b7956f
- SHA1
  
  12d1ce5aeea622f6ba2060dadab9fa6200a5fa37
- SHA256
  
  ccbf53569be6ca3b092de09ee3ee854c6481e5df8925d57ee4b4d9f0631fe371
- SHA512
  
  cab2020253a96a16fe71c88ede0ca29f9502e39b4a2bea4cde026ff6681d70a1a848f74b0dbdc63629fdc5bb2acc242ce99100a054b3638efe92a3bea0ecb901
- SSDEEP
  
  1536:dYbUCvd81C7Ijj3YQ3hPuJb+doTgvMvPQJ7NeYRNgKJ+BCyn6YgCZXy3oVfuv9XA:/CunH3YQ4TgvMvPQDeqgKJ+BCnh6Q59w
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral28
- Target
  
  db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b
- Size
  
  164KB
- MD5
  
  9a2888ddc389ecde165446d6e3c27f80
- SHA1
  
  bf77c02c5a58b5efb29db4191f7e38853dcc3c90
- SHA256
  
  db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b
- SHA512
  
  9473b40f0b50d3960395e59ca23b8809cb982185f684989d1641c9193c8d2325d2d0843e66421bfdedac26e850bb3d4a9abae06741f7dfb11cf402abcfbdf3b7
- SSDEEP
  
  3072:FHixaVZFiOCDJtOicNDWEzZC6cau/SCBB:FHigLF5CCj5zZC1SC/
Score

10^/10

sodinokibi discovery ransomware spyware stealer
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral29
- Target
  
  e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f
- Size
  
  107KB
- MD5
  
  6c34b57397081898a8e3b3f90671afd0
- SHA1
  
  9741b0ce05fe1f11c6a1b768c12960cdcfbcce8b
- SHA256
  
  e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f
- SHA512
  
  7d63e95295273dead2498fe97465a577dbfd9ffb4cba9e37c5306e41083f6659d8f79653e226df2f059174f56985d23b56ce699316f477e5169d975781de7be4
- SSDEEP
  
  1536:tlDLR6JCLRMfXbOhHULmnPKZ61KiPlQI+2cCKNE+EkvOhEEq/D/fy:tlPOfXa+LmPK/0P+2wNgkGh1q/D/q
Score

7^/10

discovery spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral30
- Target
  
  e2f4dfe61de56a38c2218b601ee3f3e49b8dbe8ece3e9d98cdf8358b41da5ff8
- Size
  
  96KB
- MD5
  
  b4b373d16b50d4d12c5e771890483095
- SHA1
  
  a2eadbb5710b0d77d05902b40b3d2c05cb87322d
- SHA256
  
  e2f4dfe61de56a38c2218b601ee3f3e49b8dbe8ece3e9d98cdf8358b41da5ff8
- SHA512
  
  d207cff25242957774f53cccafd038ce0cbfe02ddc215d6b755f695cbde1a294b24d0bd2a7931966420fd23e2137dbe8c9fd26015f16f372baf92e1dbe77d58d
- SSDEEP
  
  3072:FCunH3YQ4TgvMvPQDeqgKJ+BCnzr6Q5rK:FCAX3vMvPQNgKLX6Q52
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral31
- Target
  
  f10e957b92fbb2bb57e0a51eeda99dedb1b0720a1be0422b53404d3252bef741
- Size
  
  96KB
- MD5
  
  1b18993f4b7b5b9500b0dfd055b60f5b
- SHA1
  
  9f70e8d99492fc252d1e408b1bf8baa92c78b056
- SHA256
  
  f10e957b92fbb2bb57e0a51eeda99dedb1b0720a1be0422b53404d3252bef741
- SHA512
  
  c41bb308251b27372ee8770c004d8d31b87c109ea168a746635b556829f87df6d6fbf92f941b3441122409b063018c18900b325b6caa32af23a5cf3b22c3e332
- SSDEEP
  
  3072:lCunH3YQ4TgvMvPQDeqgKJ+BCn0Y6Q5cp:lCAX3vMvPQNgKL0Y6Q5E
Score

8^/10

discovery
- Downloads MZ/PE file
- Loads dropped DLL
behavioral32