General

  • Target

    Batch_6.zip

  • Size

    8.6MB

  • Sample

    241122-d8832stnh1

  • MD5

    efd2b474bb13fdb3b8a3159a64a22896

  • SHA1

    48515da815cafb4d990efdd7b67baf86ac949813

  • SHA256

    c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

  • SHA512

    05195802d912ff48aac8035a8a061a3d8dc5b312ed936a147a742ad65ab75f982e3b443ebb001dd145086644006bfc361f83fb40799f60e51dd6eb053139f190

  • SSDEEP

    196608:PYpWTGAAWAquK9u/2fpA4kuu0xCDCFvyRyi1GGywTpGRE:PYpWTGAAqub/2y4kudiCFviy88GGi

Malware Config

Extracted

Path

C:\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; } h2 { color: #555; text-align: center; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 1em 0.1em; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == 
v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c != '') && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } var langs = ["en","de","it","pt","es","fr","kr","nl","ar","fa","zh"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function onPageLoaded(){ try{ tweakClass('lsb', function(el){ el.style.display = 'block'; }); }catch(e){} try{ setLang(en); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; document.getElementById('file').style.display = 'block'; document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-nl' 
onclick="javascript:return setLang('nl')">Nederlands</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,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" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2> <h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2> <h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2> <h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2> <h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2> <h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2> <h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2> <h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2> <h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2> <h2 class='l l-zh' >文件已被加密,但是可以解密</h2> <p><span id='filename'></span></p> </div> </div> <h2>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.0 Ransomware".</h2> <h2>Action required to restore your files.</h2> </div> <div class='container'> <div class="text l l-en" style='display:block'> <h1>File recovery instructions</h2> <p>You probably noticed that you can not open your files and that some software stopped working correctly.</p> <p>This is expected. 
Your files content is still there, but it was encrypted by <span class='us'>"SAGE 2.0 Ransomware"</span>.</p> <p>Your files are not lost, it is possible to revert them back to normal state by decrypting.</p> <p>The only way you can do that is by getting <span class='us'>"SAGE Decrypter"</span> software and your personal decryption key.</p> <div class='info'> <p>Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.</p> </div> <p>You can purchase <span class='us'>"SAGE Decrypter"</span> software and your decryption key at your personal page you can access by following links:</p> <div class='keys'> <div class='key'> <a href="http://7gie6ffnkrjykggd.op7su2.com/login/AelT-PiV3tFi3W0uLljXQVzAzk-y1JaQMqB7Zs_9xkVVuFc0QGGvVx_A" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.op7su2.com/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.pe6zawc.com/login/AelT-PiV3tFi3W0uLljXQVzAzk-y1JaQMqB7Zs_9xkVVuFc0QGGvVx_A" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.pe6zawc.com/</a> </div> </div> <p>If you are asked for your personal key, copy it to the form on the site. 
This is your personal key:</p> <div class='keys'> <div class='key'> AelT-PiV3tFi3W0uLljXQVzAzk-y1JaQMqB7Zs_9xkVVuFc0QGGvVx_A </div> </div> <p>You will also be able to decrypt one file for free to make sure "SAGE Decrypter" software is able to recover your files</p> <div class='info'> <p>If none of those links work for you for a prolonged period of time or you need your files recovered as fast as possible, you can also access your personal page using "Tor Browser".</p> <p>In order to do that you need to:</p> <ol> <li>open Internet Explorer or any other internet browser;</li> <li>copy the address <a href='https://www.torproject.org/download/download-easy.html.en' onclick='javascript:return openlink(this.href)'>https://www.torproject.org/download/download-easy.html.en</a> into address bar and press "Enter";</li> <li>once the page opens, you will be offered to download Tor Browser, download it and run the installator, follow installation instructions;</li> <li>once installation is finished, open the newly installed Tor Browser and press the "Connect" button (button can be named differently if you installed non-English version);</li> <li>Tor Browser will establish connection and open a normal browser window;</li> <li>copy the address <div class='key'>http://7gie6ffnkrjykggd.onion/login/AelT-PiV3tFi3W0uLljXQVzAzk-y1JaQMqB7Zs_9xkVVuFc0QGGvVx_A</div> into this browser address bar and press "Enter";</li> <li>your personal page should be opened now; if it didn't then wait for a bit and try again.</li> </ol> <p>If you can not perform this steps then check your internet connection and try again. 
If it still doesn't work, try asking some computer guy for help in performing this steps for you or look for some video guides on <a href='https://www.youtube.com/results?search_query=tor+browser+install' onclick='javascript:return openlink(this.href)'>YouTube</a>.</p> </div> <div class='info'> <p>You can find a copy of this instruction in files named "!HELP_SOS" stored next to your encrypted files.</p> </div> </div> <div class="text l l-de" > <h1>Anleitung zur Dateiwiederherstellung</h2> <p>Sie haben sicherlich gemerkt, dass Sie Ihre Daten nicht öffnen können und dass Programme nicht mehr ordnungsgemäß funktionieren.</p> <p>Dies ist zu erwarten. Die Dateiinhalte existieren noch, aber wurden mit {us_enc}} verschlüsselt.</p> <p>Ihre Daten sind nicht verloren. Es ist möglich, sie mit Hilfe von Entschlüsselung in ihren Originalzustand zurückzuversetzen.</p> <p>Die einzige Möglichkeit das zu tun, ist die Verwendung von <span class='us'>"SAGE Decrypter"</span> Software und Ihr persönlicher Entschlüsselungskey.</p> <div class='info'> <p>Das Verwenden von anderer Software, die angeblich ihre Daten wiederherstellen kann, wird dazu führen, dass Ihre Daten beschädigt oder zerstört werden.</p> </div> <p>Sie können die <span class='us'>"SAGE Decrypter"</span> Software und Ihren Entschlüsselungskey auf Ihrer persönlichen Seite erwerben, indem Sie diesen Links folgen:</p> <div class='keys'> <div class='key'> <a href="http://7gie6ffnkrjykggd.op7su2.com/login/AelT-PiV3tFi3W0uLljXQVzAzk-y1JaQMqB7Zs_9xkVVuFc0QGGvVx_A" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.op7su2.com/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.pe6zawc.com/login/AelT-PiV3tFi3W0uLljXQVzAzk-y1JaQMqB7Zs_9xkVVuFc0QGGvVx_A" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.pe6zawc.com/</a> </div> </div> <p>Falls Sie nach ihrem persönlichen Key gefragt werden, kopieren Sie ihn in das Formular auf dieser Seite. 
Dies ist Ihr persönlicher Key:</p> <div class='keys'> <div class='key'> AelT-PiV3tFi3W0uLljXQVzAzk-y1JaQMqB7Zs_9xkVVuFc0QGGvVx_A </div> </div> <p>Sie können eine Datei gratis entschlüssen, um sicher zu sein, dass die "SAGE Decrypter" Software ihre Daten wiederherstellen kann</p> <div class='info'> <p>Falls keine dieser Links über einen längeren Zeitraum funktionieren sollten oder Sie Ihre Daten so schnell wie möglich wiederherstellen müssen, können Sie Ihre persönliche Seite mit Hilfe des "Tor Browser" aufrufen.</p> <p>Dazu benötigen Sie:</p> <ol> <li>Öffnen Sie den Internet Explorer oder einen anderen Internetbrowser;</li> <li>Kopieren Sie diese Adresse <a href='https://www.torproject.org/download/download-easy.html.en' onclick='javascript:return openlink(this.href)'>https://www.torproject.org/download/download-easy.html.en</a> in die Adressleiste und drücken Sie "Enter";</li> <li>So bald sich die Seite öffnet, wird Ihnen der Download des Tor Browser angeboten. Laden Sie ihn herunter und führen Sie die Installation aus, indem Sie den Installationsanweisungen folgen;</li> <li>Wenn die Installation abgeschlossen ist, öffnen Sie den soeben installierten Tor Browser und drücken Sie den "Connect" Knopf (Der Namen kann abweichen, falls Sie eine nicht-englische Version installiert haben);</li> <li>Tor Browser wird eine Verbindung herstellen und ein normales Browserfenster öffnen;</li> <li>Kopieren Sie die Adresse <div class='key'>http://7gie6ffnkrjykggd.onion/login/AelT-PiV3tFi3W0uLljXQVzAzk-y1JaQMqB7Zs_9xkVVuFc0QGGvVx_A</div> in die Browseradressleiste und drücken Sie "Enter";</li> <li>Ihre persönliche Seite sollte sich nun geöffnet haben; falls nicht: Warten Sie eine Weile und versuchen Sie es erneut.</li> </ol> <p>Falls Sie nicht in der Lage sind, diese Schritte durchzuführen, überprüfen Sie Ihre Internetverbindung. 
Wenn es noch immer nicht funktioniert, fragen Sie jemanden, der sich mit Computern auskennt, um diese Schritte durchzuführen oder schauen Sie sich einige Videoanleitungen auf {a_youtube}} an.</p> </div> <div class='info'> <p>Sie finden eine Kopie dieser Anleitung in einer Datei namens "!HELP_SOS" neben Ihren verschlüsselten Daten.</p> </div> </div> <div class="text l l-it" > <h1>Istruzioni per il recupero dei file</h2> <p>Probabilmente hai notato che non puoi più aprire i tuoi file e alcuni software hanno smesso di funzionare correttamente.</p> <p>Questo era previsto. I tuoi file si trovano ancora al loro posto, ma sono stati crittografati da <span class='us'>"SAGE 2.0 Ransomware"</span>.</p> <p>I tuoi file non sono persi, è possibile farli tornare al loro stato normale eseguendo una decrittazione.</p> <p>L'unico modo in cui è possibile f

Extracted

Path

C:\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; } h2 { color: #555; text-align: center; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 1em 0.1em; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == 
v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c != '') && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } var langs = ["en","de","it","pt","es","fr","kr","nl","ar","fa","zh"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function onPageLoaded(){ try{ tweakClass('lsb', function(el){ el.style.display = 'block'; }); }catch(e){} try{ setLang(en); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; document.getElementById('file').style.display = 'block'; document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-nl' 
onclick="javascript:return setLang('nl')">Nederlands</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,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" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2> <h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2> <h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2> <h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2> <h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2> <h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2> <h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2> <h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2> <h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2> <h2 class='l l-zh' >文件已被加密,但是可以解密</h2> <p><span id='filename'></span></p> </div> </div> <h2>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.0 Ransomware".</h2> <h2>Action required to restore your files.</h2> </div> <div class='container'> <div class="text l l-en" style='display:block'> <h1>File recovery instructions</h2> <p>You probably noticed that you can not open your files and that some software stopped working correctly.</p> <p>This is expected. 
Your files content is still there, but it was encrypted by <span class='us'>"SAGE 2.0 Ransomware"</span>.</p> <p>Your files are not lost, it is possible to revert them back to normal state by decrypting.</p> <p>The only way you can do that is by getting <span class='us'>"SAGE Decrypter"</span> software and your personal decryption key.</p> <div class='info'> <p>Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.</p> </div> <p>You can purchase <span class='us'>"SAGE Decrypter"</span> software and your decryption key at your personal page you can access by following links:</p> <div class='keys'> <div class='key'> <a href="http://7gie6ffnkrjykggd.op7su2.com/login/AelT-PiV3tFiCCV5GuZEb0dpUaZ0ovbTFcMQKZ7gebg1qmfdojvDiiLA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.op7su2.com/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.pe6zawc.com/login/AelT-PiV3tFiCCV5GuZEb0dpUaZ0ovbTFcMQKZ7gebg1qmfdojvDiiLA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.pe6zawc.com/</a> </div> </div> <p>If you are asked for your personal key, copy it to the form on the site. 
This is your personal key:</p> <div class='keys'> <div class='key'> AelT-PiV3tFiCCV5GuZEb0dpUaZ0ovbTFcMQKZ7gebg1qmfdojvDiiLA </div> </div> <p>You will also be able to decrypt one file for free to make sure "SAGE Decrypter" software is able to recover your files</p> <div class='info'> <p>If none of those links work for you for a prolonged period of time or you need your files recovered as fast as possible, you can also access your personal page using "Tor Browser".</p> <p>In order to do that you need to:</p> <ol> <li>open Internet Explorer or any other internet browser;</li> <li>copy the address <a href='https://www.torproject.org/download/download-easy.html.en' onclick='javascript:return openlink(this.href)'>https://www.torproject.org/download/download-easy.html.en</a> into address bar and press "Enter";</li> <li>once the page opens, you will be offered to download Tor Browser, download it and run the installator, follow installation instructions;</li> <li>once installation is finished, open the newly installed Tor Browser and press the "Connect" button (button can be named differently if you installed non-English version);</li> <li>Tor Browser will establish connection and open a normal browser window;</li> <li>copy the address <div class='key'>http://7gie6ffnkrjykggd.onion/login/AelT-PiV3tFiCCV5GuZEb0dpUaZ0ovbTFcMQKZ7gebg1qmfdojvDiiLA</div> into this browser address bar and press "Enter";</li> <li>your personal page should be opened now; if it didn't then wait for a bit and try again.</li> </ol> <p>If you can not perform this steps then check your internet connection and try again. 
If it still doesn't work, try asking some computer guy for help in performing this steps for you or look for some video guides on <a href='https://www.youtube.com/results?search_query=tor+browser+install' onclick='javascript:return openlink(this.href)'>YouTube</a>.</p> </div> <div class='info'> <p>You can find a copy of this instruction in files named "!HELP_SOS" stored next to your encrypted files.</p> </div> </div> <div class="text l l-de" > <h1>Anleitung zur Dateiwiederherstellung</h2> <p>Sie haben sicherlich gemerkt, dass Sie Ihre Daten nicht öffnen können und dass Programme nicht mehr ordnungsgemäß funktionieren.</p> <p>Dies ist zu erwarten. Die Dateiinhalte existieren noch, aber wurden mit {us_enc}} verschlüsselt.</p> <p>Ihre Daten sind nicht verloren. Es ist möglich, sie mit Hilfe von Entschlüsselung in ihren Originalzustand zurückzuversetzen.</p> <p>Die einzige Möglichkeit das zu tun, ist die Verwendung von <span class='us'>"SAGE Decrypter"</span> Software und Ihr persönlicher Entschlüsselungskey.</p> <div class='info'> <p>Das Verwenden von anderer Software, die angeblich ihre Daten wiederherstellen kann, wird dazu führen, dass Ihre Daten beschädigt oder zerstört werden.</p> </div> <p>Sie können die <span class='us'>"SAGE Decrypter"</span> Software und Ihren Entschlüsselungskey auf Ihrer persönlichen Seite erwerben, indem Sie diesen Links folgen:</p> <div class='keys'> <div class='key'> <a href="http://7gie6ffnkrjykggd.op7su2.com/login/AelT-PiV3tFiCCV5GuZEb0dpUaZ0ovbTFcMQKZ7gebg1qmfdojvDiiLA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.op7su2.com/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.pe6zawc.com/login/AelT-PiV3tFiCCV5GuZEb0dpUaZ0ovbTFcMQKZ7gebg1qmfdojvDiiLA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.pe6zawc.com/</a> </div> </div> <p>Falls Sie nach ihrem persönlichen Key gefragt werden, kopieren Sie ihn in das Formular auf dieser Seite. 
Dies ist Ihr persönlicher Key:</p> <div class='keys'> <div class='key'> AelT-PiV3tFiCCV5GuZEb0dpUaZ0ovbTFcMQKZ7gebg1qmfdojvDiiLA </div> </div> <p>Sie können eine Datei gratis entschlüssen, um sicher zu sein, dass die "SAGE Decrypter" Software ihre Daten wiederherstellen kann</p> <div class='info'> <p>Falls keine dieser Links über einen längeren Zeitraum funktionieren sollten oder Sie Ihre Daten so schnell wie möglich wiederherstellen müssen, können Sie Ihre persönliche Seite mit Hilfe des "Tor Browser" aufrufen.</p> <p>Dazu benötigen Sie:</p> <ol> <li>Öffnen Sie den Internet Explorer oder einen anderen Internetbrowser;</li> <li>Kopieren Sie diese Adresse <a href='https://www.torproject.org/download/download-easy.html.en' onclick='javascript:return openlink(this.href)'>https://www.torproject.org/download/download-easy.html.en</a> in die Adressleiste und drücken Sie "Enter";</li> <li>So bald sich die Seite öffnet, wird Ihnen der Download des Tor Browser angeboten. Laden Sie ihn herunter und führen Sie die Installation aus, indem Sie den Installationsanweisungen folgen;</li> <li>Wenn die Installation abgeschlossen ist, öffnen Sie den soeben installierten Tor Browser und drücken Sie den "Connect" Knopf (Der Namen kann abweichen, falls Sie eine nicht-englische Version installiert haben);</li> <li>Tor Browser wird eine Verbindung herstellen und ein normales Browserfenster öffnen;</li> <li>Kopieren Sie die Adresse <div class='key'>http://7gie6ffnkrjykggd.onion/login/AelT-PiV3tFiCCV5GuZEb0dpUaZ0ovbTFcMQKZ7gebg1qmfdojvDiiLA</div> in die Browseradressleiste und drücken Sie "Enter";</li> <li>Ihre persönliche Seite sollte sich nun geöffnet haben; falls nicht: Warten Sie eine Weile und versuchen Sie es erneut.</li> </ol> <p>Falls Sie nicht in der Lage sind, diese Schritte durchzuführen, überprüfen Sie Ihre Internetverbindung. 
Wenn es noch immer nicht funktioniert, fragen Sie jemanden, der sich mit Computern auskennt, um diese Schritte durchzuführen oder schauen Sie sich einige Videoanleitungen auf {a_youtube}} an.</p> </div> <div class='info'> <p>Sie finden eine Kopie dieser Anleitung in einer Datei namens "!HELP_SOS" neben Ihren verschlüsselten Daten.</p> </div> </div> <div class="text l l-it" > <h1>Istruzioni per il recupero dei file</h2> <p>Probabilmente hai notato che non puoi più aprire i tuoi file e alcuni software hanno smesso di funzionare correttamente.</p> <p>Questo era previsto. I tuoi file si trovano ancora al loro posto, ma sono stati crittografati da <span class='us'>"SAGE 2.0 Ransomware"</span>.</p> <p>I tuoi file non sono persi, è possibile farli tornare al loro stato normale eseguendo una decrittazione.</p> <p>L'unico modo in cui è possibile f

Targets

    • Target

      D02D012970AA164CAD15C757D7E52994.exe

    • Size

      214KB

    • MD5

      d02d012970aa164cad15c757d7e52994

    • SHA1

      25eef16797a7cf4168938f9d372332d65356b6f7

    • SHA256

      eba685abd63d2c7378f788aa5ca8e4f95f4b82b51347cb8818090ef54e8f7d29

    • SHA512

      640545996e924b5f759ba69f970686e67defc9142a195fb6774dd275e22961fd9b21328b119d42b4032f1cf4eb6363ccce64bf6f423d2bf3ddc1d8d5b1f524ee

    • SSDEEP

      3072:BM+lmsolAIrRuw+mqv9j1MWLQ6xZ4qM+lmsolAIrRuw+mqv9j1MWLQlL:6+lDAArx2+lDAAmL

    Score
    1/10
    • Target

      DBm0yQwt.exe.ViR.exe

    • Size

      216KB

    • MD5

      3cb2c3ce48ac870ab0be9afb7233295f

    • SHA1

      b87ac51e95b85e64bb3fecbbb8f9d2acb5b53895

    • SHA256

      ac3f6f87217e1d4fbcd56289b4c77b1adea3dbbaf4131a84b7b2508d6fadcfaf

    • SHA512

      e41c6ad1f5522dda96e19fdf4b79ebd8b7bc13507c5ed5afc1155e37b1dabf16f11f66b1101124035d3d92a942bcd60122e3751069ebd7da1a36e498845b6900

    • SSDEEP

      3072:UPPdPl/PuW/Yqoeog665R6OKEjzG6hgckhmnl/5aUWTo+Kuv+nAo:UHTnVHv82ZJFgJ+/Hxn

    • Contacts a large (7699) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Sets desktop wallpaper using registry

    • Target

      ca6ec46ee9435a4745fd3a03267f051dc64540dd348f127bb33e9675dadd3d52.exe

    • Size

      1.5MB

    • MD5

      4b4d8abbca536c987fca430af62c9bc8

    • SHA1

      4055b08de4d70cd512e1f10d186d887a2c38c86e

    • SHA256

      ca6ec46ee9435a4745fd3a03267f051dc64540dd348f127bb33e9675dadd3d52

    • SHA512

      1feb88f28eeda10e670761cda1d61039fc51f76e38aaf731cf11d7f4621b5f45ac2816037fbaf5a40ad53f14e221f24dbefc34023329a6b753fb90c35a515736

    • SSDEEP

      24576:C6+MSDnehBCO+whjuFtxY5CMbkQfLenj3eesz07m5zvRquduX85ng7ScD:C6PQe3X+C6Mb1Den5i0MzvRgX85g7ScD

    • Removes its main activity from the application launcher

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Target

      calc.exe

    • Size

      161KB

    • MD5

      df543c8c85a47c41886f644f4ecf66ff

    • SHA1

      460154b09e361829c46efcbd64848bfd1db43f53

    • SHA256

      ef00fed6e97e926bdb3b968030795ef5dd34e8e40dec2b7cf802de97feed6321

    • SHA512

      2a43d36b8db163de66c48d3e1db318d4ffc4aa52f2bb5e3b5074cd597cedd18be5f01b07d1afe7cb53af54c54d4e3e32e0bd0c27d2f8698459c1214b5ebfc17d

    • SSDEEP

      3072:g4eqa10YgyW9nnrS8zut754EmUQqWKcm+cqAdZuRqoDb1Ndgjx9MApVfqF8CHJq:A5WFrbzSeE6qWK+yHuR/DfCt9vpAFrp

    Score
    5/10
    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Target

      ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2_Dumped_TDS=4F9911B3.exe

    • Size

      112KB

    • MD5

      c1fa82712918b9907168593ce4497295

    • SHA1

      dbd20b8fb720fa9735c9b4edce20f819f26f3f15

    • SHA256

      ffdc8e2813a270f45ebd2540e0b0d8730443b6ab444c2d8ac4d1b4dbbd1e7854

    • SHA512

      3ddc30baca3c92566e68d2148912fdd72d470404793edd7448464ec9c5a092e336e0176ea4f55dedabc6f95bd7ad974507324177cb191d26a1f208dfb9b1db4c

    • SSDEEP

      1536:mf/YvFSSZtDgN+DrDkDEFtCofF89lGL+v:Q/Yv0SZtDgN+Dr+EpfF89ll

    Score
    10/10
    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Adds Run key to start application

    • Target

      ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2_TDS=4FAD9768.exe

    • Size

      68KB

    • MD5

      2fbed8e1453f1cf9c9ac43d642df00fc

    • SHA1

      22aa6eeb79e95ff26f0775804152041aeb6df46b

    • SHA256

      ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2

    • SHA512

      88043ca993f9fc81ae9a8da8579274796fde3f8bded78e11419fa06cf41466d671b0c50169645f19fa9e683c0b014d24366b31552f561267f03d0f2214578687

    • SSDEEP

      1536:HFxpZTK0l7htEAoWt4EsLGtPx00oipJlzL6oMNbzKl+OJL8LeG:HjpZTKk1te/rLGtPC0NFLnY4R1G

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Adds Run key to start application

    • Target

      cd2d085998a289134ffaf27fbdcbc8cb_api-ms-win-system-dispex-l1-1-0.dll

    • Size

      440KB

    • MD5

      cd2d085998a289134ffaf27fbdcbc8cb

    • SHA1

      e22678fe4bd0b209b14d5ed061ae61bb52e79df1

    • SHA256

      0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e

    • SHA512

      69c3ea1ff6c140ac4b21051bf0c0f3049750c31c0a1622ffa145daa1285b24678cd02d6bc89f85ecc5416b99ee99f42763a2d4e1d214c1d9d9e4acee834adc93

    • SSDEEP

      6144:LDOrPcXOQeRKIawC7duJDaD0A9B5+9MRALsfwT4HZQO2f8etm:LqDQiF/Ad+9YzHZeZ

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive stored data.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      cdffb7e75b20eeae4db75c9962c17b3be980a719f7597e8b11a747d72c975a36_not_packed_maybe_useless.exe

    • Size

      53KB

    • MD5

      16f3a592d1a19d9873134f8e9c6ebbcc

    • SHA1

      4e1a7a09e393c0d387e4846b4a48bfe273effe43

    • SHA256

      cdffb7e75b20eeae4db75c9962c17b3be980a719f7597e8b11a747d72c975a36

    • SHA512

      2b80c9ee5ba51132ab19059bef46d6db6228bea1d250905795f27ffabfffc20ad785aba42129a1d95b6432ea5a4cab226bf23cc7c2f658f7dc40770af93d492c

    • SSDEEP

      768:uxX2MKhRw7+am7nx3h1OPG0H+l65Fuj0AjmWTbsbIK9QnjVPCxPao1X7tiJ+r/:uFKIqamtRMPJQoh2mqxTnjVPpJG

    Score
    3/10
    • Target

      cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

    • Size

      501KB

    • MD5

      8cef8cf2a22f58a16b12b5b0b05552ba

    • SHA1

      cf7382c25a8bf0d904d51063ceb29fb70f630bc9

    • SHA256

      c95fde4a188dbc361f9eff80e9ba9d082ef40f7a16809b5ef4886903f8fc8698

    • SHA512

      86031b49267669987ee4cbe0e267d953c17032428c4ccaac318c3737c2b9a4c0203fa162f8c83a7f1616b73450118e6e5c0a474008130e1681443b3a51171591

    • SSDEEP

      12288:clxTE2jm56ven1viU+NoAHKor2Bzqbb+0eT9aEZuo:cE2qvGHKorIaK0eMjo

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      cgi19-alptsevs-h555.exe_.exe

    • Size

      569KB

    • MD5

      e9b9c39dd91c7fac1ee0b92e018a21bd

    • SHA1

      1ddcf37b32f90f864b51adba3f4bd3a0f5ea935f

    • SHA256

      388cc8da15d0fbee9bb9fb87715c8f2967b1584a12e30b4ea1ebbc27ff3b557b

    • SHA512

      dee5a5da3fe70e5d15f48ba9e8d9204a2de641b91e22a8e3ddb7dfaa1aafd6d943bb21188985bb8d40836fc6e24ee2df9a9d988f5ea8048d30517cd6bf7e3add

    • SSDEEP

      12288:j3nZMhJ+ubNmz0C4nkspjhPMy7NxkIXGUikyjk0y0xjYfYK4zjibVWidV3BtGN:j3nZqfbkz94h9P1+sbi3j2Bwjifv3BAN

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive stored data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Target

      chrst.exe

    • Size

      130KB

    • MD5

      c657daf595b5d535ccc757ad837eebe8

    • SHA1

      894e953e86e54a830a14fac94e57569d184a9c09

    • SHA256

      a02565ec78fa1221433e720bd57b044938345b8c65a73143bd9ff73529767526

    • SHA512

      21a26bc146dd2a915c17b268b13edc565e9a582d11c1714d89741f4156a880dfe35415d4920a6326d164519f4b28b6371ef9c7bfdb5e19080448bd77b4a20a4b

    • SSDEEP

      3072:YpcslRnXfFdRIVLdkVz1ZIGWSt8t81U3Uxi1mVB9kx:4XfNSLdkryGd

    Score
    3/10
    • Target

      ci05l2a.exe

    • Size

      179KB

    • MD5

      27b4d4c481f97f0a90c420fb106be2a1

    • SHA1

      35c8fd7176b2f50caf6af597b07d18074a6c8619

    • SHA256

      94bf77695e893c6c9cd0b69e1081eb00a617ec384c980c127681d010f8aceb71

    • SHA512

      8e6d23ec233308c32dfe4373900132b021856082584c94ddc01c31b74c859cdf73cb3b2816fd51a693848b35d248bcdc76212a3b323ccc045dcfc8df59bb31c5

    • SSDEEP

      3072:Kz23EV9nbulU4sYjoEgwNLu4T4gG1ZJC8VMKsMJ9Bi1YrJ+YPkiKL/vZ6d:o3aJoEgiLuEEJjMaNI1iI6d

    Score
    1/10
    • Target

      cl.exe

    • Size

      236KB

    • MD5

      748ec019c171f22b8384195742967c51

    • SHA1

      e3fefcbd3c432ac85d046a7ab27d2b0114ae658a

    • SHA256

      b082e82311a6e8416b1823122959ea368316a936aa6ca667c032d300f76effaf

    • SHA512

      a2bbef3dacdac5d5cf65f71f97c663b8731e2f2dbd9d923076e3551b68fce33157b961bd4709bfd6ccb1c5c807c453a8bae209538093dfe4c0662fb7e074ddc3

    • SSDEEP

      6144:6741oQa1cxp/UWD9xgYxY68hX7Ph0ht7LRhU/a:v1uOp8J2Y68hLPhZ

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      clean.exe

    • Size

      114KB

    • MD5

      d15cfcd6caabb1cd1ebdc352a6ebb39e

    • SHA1

      e60f23f716f37a7c91ae459fba65e41b4a60f752

    • SHA256

      c926450324f23575ff6e980b70688caa56f584a84f2b447aea78183828099e50

    • SHA512

      c5e3989e8157520036db2937c68bbb603ad58d16217fabbcb4860a7193d43e27d99062f4edcfcf3ab158ed7f0122df8665dd39aa1de53e81b2399aea6de7db57

    • SSDEEP

      768:W+ry2sgHBHn+Kcv+aEtm0aOL9/rxM/UUk9B:I7gpiyri/UUYB

    Score
    3/10
    • Target

      coinvault.exe

    • Size

      544KB

    • MD5

      b3a7fc445abfba3429094542049063c2

    • SHA1

      451d2a60192d5a49c13dd4aed19c15448358969d

    • SHA256

      2a5333438bed6532770f7d34b72439006625a9b38fd91f7659e390530cda18fd

    • SHA512

      711d5a9a0fe539dc9e12092d360b008cc469cd387606e5a76c703e98b7e71863256cea4dbabf41b69b5d6bf0a7cebc01f2acd445c8d0e3a841f8dc46bc532908

    • SSDEEP

      12288:xtMW53Bkb5nG7KC/MIkf74f6Z0PvB5V/EXF:xtJ53m5G7fP+Mi

    • Target

      com_loader.exe

    • Size

      64KB

    • MD5

      7bb58c27b807d0de43de40178ca30154

    • SHA1

      d3a69a5aa1f49a55eaed6de0686b45dede103b31

    • SHA256

      eb72bef17b4f62a3cef6e36385cbdd65cf916f36b28d86b37b2990e2fc9e5330

    • SHA512

      538527ca1c5037f4325ceca26b66ee0ef2d293eb29566b6bffa521593fa52e13450a01ba194ca5f574b2fa2d3335f3ab14ce759bf2d3421f746ffee5617a9d32

    • SSDEEP

      768:TDYGaFFIR9v3PHchAps29+PP+ZkY1DjSzT2MxeRzL3MJV:HdJIAps29uujJjSH25

    Score
    3/10

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Tasks

static1

upx
Score
6/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

defense_evasion, discovery, execution, impact, ransomware
Score
10/10

behavioral4

discovery, ransomware
Score
10/10

behavioral5

evasion, persistence, stealth, trojan
Score
8/10

behavioral6

evasion, persistence, stealth, trojan
Score
8/10

behavioral7

evasion, persistence, stealth, trojan
Score
8/10

behavioral8

upx
Score
5/10

behavioral9

persistence
Score
7/10

behavioral10

discovery, persistence
Score
10/10

behavioral11

discovery, persistence
Score
7/10

behavioral12

discovery
Score
3/10

behavioral13

discovery, spyware, stealer
Score
8/10

behavioral14

discovery, spyware, stealer
Score
8/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discovery, persistence
Score
6/10

behavioral18

discovery
Score
3/10

behavioral19

bootkit, discovery, persistence, spyware, stealer
Score
7/10

behavioral20

bootkit, discovery, persistence
Score
7/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

discovery, persistence
Score
7/10

behavioral26

discovery, persistence
Score
7/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

defense_evasion, discovery, execution, impact, persistence, ransomware
Score
9/10

behavioral30

discovery, persistence
Score
6/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10