General

  • Target

    Batch_4.zip

  • Size

    8.6MB

  • Sample

    241122-c7pscayngr

  • MD5

    3179e3edf25f87e78f2fd054faf6ae60

  • SHA1

    7648fb854c73c9a191b935278bcefd58cc5ad3fc

  • SHA256

    471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

  • SHA512

    b7d25a1a9008d363058192cd353fdd58c504db313bbcd9bf1090688c8af735f696c8a0551b3023f948de66f9f33c20c5cee18bde680afe7b2e2b60074f8abab7

  • SSDEEP

    196608:ttxPNvdJy9CNBi63RgR+itIShWmG9E6rHm5F2T97o:Vh7iCNveR+ipWmNEBo

Malware Config

Extracted

Path

C:\PerfLogs\Admin\README_HOW_TO_UNLOCK.TXT

Ransom Note
YOUR FILE HAS BEEN LOCKED In order to unlock your files, follow the instructions bellow: 1. Download and install Tor Browser 2. After a successful installation, run Tor Browser and wait for its initialization. 3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion 4. Follow the instructions on the site.
URLs

http://zvnvp2rhe3ljwf2m.onion

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\How to restore files.hta

Ransom Note
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="windows-1251"> <title>GLOBE</title> <HTA:APPLICATION ICON="msiexec.exe" SINGLEINSTANCE="yes"> <script language="JScript"> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">YOUR FILES HAVE BEEN ENCRYPTED! </div> <div class="note private"> <div class="title">You personal ID</div> <pre>0183888474050587583565227225768717908977834349867004609688057603256712204224845899417709671471504307 3445304746561955759365679657965086783538757499900543459869926578050002284945320662368228187787250083 0746841418163366532583394056997106747414259934414604851314293645197216019694420413633747471005203701 4410808676856836937935811516378809330026780131992619201682729129487284685255468204568891205472358674 4034702920844013997088282824414176255171909865964206894752586170856066648224556842597185185000942180 0758300807727834924159635550609269712194543457075151851716462571725340697733621498745696964231124309 811632150657227379</pre><!-- !!! ������ �� ������ !!! 
--> </div> <div class=bold>Your files have been been encrypted with a powerfull strain of a virus called ransomware.</div> <div> Your files are encrytped using rsa encryption, the same standard used by the military and banks. It is currently impossible to decrypt files encrypted with rsa encryption..</div> <div>Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info neccessary to decrypt all your files, quickly and easilly. </div> <div>In order to get in touch with us email us at <span class="mark">[email protected]</span>.In your email write your personal ID (its located at the up of the page, it is a string of random characters). Once we receive your personal ID, we will send you payment instructions. </div> <div>As proff we can decrypt you files we may decrypt 1 small file for test. </div> <div class="note info"> <div class="title">If you dont get answer from [email protected] in 10 hours</div> <ul> <li>Register here: <a href="http://bitmsg.me">http://bitmsg.me</a> (online sending message service Bitmessage)</li> <li>Write to adress <span class="mark">BM-2cUrKsazEKiamN9cZ17xQq9c5JpRpokca5</span> with you email and personal ID</li> </ul> </div> <div>When you payment will bee confirmed, You will get decrypter of files on you computer.</div> <div>After you run decrypter software all you files will be decryped and restored.</div> <div class="note alert"> <div class="title">IMPORTANT!</div> <ul> <li>Do not try restore files without our help, this is useless and you may lose data permanetly</li> <li>Decrypters of others clients are unique and work only on PC with they personal ID.</li> <li>We can not keep your decryption keys forever, meaning after 1 week after you have been infected, if you have not paid, we will not be able to decrypt your files. 
Email us as soon as you see this message, we know exactly when everyone has been encrypted and the longer you wait, the higher the payment gets. </li> </ul> </div> </body> </html>
Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\_XiaoBa_Info_.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>[email protected]</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } img { display:block; margin:auto; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <img 
src='data:image/png;base64,[base64 PNG data omitted]'>
<div class='header'> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

[email protected]

URLs

http://www.w3.org/TR/html4/strict.dtd

Targets

    • Target

      757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4.exe

    • Size

      18KB

    • MD5

      d8e99fcae9a469c2081e7ff01675c361

    • SHA1

      ef7c4358717ec9d04b9adc8e40b1eb928885ebf0

    • SHA256

      757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4

    • SHA512

      cd75242646dde33b7c792e9bf9fe976ce7f2dd1b02c5c97a4cf2f9f80cfae1bd44463fc2b0f9e002d17087358fafa298ca0d4dc4aff17405df95f13099c79b02

    • SSDEEP

      384:rd7gYWDhghSmeSQjkCg3St1bVz1LTwbZxssimS8dHDT:6lg/eLjkCwQQFx8SHX

    • Renames multiple (786) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2_not_packed_maybe_useless.exe

    • Size

      89KB

    • MD5

      0af473977e2b58a3630dc2bd59245127

    • SHA1

      6b1086070e0918c428b4f6688fe2760c9ab9dfea

    • SHA256

      76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2

    • SHA512

      d2f001ed413538368597585483c6745ab1bec058e227ada41937b75435f9456135b876e0ce40249389448b9769a37c3c06233c0d648cfaf9f613e42ad0b92450

    • SSDEEP

      1536:ef/SovFSSZtDgN+DpDkDEFtC+YF8965L+v:I/zv0SZtDgN+Dp+ErYF896W

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_Dumped_TDS=4F9911B3.exe

    • Size

      116KB

    • MD5

      5a580ab3f5b3806da853459e9ef7b368

    • SHA1

      df93c0f0dd694ab49646b539418b67d83eafccb5

    • SHA256

      5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc

    • SHA512

      91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b

    • SSDEEP

      1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_TDS=4FA04B59.exe

    • Size

      72KB

    • MD5

      f0b567179d42d5d4f27d6d9a7fcf183f

    • SHA1

      fb91a4f85ad3576110cdb476b0eb94c2e14a4e1b

    • SHA256

      78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b

    • SHA512

      ca5afd8671f79d1ee55d51aa75330daac87e4cb116b5b8f60d5be2ed1f21a1e0cbd9e4c613a3c20850bfd0bba78358e4289258f010b6d3c8c169b7a80998c64c

    • SSDEEP

      768:Xf+vj1VHjoFW+gh2vHa0uTbPKYlNnYVbUnWfTMuRqj2O4sO2ieFZ0F:G71NoFhDHaT/CukbUWdfO4LFeP0F

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe

    • Size

      865KB

    • MD5

      dbf3707a9cd090853a11dda9cfa78ff0

    • SHA1

      5af5403d8e003812a34c7b085d878680d7130ad5

    • SHA256

      78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669

    • SHA512

      68b1627ed20e6980c32c44df3560fc3eeed37db2c47caaf8db86461c594a5d040a7404be777374af512fe05fcdc2f15a6014a914b1445c2e23adb741db68c7e0

    • SSDEEP

      12288:SCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga+Q9bN9jQl:SCdxte/80jYLT3U1jfsWa+QpN9jQl

    • Renames multiple (164) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f_not_packed_maybe_useless.exe

    • Size

      54KB

    • MD5

      e0c70373ea59baa4422771dde804a21c

    • SHA1

      d9708f709a0e7ad070ee34b4065437e400e5bdd9

    • SHA256

      7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f

    • SHA512

      c9a6b94d091a48d1a294953226fca00089dbf266f81fa60481f9ca468f7c3e9a2460bdd384b070dd6ae8bb778fb0737e196a1870e6f550645b9192f78e9763fa

    • SSDEEP

      768:zchho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPIxPaq77ti:wjoDMYwEINR8j/Yu2pqOd77hPl

    • Score

      7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      7B75B33BCF4ECF013B93F84ED98B3FB5.exe

    • Size

      214KB

    • MD5

      7b75b33bcf4ecf013b93f84ed98b3fb5

    • SHA1

      7be5f5dcf6b9519c0f8c8071503b7f5dd66b6386

    • SHA256

      74aa7b73b46d7bd7bc53cb44add9ec8172f2de7831d045e33db06e2d6b916edf

    • SHA512

      96e1253358db1f724b381f9e1e416cc35bf44d94505e8b86508676f997b44be65d3c33c22df9c004652a34170e48805f9b7ba6f2703dd287e8c770cb426c5114

    • SSDEEP

      3072:5W1M+lmsolAIrRuw+mqv9j1MWLQFPBCM+lmsolAIrRuw+mqv9j1MWLQlL:5J+lDAAIv+lDAAmL

    • Score

      1/10

    • Target

      7E3903944EAB7B61B495572BAA60FB72.EXE

    • Size

      228KB

    • MD5

      7e3903944eab7b61b495572baa60fb72

    • SHA1

      116930517baab6bdb0829990a43af54d155f5332

    • SHA256

      06e921abf28c4b260c59d61d84a74c3a5dc12ac99a34110ca5480ce61689385c

    • SHA512

      0e29eaea245dd0068d44ff016c5da65396e5ad94aa79fcbe3cb187666b7b21890b22e2a13ac57e4bcfcf39436a7c5fa53a5470a8fae6de7215f297b82ea62ad5

    • SSDEEP

      3072:RKR+u1vFeb+pknH46ZjbVxltW8wylYJiocMor+ROYJPR+9RbA8D79qiNFwEQ7:R4Z19dknH4yFhtocMO+kYlI9tdJmr

    • Score

      7/10

    • Deletes itself

    • Drops file in System32 directory

    • Target

      7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca.exe

    • Size

      602KB

    • MD5

      ae38213715e758e3c296715f1ec25aea

    • SHA1

      bf0d7b7d8ab11536e25235f7c18901c9be65fae1

    • SHA256

      7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca

    • SHA512

      fd0bbeaff08301f6e26c878ef59d7be964533075f1b1c6f93f3a03bee048f4587f44fef96cffe709f5f0511b81edeb4d64878be7b6852f5a14aa3318c9ed15e7

    • SSDEEP

      12288:6oHEHblpWz0jPLhEfgP6WMDoEuY7jVWv:6vZPLWffWMDo+7Jc

    • Score

      3/10

    • Target

      7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe

    • Size

      161KB

    • MD5

      517d709b1b99fa87ddfe61950a93cf5c

    • SHA1

      2b6da3641ad3c13be272c7e66c938afd5879d65f

    • SHA256

      7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f

    • SHA512

      e23c60821e71704ab77ed8031b025b6ec9065479b766ca9fce2d4e93f1e4e66f7ed821d161890dfd87306408917c82514aaf96506cfc335e2c0bd1166fd1809f

    • SSDEEP

      3072:+dhOdhhyAbz6XdKWf4xEE1ODDl9oz4ilUEPllLBDlWz:+dhw1CZJEQXl9o05EDLBlWz

    • Target

      80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_Dumped_TDS=4F9911B3.exe

    • Size

      116KB

    • MD5

      5a580ab3f5b3806da853459e9ef7b368

    • SHA1

      df93c0f0dd694ab49646b539418b67d83eafccb5

    • SHA256

      5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc

    • SHA512

      91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b

    • SSDEEP

      1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_TDS=4FAAF59A.exe

    • Size

      68KB

    • MD5

      b1024afccaf9847146e611beab995356

    • SHA1

      310a31da48325cea02182158efe0daa2ac6b451d

    • SHA256

      80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2

    • SHA512

      164d5b81008251a454e0cc18ebbaaa3c1ce9f3dd24d45650359db5e4b30f00bd889f88333b2290e86667aa00296dea57f7b016d85f79ba12ea38eb6bd1342244

    • SSDEEP

      1536:h3C4HGFE94jwEG/eO5VEx70AwAWkH+/z13+QDmsrxwSX:hNoESj8p5OeFAWp7p+Qbxr

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe

    • Size

      246KB

    • MD5

      7f61ab7160ccea4f69fed025fbbfdb30

    • SHA1

      88d06d4124bca680bf28dde09cc1c3995002eef3

    • SHA256

      845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8

    • SHA512

      8ff46db7d1bfddef6bab676c1439207a7b755280720bf83406d95a700eac364ef667978a7e538cc3d6e2836487b38ddc34df288100b510e32d16f013ffd07d98

    • SSDEEP

      6144:clmE5hV/XRG4FmeAs32AcNhunE+AWTWk6+wv:2/XRG4FdAs32AeOWk

    • Renames multiple (145) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe

    • Size

      56KB

    • MD5

      a865cae4f9a553fa100932e8786b80be

    • SHA1

      1c691b07fa9c59c1eb6a993723887a9ac08b301c

    • SHA256

      85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f

    • SHA512

      df149155fc97c72f9401826f614dfb16edbf982b64c6fb3d7302526cd9c4ee8368dcfdc666c1c1fe2a522115176042f135723e9390ed4755fb35b4ebddc263e2

    • SSDEEP

      768:9Wf9/O9lXRyz4M9XyTm/O94NOYXkGQ40d4Wg/i+Pet+F/O9LiAU3UF3333efYZCz:9EmRyz4gOmxNOYXF+yzTPSwjH33wk

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439.exe

    • Size

      37KB

    • MD5

      406588f62853601a4f0381ad537b51ca

    • SHA1

      a4a5602c1446a61c653a7bf8ad89558b4761ce71

    • SHA256

      86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439

    • SHA512

      28e019a091c309bb732fa0f3782c763a333ae95e7cfed86424950dac658297e862d707de1328fe50dc8ac2372832c93e6e131db79bf9c9fa91ae58da1fba0bfc

    • SSDEEP

      768:hLNLdNY8E+pRqAyQ3ipHbEMsm/IqJRDftP5IM05kHZnJ6zZQufB9wZOKh2h1:Ij+pRqAyQ3ipHbEMsm/IqJR3IP54JhA9

    • Target

      8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_Dumped_TDS=4F83FCDA.exe

    • Size

      116KB

    • MD5

      3444e41067c52192e3ee1e5f57ddd393

    • SHA1

      cccd89e09c2391f7e6bb8cb972c364bc27cad61d

    • SHA256

      d03d3d4eab25c38eef57493c7494d3a1ffd0147e1fcb2730a97d9b826e15e799

    • SHA512

      81a6729a11b5626fc49bbcdc2988a2a1de0fe9b1805d5ac9271666a12b81a40f4ce932b51014a21f262fd677773a010894deae3b7bc13ab85d142647662b281e

    • SSDEEP

      1536:MnUfv0+ZXqm3S+DQNn1Bp/GpL7F6iCINF8nqZULCYk:Mn6v0+ZX5S+DQ11Bx67FZNF8nqWLTk

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_TDS=4F84A969.exe

    • Size

      72KB

    • MD5

      311f6db6e5a4476b03cf973671e8afed

    • SHA1

      5831825c55e55e9c4127d0ed72d38df060a00eee

    • SHA256

      8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f

    • SHA512

      5d9824902cea653ac84667889b22017b444a1d878ee990fd6f3a5dabb1c288afa1268a6bb795f8b6ef4f856c4a114bca10d1db11643329e5805d8d659792a431

    • SSDEEP

      1536:xiOtoD7Ja3UAZfd5ycu6vGRbelxbJ3uJ4GjAaH:gJa3UAlPyclv4belP3k9AM

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      87a4f3f9f6dc263378f2f01db5f2c988.exe

    • Size

      630KB

    • MD5

      87a4f3f9f6dc263378f2f01db5f2c988

    • SHA1

      dab86879e6e423582fedab0cc00c95882d3c3417

    • SHA256

      5d196e6481f38fa6657d74288fc51b91e273b62ec00100737d0d0cc8f1e8379b

    • SHA512

      b2d98312e827c14702befe05c4262718a2e321a7200f1c08ddaa2517157b4fef960ba9508cec43654c77bec060c998d71f7be8e0b84633531e1cb5cd10b903e6

    • SSDEEP

      12288:AzBsMGrB6kzTKOeW9dY82G+JTlJR8E4TeOb57BIAwP/wyBmrdTOVf8I6jTBwF2dO:ifGIkzGOeW9dYG0pFf0wP/wyBmrdTOVN

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      89fb6d7ff29b0c349c19df2e81028a62a2758c33f2c72b87dc11af4f22d3c6f6.exe

    • Size

      276KB

    • MD5

      0c997c93bf7aac43e8bc22a9ea2fd9f8

    • SHA1

      1c1e46e49c769c48104ee40506c67f738c6978f9

    • SHA256

      89fb6d7ff29b0c349c19df2e81028a62a2758c33f2c72b87dc11af4f22d3c6f6

    • SHA512

      da27770d969800978e3a21a4ff9d887f1cfca8ee33c81cbbd9c61aa5640e1f6535a6189b45f9c498d8e75628714226ff91658ff53855332036124459b34ebffa

    • SSDEEP

      6144:1nsJCTa8fC8OrAk2o90sBDuSeJ5zOSP+N4s7:1nWCTa8fC8W/0sBWJ5zvp

    • Target

      8c591485357e45a09dad3116496e6f686fa11f445a6bea5ef3cd5ed1ac078821.exe

    • Size

      246KB

    • MD5

      04742f7774cda5b58d7e5c1ba5a4e941

    • SHA1

      a8e35ff71e0561268f8c3082bcaa2f314a272005

    • SHA256

      8c591485357e45a09dad3116496e6f686fa11f445a6bea5ef3cd5ed1ac078821

    • SHA512

      726974f82334c474b363d2232f21db2e04730965147e01f9ac5b8f06a44c873e78e2ee7982147c85dffb1eec40fdb445b18b67d4e25303f1dfc672f63f0b9562

    • SSDEEP

      1536:xQqUQQ5fNlzCKxOxwoBg5KE+Y5NpWEibmbkWuEZ8DIPsfie8Sf1wKygNiJK:6NBbOKnoIKE+YpWFCoWk6a1wKyPK

    • Renames multiple (171) files with added filename extension

      This suggests ransomware activity: encryption of all files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe

    • Size

      4.9MB

    • MD5

      4313fd0a3d2cbedd4570230931833fe1

    • SHA1

      8280f59248747c6901079ac6e52814606ab8cdc4

    • SHA256

      8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0

    • SHA512

      1fd81fb997cbc2973b66a2f95b848dc5813b44513d21189b73a708e9d26b583bebe6bb429c89ecb7dd687262fa4a35abb791f56db3dc884e281b4d056b05887e

    • SSDEEP

      98304:/VKIRQd+TZAJPEoRgWkJgsgv4n/C2QHij4WeoM14s7Oc3b7e6l/R4ze9H:NKo4iAJcoSLi4/C2QHTRh6o/Gy9

    Score
    7/10
    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      900.exe

    • Size

      12KB

    • MD5

      5a43d2db5c8cc3b8ec273aa470ccc931

    • SHA1

      dfcc68945b9daf7e9f49be4837a6934560ec635f

    • SHA256

      2424a7ce5e885bf460aeb8968ceab48057813430973c5a2e27d846553e79402c

    • SHA512

      ffae7fe714667cb44d200f87c36a6f60735926d03ce86dd5756b7e91ab1bd04e7b98dccd1dc0b3f652ea50f5d4c74ffa1f66245052b61e00fd0e8273681a99d3

    • SSDEEP

      192:LvJ8ZxTFrv7bg1d4/QkODGAoyjwlkp7qQT6yNQ+pJYMq6fdw4RI2P:d8zt+UFxy9p7qk3DfC4RI

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (1077) files with added filename extension

      This suggests ransomware activity: encryption of all files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      911d5905cbe1dd462f171b7167cd15b9.exe

    • Size

      138KB

    • MD5

      911d5905cbe1dd462f171b7167cd15b9

    • SHA1

      bca38ab2f4b461e25e4686cfe523d3b0ed2d1cd0

    • SHA256

      8c42a084278ff8e25f7ee765c37da84da02780da725505108f9eb39cfb05c051

    • SHA512

      c60c274360040b2385fcfbc1f9cbc85cd48c9872d0cadcfbe0343efb16e5401af1b74159ecd29d5adeb519c2818bde022fd21b20c12e4dfb274351733d38b7d1

    • SSDEEP

      1536:IhcFu21x8xUoDq88z/1h5jOla6H7uTnkwwZI0qXAREZ+QOS4D0rtJ/lxABC:7DnoDjbin/w1O3D5J/lxABC

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Target

      91d24e06572099ba0aa5c20be6b1021fa48e864913fe3676ed05323e6b68fceb.exe

    • Size

      282KB

    • MD5

      f79b517d733de07ee82e5ac8cd9ee192

    • SHA1

      050b21190591004cbee3a06019dcb34e766afe47

    • SHA256

      91d24e06572099ba0aa5c20be6b1021fa48e864913fe3676ed05323e6b68fceb

    • SHA512

      799e55b3a1e04c7c87c7fe6fcb807600975510a7f05fa57f83a9301731a378c1323486343ba880a575aef59faa6e1d1ccc9cea90173b7626228b24ff9d4e685c

    • SSDEEP

      6144:QY4mV5gq4DBKkxa2RNJYw8coEdNqAniTw1sbLp7ByJ7NFPjsnH5+qPZOMbM+juE:OmVmb9Kkxa21Yw8QiJdAJTqNbM+/

    Score
    1/10
    • Target

      92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe

    • Size

      315KB

    • MD5

      8434eea972e516a35f4ac59a7f868453

    • SHA1

      39eff0a248b7f23ee728396968e9279b241d2378

    • SHA256

      92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b

    • SHA512

      308160a34f7074f9a8178ce8ba37f155ba096c7448bc5cd0e9861788e158d2eacdbb329f716bc1b6935db9b26c0bcb9aca23966c73e4114c8ea92e6f53d77348

    • SSDEEP

      6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXve:BswRSslz0P1OdFXJlJ8buXve

    • Target

      97512f4617019c907cd0f88193039e7c.exe

    • Size

      666KB

    • MD5

      97512f4617019c907cd0f88193039e7c

    • SHA1

      24cfa261ee30f697e7d1e2215eee1c21eebf4579

    • SHA256

      438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499

    • SHA512

      cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a

    • SSDEEP

      12288:bB/72HFAQBMiZB7fJJ2qDHKK/K5FJL+xQhrwjeI:bBKqFiT7fJJ2qbKK6F5+xQhrEJ

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (73) files with added filename extension

      This suggests ransomware activity: encryption of all files on the system.

    • UPX packed file

      Detects executables packed with the UPX (or a modified UPX) open-source packer.

    • Target

      98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe

    • Size

      151KB

    • MD5

      993135dacbff2607839ee5a76ca06c61

    • SHA1

      c1a9a8cdad293887214605ca0e47f3ddfa4e1a52

    • SHA256

      98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7

    • SHA512

      69472dc86d5d3c44742b209fb0a57ab3afd8f93d0c5adfdcd48c2e4828828309101fcb9500813044712b1bc3e85e6a2ad3e5dde5f3818fb8772f0ff5d0b873ea

    • SSDEEP

      3072:aMAr2Q8LH/r1GgDwheOj9Pm4uX2QZJiU8ypfoAWe:aMAaQ0D1VDwheuhJmJiU8y90

    • Renames multiple (4603) files with added filename extension

      This suggests ransomware activity: encryption of all files on the system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with the UPX (or a modified UPX) open-source packer.

    • Target

      9943256.exe

    • Size

      134KB

    • MD5

      25e54dfbce20546da0e8cd8152ee2b8e

    • SHA1

      3f0b80ef090c0b14821309b6110839cbd2312afe

    • SHA256

      4725414537a3605ee6cdd226d189419cc5d3a7df1b092b526b61b8c5e2a59386

    • SHA512

      215f4d5d35153622f159970e0097cde6e00d387f5636a1c28d3de6c0f5f84b61dfcaf4d390464eb888738786a0028d7d6f6ce13a29e07116ad032027428215a2

    • SSDEEP

      3072:r+qf9FUiVdubWibOQNi3MWL4FksNYFfPK:r+iLUwAbpi3MDEK

    • Target

      9B9517FA1515F47A502FE56536236A20BE5BBADF.exe

    • Size

      119KB

    • MD5

      b80a2daca4b5000fae089e655f2fa4b0

    • SHA1

      9b9517fa1515f47a502fe56536236a20be5bbadf

    • SHA256

      e58e7b91af952f56d32d3cb11e82d366f256f40d2e4c846f3aa8cda886bfb49f

    • SHA512

      9e5a24fd11bf542608ca8762ad735de749cfcfdc2bd750ca3f7de20dbc19a2ccda0cc88544261314c8dfa77c5ad2fd6e97af51ceee344794fba1efa49d32964f

    • SSDEEP

      3072:VAsj8MBX8s0oXJE455Vdcws635oUIFNTNC1f3U:VAsBZW+VdK6iUcIfU

    Score
    7/10
    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      9b7eaffe4dffcbd06445d0b32785cdc8.exe

    • Size

      39KB

    • MD5

      9b7eaffe4dffcbd06445d0b32785cdc8

    • SHA1

      af992e2e6c045137b8220c60f534f80da968dd38

    • SHA256

      4137f8c196fdd99a5cd64c518ed27c466953e37b78887954ea192b5595a0a076

    • SHA512

      3639fc1b3ccd57b6a61acecfce8030a7c2c634deb44b75345b5c69eb5cad03a8aecae781b950c254e35f4db248b5e9113fd06412f14ca7a90596985a282e123f

    • SSDEEP

      768:BPXsWRbrIA8vxG/VZ0xcv+n9DfUEGC4ZC:B/s+HUxSZOcvI9DsE4ZC

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware family first seen in 2020.

    • Xorist family

    • Renames multiple (2195) files with added filename extension

      This suggests ransomware activity: encryption of all files on the system.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX (or a modified UPX) open-source packer.

    • Target

      a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

    • Size

      322KB

    • MD5

      4a6bcd14aee9be6ccd5fd4939f8350ef

    • SHA1

      10a7e4377fdbab12ee66151d3c5af9096bc47b59

    • SHA256

      a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244

    • SHA512

      336c05288cae08c966659b5ca528994ccdb0be55cc2197ee810067242995a3448321a9c1b2355a16c5f4cbdcc4131f2707839e055dec4df2bd8dbb6c5090b7f2

    • SSDEEP

      6144:lf0H8b57WZ87m4eEictcjk76F3OpRsmC:lf/b57WZ8K1ZcenF3OpRs

    • Blackmoon family

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234.exe

    • Size

      246KB

    • MD5

      7ec4fb3737e96c0aef2f98d20013dc5a

    • SHA1

      4e8a042292c4ef20556d4aedf5b3ea0a29d2fbe7

    • SHA256

      a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234

    • SHA512

      849ab6bfd9f61a10d29b727e0bfcc7804653764e2d4a9a01515a48b6ff52e37fd1954715d8decb7bde819bf490563924c3d8e51dcaf8218c40852ffdf9d65eb8

    • SSDEEP

      3072:6NBbOKnoIKE+Ypjf+MGtmhoWk6a1wKyPK:clmE5jfwWk6+wv

    • Renames multiple (157) files with added filename extension

      This suggests ransomware activity: encryption of all files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, blackmoon
Score
10/10

behavioral1

ransomware, spyware, stealer
Score
9/10

behavioral2

discovery, persistence
Score
7/10

behavioral3

discovery, persistence
Score
7/10

behavioral4

discovery, persistence
Score
7/10

behavioral5

discovery, persistence, ransomware, spyware, stealer
Score
9/10

behavioral6

Score
7/10

behavioral7

Score
1/10

behavioral8

discovery
Score
7/10

behavioral9

discovery
Score
3/10

behavioral10

defense_evasion, discovery, execution, impact, persistence, ransomware
Score
9/10

behavioral11

discovery, persistence
Score
7/10

behavioral12

discovery, persistence
Score
7/10

behavioral13

discovery, persistence, ransomware
Score
9/10

behavioral14

discovery, persistence
Score
6/10

behavioral15

discovery, persistence
Score
6/10

behavioral16

discovery, persistence
Score
7/10

behavioral17

discovery, persistence
Score
7/10

behavioral18

discovery, ransomware, spyware, stealer
Score
7/10

behavioral19

defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, trojan
Score
9/10

behavioral20

discovery, persistence, ransomware
Score
9/10

behavioral21

spyware, stealer
Score
7/10

behavioral22

credential_access, defense_evasion, discovery, execution, impact, ransomware, spyware, stealer
Score
9/10

behavioral23

Score
7/10

behavioral24

Score
1/10

behavioral25

discovery, evasion, persistence, trojan
Score
10/10

behavioral26

defense_evasion, discovery, execution, impact, ransomware, upx
Score
10/10

behavioral27

discovery, persistence, ransomware, spyware, stealer, upx
Score
10/10

behavioral28

defense_evasion, discovery, evasion, persistence, trojan
Score
10/10

behavioral29

discovery
Score
7/10

behavioral30

xorist, discovery, persistence, ransomware, spyware, stealer, upx
Score
10/10

behavioral31

blackmoon, banker, credential_access, defense_evasion, discovery, execution, impact, ransomware, spyware, stealer, trojan
Score
10/10

behavioral32

discovery, persistence, ransomware
Score
9/10