General

  • Target

    Batch_4.zip

  • Size

    8.6MB

  • Sample

    241122-dkdx1ayrbr

  • MD5

    3179e3edf25f87e78f2fd054faf6ae60

  • SHA1

    7648fb854c73c9a191b935278bcefd58cc5ad3fc

  • SHA256

    471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

  • SHA512

    b7d25a1a9008d363058192cd353fdd58c504db313bbcd9bf1090688c8af735f696c8a0551b3023f948de66f9f33c20c5cee18bde680afe7b2e2b60074f8abab7

  • SSDEEP

    196608:ttxPNvdJy9CNBi63RgR+itIShWmG9E6rHm5F2T97o:Vh7iCNveR+ipWmNEBo

Malware Config

Extracted

Path

C:\MSOCache\All Users\README_HOW_TO_UNLOCK.TXT

Ransom Note
YOUR FILE HAS BEEN LOCKED In order to unlock your files, follow the instructions bellow: 1. Download and install Tor Browser 2. After a successful installation, run Tor Browser and wait for its initialization. 3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion 4. Follow the instructions on the site.
URLs

http://zvnvp2rhe3ljwf2m.onion

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\How to restore files.hta

Ransom Note
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="windows-1251"> <title>GLOBE</title> <HTA:APPLICATION ICON="msiexec.exe" SINGLEINSTANCE="yes"> <script language="JScript"> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">YOUR FILES HAVE BEEN ENCRYPTED! </div> <div class="note private"> <div class="title">You personal ID</div> <pre>0178939591092578510096713288732734444436291030185111743159249877518849824774525780010420486703547306 4652603242890427289402157602390455027228145456585345657734661767927182934824784938044688982522451884 2620491262784131357266215950492358629941402487830576900203840833202399044220143367661121649632629301 5179074928560462574007465013958853843624259358386489262940377839951938122385622534242951108648983031 8880908644210114037550933639458208337240403693102170667425911540428961429569026846183735086129319325 3554270790458608138933805365087188517064690041601048024281544630417835654425448174464853540195663395 457396003521030681</pre><!-- !!! ������ �� ������ !!! --> </div> <div class=bold>Your files have been been encrypted with a powerfull strain of a virus called ransomware.</div> <div> Your files are encrytped using rsa encryption, the same standard used by the military and banks. It is currently impossible to decrypt files encrypted with rsa encryption..</div> <div>Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info neccessary to decrypt all your files, quickly and easilly. </div> <div>In order to get in touch with us email us at <span class="mark">[email protected]</span>.In your email write your personal ID (its located at the up of the page, it is a string of random characters). Once we receive your personal ID, we will send you payment instructions. </div> <div>As proff we can decrypt you files we may decrypt 1 small file for test. </div> <div class="note info"> <div class="title">If you dont get answer from [email protected] in 10 hours</div> <ul> <li>Register here: <a href="http://bitmsg.me">http://bitmsg.me</a> (online sending message service Bitmessage)</li> <li>Write to adress <span class="mark">BM-2cUrKsazEKiamN9cZ17xQq9c5JpRpokca5</span> with you email and personal ID</li> </ul> </div> <div>When you payment will bee confirmed, You will get decrypter of files on you computer.</div> <div>After you run decrypter software all you files will be decryped and restored.</div> <div class="note alert"> <div class="title">IMPORTANT!</div> <ul> <li>Do not try restore files without our help, this is useless and you may lose data permanetly</li> <li>Decrypters of others clients are unique and work only on PC with they personal ID.</li> <li>We can not keep your decryption keys forever, meaning after 1 week after you have been infected, if you have not paid, we will not be able to decrypt your files. Email us as soon as you see this message, we know exactly when everyone has been encrypted and the longer you wait, the higher the payment gets. </li> </ul> </div> </body> </html>
Emails

class="mark">[email protected]</span>.In

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\_XiaoBa_Info_.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>[email protected]</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } img { display:block; margin:auto; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAB4CAYAAAA5ZDbSAAAABmJLR0QA/wD/AP+gvaeTAAAAB3RJTUUH1gQdASckuERAkwAAHNZJREFUeJztnXmQHNd93z+v77l2jj0BkCAJghBo0SYJUpRKJC2Ksmm5Uo4kp2iplEAFoRy6kirFSUqp+A+XzUrKqaQc5yqVXFIYiSqKkhzK0UGTkmxLlERTRUEUBJIgQNyLvbC7c+7cM328/NHTM7PAAtxjZnYJ7beqa3r6eP26v/27X3fDNraxjW1sYxvb2AyIze5Av3Hw4MExVVVTiqIkgYTneUJRlLyiKIVGo5F96qmnFje7j/3EdUXwo48+qkaj0fcBDwN3AweAibfYbQE4Chz1PO+FarX6w2eeecbtc1cHhuuC4E9+8pPvAz4OfAQY3WBzGSHENzzP+8qTTz75ww13bpPxtiX48ccfV6ampj4kpfz3wLuvtp1lWei6jqZpaJoGgOM4OI6DbdvU6/VrHeZnQoj/snv37m88/vjjXm/PYDB4WxJ86NChh4QQnwHe2b1cCEE0GiWRSBAOhwmHwyiK0rXen5eyw5XnedRqNSqVCoVCgXK5jJTy8kO+AfyrL37xiz/o0yn1DW8rgg8ePDimadqfAwfp6rtpmoyPj5NIJNB1HV0PYZoRDCOMrofQNANFUbt2kXiei+M0aTZr2HaVRqOCbdewbZtCocDi4uJK0v1lVVU//cQTTywM5ow3jrcNwYcPH35ESvkVYDhYFgqF2LFjB8lkEk0ziURShMP+vKIILEvDNFUMQ0NRQFV9CXZdiedJmk2HRsOlXnfwPInjNKhW81SreWy7Tj6f59KlS9Rqte6u5IQQ/+wLX/jCdwZ7BdaHtwPB4vDhw38spfxTQAVQVZWdO3cyNjaGYYQZGhonFIqj6xqxmEEsZmCaGmKVZycl1Os25bJNqdTEth1qtSLF4jzNZpVMJsPMzAyu23auPSnlf7z55pv/w1a3zVua4EOHDlmKonxVSvnhYFkikWD37t2YZohk8gbC4SSWpZFKWUSjRk+OWy43yeXq1OsOtVqBfH6Ger3K1NQUhUKhvZ3ned+pVqv/5Jlnnqldo7lNxZYl+LHHHgvbtv0t4DeCZTfccANjY2PEYqPE4zsxTZ3R0RDhsN6XPlSrDplMjXq9ydLSHOVyhoWFBWZmZtrbOI7zk1gs9luf/exny33pxAahbnYHVsJjjz0Wt237O8BDAJqmsXfvXkZGRhkZuZmhoQlSKYvx8Qi6rly7sQ1A1xWGhgwURUGICLoeRtM8otEIS0tLeJ6Hoig31uv13z5w4MBfHTt27Jox12ZgyxH86KOPGpqmPQu8D3xy9+3bRyIxzOjoXiKRIXbsCBON9kdqV4JlqUQiGratYVlxpGwSi0UpFAoByTts2354eHj4y5OTk87AOrYKbDmC77vvvieEEB8BMAyDffv2EY8PMzZ2G7FYmImJUF+l9mpQVUEspuM4CoYRx3FqxGK+JLuui6qquyzLuvv48eP/F9gyjteWIvjw4cN/BHwafE95//79DA2lGB3dy9CQydiYtWrPWFEULMsiFAoRiUSIRCJEo1EikQihUKid4VIUBdd1V0puXAEhIBrVcBwwjDiuWycaDZPL5fA8D13X9+3Zsyd58uTJ7wFv3eAAsGUIbuWTvwQoQgj27t1LPD7M+PhtxGImIyPmqtqxLItYLEYsFmuTqKpqy44KhBAoioKqqui6jmmahMNhdF1HSonjvLWGDYc1XFegaUPYdpVQyCSXywFgmuZ9o6OjZ8+fP//aBi5Hz7AlCP74xz+e1DTtu0AS4Oabb2Z4eISxsX3EYhbDw28d/pim2U5Rqury0+omVnSpgG6pVVUVy7KwLAvXdd+S6FBIbZEcxXGqGIZOoVBACCEikcj7bNt+Lp1Op9dyHfqBLUHwvffe+yRwP8Dw8DC7du1idPQ2IpEwIyPXJldRFOLxOLFYrJ13FkKg6zqGYWCaJoZhtFKYnSlYpqoqQog22YqiEAqFUFWVZrN5TdVtWSrNpkDTIkhZp9FoUKvVUBQlnEwm3/nGG298C9hUz3rTCT506NDvCCH+DHwpvPXWW0kmbyAWSzI6qiOEL2krTbquk0qlMAz/JlAUBdM0MU0TVVVpNGyy2SJzc1mmptJMTaWZnc2yuFigWKxg2w66rmFZZtsee56HlBJN07Asi2azieM4Kx4fJKGQQrOpIoSKYUA+n8d1XQzDuDmVSmUuXLjwCrBp9eVNJfhTn/qUadv2N4Hhjt0dIZm8keFhHU27ukdlWRapVKqtdk3TxLIsQJBOF3jjjWkuXFhkfj5LOp0mn89QLGYplfIUi0UKhSK5XIW5uQLp9BKaJohGwxiGgRAC13URQhAKhdqlxZUgBBiGwHEsbLuGaWpkMhkAIpHIndPT08/X6/VNU9WbSvAdd9zx74DfAxgdHWV8fILR0b3EYjrh8NVDoXA4TDKZRAiBqqrtsmA+X+LVVy8wO5shl5snn59maekS1Wq+TW6lUqBWW6LRKFEup6nVCjQaTQqFJouLBSIRg0gkhGEYbe86sMtXI1lVBSBQ1SjNZgnbblKtVlFVNToyMmKdPn36J0C1D5fwLbFpBB88eHBMUZSvA4aqqm3VHI3GSSSu3q1AcsFX6aFQCNf1OHVqmrNnF8jnL5HNTlIu51hcnGd2dpbp6WkWFhbIZDJkMhkWFxdZWFigVCph2w2gSbWaw7Zd8nmXer1BKhXDNH3P3XVdLMvCtu2rkqzrgmZTIKVAVV2y2Sye5xEKhX6lXC7/MJfLXWQT4uNNI/jAgQN/LIR4GGDXrl0MD48xPHwT8biCepVeGYbByMgIQggsy8I0Ter1BseOXWBhIUMmc45SKcvs7AwXLlxgaWnpqo6SlJJms0mxWCSdTuM4Dqrq0WgUcRydfL7K8HAMyzIRQuA4DpZlUa/Xu6tKy6DrAte1aDSKSOlRLBYRQmjRaDR06tSpnwKFFXfsIzaF4EOHDiWEEE8Dlq7r7Nmzh1TqZiIRi0hkZburKAqjo6NtL1fXder1JkePnieXS5PNniebTXP27FmKxeIyUqWUjVqtNlmr1SYbjcYl13UrmqZFhBBaaz2VSoVsNoth6LhuFSk18vkmo6MxTNPPRwckVyqVFW8aRQHPE4CJEA2y2Wwg/Xvm5+e/W6lU5oGBpjK1QR6sC/8SiAOMj49jmhFCoSGiUXHVsCSZTLZjVV3XaTSa/OIX58nnF8hmLzI/P8+lS5e693fy+fzL58+f/9HJkyfP2La9TOx0XVdvv/322/bs2fNAMpm8H9Acx+HcuXNMTEzgeS6e53H0KNxzzx5M00BKSb1eJ5VKcbUQNxKBRiOGaUYZHx9nenoaRVGse++999Bzzz03CZzrzSVcHQYuwY8//ri2tLT0FSCmqip79uwhmbyRaNTCslbeJxKJEIvFMAyj7fC89tpFMplFstnJto0NUCqVjr344ot/ceTIkR8vLCykPc8rA3lgCcgBS57nlRYWFubffPPN17LZ7Mujo6NjpmnuACiXy9i2jWGAohhUKh7j4/F2tgv8gXvNZvOKvgoBvgbXkbJOJpPB8zwsy7r59OnT33QcJ8MApXjgBN96662/LaX8A4CJiQmGh8dazpVEiCtjTUVRGBkZQdM0wuEwAGfOzDI/nyGTOc/MzAyLi+2x697k5ORTzz///NPFYrGMT+Zs63ceuABMAZOt+QvAuWKxeOnEiROvJxKJZiKR+FUhhFKtVlvxrEBVI7iuZHh4CE3TcBwHXdcpl8vtuLl7UlWJ61rU60vYdpNyuYyiKKZpmtNTU1Pn8W+2gWDgBN91113/CfgVIQQ33XQTqdSNRCJhTHNl1ZxIJLAsi2g0ihCCXK7I2bPzLC6eIZ1eYHZ2NtjUOX78+P946aWXgpBkGigCi8BZIIufVXLoFAI8wMa/AU5PTk6+put6fXR09D1CCLVSqbQSIA5SRonFQoTDJpqmYds2QojLx2sBgRQLPE/gefX2DWgYRvTEiRN/D2QYkEc9UII/8YlPDCuK8nlAjUajTExMkErtJhwGRbmSYE3TGB4ebjtVjuPy6qsXyWZnKBTSnDt3LlCZ3okTJz5z5MiRo/hqeBaoAWeANKu/mIW5ubmfDg0NNVKp1EOAKJVKDA3FUBRBva6xY0eynd5UFIVKpbKiV+2nvEPUanlKpRLNZhPDMMYXFxe/WyqV8sBARoAMtLCqKMqHAANgZGSEUCiBqmqo6pVqTkpJPB5H07R2KnJuLkOlUqRcTnPx4kU8z+dtdnb2//30pz99BV8S54AK8Gbrd60o//jHP/7zTCbzv8EfNz01NUW5nKZSWWJ21s9SGYaBqqrE4/EV+65pXsvjjzM87A8EFUKo+/fv/w1gZP1XcW0YNMEfBL8YkEgkiERS6LoLXHmBVFUlEom00o/QaNhcvJihUJgjm81SLvsCUK1WT37/+9//NlDCV8c14DS+6l0vGs8+++yn6/X6z8F3ujIZ/9hTUxkaDd+5CoVC7erVyrlyj3A4RSKRaFexUqnUewATiG6gf6vGwAh+7LHHdCnlI+B7xZqmY5pRdH1l6Y1Go8seN1lYyFGtlqjViszNzQEgpbRffvnlL7iuW8eXXBvf3vYiuV+en5//A6ABtMZHF6lUlpif92u/qqqiaRqxWOwqUuxiWTE0TSca9fmMRCJ3WJaVoFUa7TcGRnCz2XwPrdg3Ho9jWVEURSCEu0KVhnbBHvxU4cxMjlJpkUwm0w5P0un03128eHEe30P2gPPAlbHLOvHCCy/8vFqtfgnAtm0ymQzlcpqZmXzb7gYOIFxZ9VIUiaIITDPK0NAQAIqiWHfcccd9QKJX/bwWBqmiHw5mhoaGsKyhq9rewKkKpDefL1GtVqnVltoeqed59Zdffvlv8J2qKr6XXOp1p0ul0p9KKatA63GWEvV6lVzOP1TgI4RCoRXOxUNVHUKhOPF4vN3m2NjYPfi+SLjX/b0cAyNYCHEP+CnHcDiMZcVQFAfP866YQqEQpmm2L9TCwhLVap5yuUyj0QAgl8u9lM1mgzDIAWaufvT14/nnn59vNpt/BdBoNCgWi5TLOebn8+3+GYZBOBxe8VwUxVfTlmW1R5pEIpG9gA7E+tHnbgyMYCnlveCX+oRQ0DTzquo5Go2i6/6wWNt2yGYrVKt5stlsu72TJ0/+Pb70OnRI7guEEP89mM/lctRqefL5GrbtH9IwDCKRSHtkSPckhIummahqJ1ETCoVuwZfe64Pgw4cP7xRC7ACfYMMIt7zKK1V0UCUKvM5SqYJt17HtOktLSwA0Go2Zs2fPzuCrZQ8/1u0bnn766ddd130DoFAo4DhNbLtGsdiJwoKRJFfesC5CSHQ91CZYVdXYjTfeeBO+J93Xp0sGQrDneXcF8wHB4CDlygQbhtH+n89XaDR8GxwMhMtms0fww6EmPsl9z+1KKf8afIfPNxVlCoXKMjW9sh2WCOFhGOE2wQC7du16B36iaXXDRdeJnlaTnvjdHTcJ1T0gEMteozDfeP2hkuo7jYlSE2W2RD1j0VSudHit4WFm5oba/2emMtRz85CZZ8L2y6lR97x5+wOJB0O6OLAzrs1HdKXRy/NYCUv2K+ai3AmAmClSr08znXkNZbZzquVikUqXGQkgpYFSr5MozTNhXwIgMVJ+3/vfn3THouqDcUutSnAV4V2iaf/kk98s9Kxu3BP18MTvjd0v4D8DD/SivV9y2ELwDEL7o8Nfm5veaGMbJviJR8f/ECH/gi0wQvM6Q04q8sP//GvpFzfSyIYIfuKj4x/Df+reT61bHjftahANewixJZ7ceNvAdQWFksrFWRPX9WmRklLZcd/9b76RPbnedtdtg7/8T1NDdVv+L1rk7r2pzt13S9L2DdjKUPuFJ9tYHaTXZFgsceCOGV74SZhsQUMIYrjiS8D7WV/hZP0EN2zt47TeSTUxYnPnAY1s4iF2v/NudGvoLfbexuWQ0qNRTHPx2M94+MF/4NvfjdKwBTFLedcj+0K/87ena9/CjxzWhHUT7MEjgX7/tf0V5pUHecfd70XYNcgMdNjRdQGhqFhDO7jlXe9l+kez7Nszxeun/LBq/7jxgb89XXsdOMEan1pcN8FCihtp2dlYUked2IkQGsweBz0BarjTF0ln/vJfeZXl7XXd53P5vldpV15l+2XrV9GulOAN8NGiZhVj/Hac8E5GkufbiyO6shOI4Bco1jTcZ90ESyHNQII9oaPqrabcOozdA9H9IL0WSW7r1+v67Zq4bBlyhXVd27TXt5YtW9/dVrBeLl8vL9uH7mV0HceDygC1keNrYNUIoWudQSiaKkz8hEiSQRHM5R54IGzSAem2prczufjbCMAb0CBI6a6gXdrQWEfWq3eZrLZaCwj2eHuT21ouNJADUtPS7erzilgzX70lWHJ9kQuA2rrwA4AX9KV36AnBEokMLoh0WtPlJGwCudYoRN8B4VvASIAa8dfbJWikoXwClk6Anb8KuZ6vouWgxqn7N1IvOe7toyttG+zRscGbQK4xCiMPQuSW5f3zWuPw1DCEb/Kn0d+C/BFI/wCaSywjt/umHQQCG9xDhnv8bFJgg7sleMDkJu6F1HsAAe4qi0zxuyF6O8x+Dcpnuo7VdU6DgPTH5G89CZbdk4N/gdzBkzvyfojsA7dThjxx6iw/P3ac85PTFJaKaJpKKplg/217ePe9d7FzYqy1pYCdH4WFZ2HpleV2eeAS3DuKe+hktTrVLcGDJHfoAFg3taV2enaeL3/9Oc6cn7qiq9lcgTPnJvmb773Ae991Jx/7yAeJhEP+ypFHoJmD6tnWMeyB2+Beog82OJBcd3DkGjtakuuT+4vjp/n8l79Fo3ntse9SSl46cowz5y/ybx/7GGMjraHKY/8Ipj8HTsW324Pyovtgg3tX8mnbKxe81hQQ3f3/inVd27TXBzdI9/rutrpuICkh+k5fLbsNzl+Y5HNPffMtye3GYibPf/vcV6mUlvybRAoYek+rT81OX/o++TdsL61wb2t6bRvcCtgHEQoZEyAscBu4zRqf/8pzNO21q9TFbIGvffv7PsFuA8Lv8L1tt95ldvo8eVtUgn2/ILDB3YmO1oS3fJ7LtsFbvt+y9d1tBeu9zrw+1iblxSOvsZhdWvd5/OToKS7NL/jteXbLppcGLMHBFe0Nei/B3mWd7ie5ElCG2gS/fOz0xrovJUdePd2RYnMX2OWOWen3FNhg7y27umr0Lxft9VEtt9fr+IUAB8f1ODu98eHRJ8/P8aFf39/6Z4LXs0ed3hqtXPQWjINbFz7wor0uSetnbllV2p5zoVDF8zZ+afJL1a4EicbAPGhonS9syTh4mQ1epnb7RC6eryVcv9LjOb2p+Lie226zfR4Dg6+bt54EBwi86EGQKyVQa0tbKiJaLy7d2CkMD5kdCXbyDC7JQccG9xB9yEV3O1T9JLclXW4dEGjAjlSYuezGXgl540ioQ3BjfsAqOggve4c+Z7L6SG7QnpMHEQHgvfuTfP2ljRF8/+3JDsHl1wZLcB/qwb2LgwMHZ6U6cD+L9V6uHdY8sD9GxFr/Axa37Qhzy4jaCZPKr3YcxUFMbXa3chzc9qJ7EecGTs7l64NlEuQSuBVwGwyZLgd/fX2fD7Z0hd//QCdpQuko2GmWxfQDmeipFPc+F92W0D5LroQO2Zk2MffdYvDhe+Or/joLgKkJ/sVvDjMa8fx2nAosfa/T54FOspdRUj9scKej/SfXax24Ap4Cnv/Sln98p8VIRPLki0Ucj2siGVH4w99MsntYAadle0vf8237oBHEwT0U4Z4V/Dv5l4AEdzDkBsv1JWg44Pqvfrj7BsEXV9H1ZFiwO+EGbxCF2s+gdmzj12Rd8K/hFpTgFkGye36A5AK+Ta6D6/8/NukGs9fEhYxLvlQnGW7pdGeBnhrBNaHrGvYIPX4EUIIiWG6LB0Fua77htW3x0anV1YOlhKMXGx3nSr3RP4fNmpCdiKQH6P24aEX4Q01Fi6hlvy3SRBe5oovQ7m0DckWL3GB/QWc50Ca3CTh+YaDpwutzq/945dFpjw/cGmSsxkDR2JQv4QjRc+XR42oS/nvtRbe6Dn4vUz/d66Vcvi3dy/y38fj/RecmobU82KZht+3o8TmNprt6gk8tQrnWJGq0jq1MAJfWcRE2CCVw/beqipbQiU8GpJaDbar1jnqeWduLCzwpODYjO2pajvnnMehJblEJ7sTmsiPBgSrup1oOtmk2oek/medKwbFLa/+28NE5jQduKPp/RBxUFQb9GorABm89L5qOClb8j0QNRC0H21Rq7RLfm+kQVXvtiun4okmj2cRUWzeREQdl/cN/1oXABveQ4N6/SEMRLRs8ALUcbBOMhnQb/PxSaF3ddjzBa/N6R003hzbJi+6tlt6QBLc74gFeIMGXqeh+qeVgm0Yd6uVWfwS/WFz/e7Z/Ph/hXaOtYT91C2IDfpGMEkhw2+ABndt7PejdiI5At7RV9AAkV3pQyrfLe+eWoiw11n9Kr6VjOI6NJjw/SrJNMAc4Jku0bHAPm+y9F60IX8ICR7btqMjOvJCt9cEy0SX1orNctJZfa5tCtqOeFzf2ju26q3IiE+6o6bo5eBXdYxvc+y+fKQqdsTN9lFw8Xz1Xcu1Dn8oPEdE2NsTmjWyMX4v7nwygJGB4gGpaBDa4dwz3juDA0W0H630mVwJLi8seEf2TX/1Rb84lSGLVgKYC1oDCpa2ayfK1SqA+la7Xs8hOVitQzzJYJrqcrVYoFKji7lBopW2C5blLq38GeL0oKhAalBQrdELH3qB31aRlEtxnycUDuw6FeXp+y1+OvAo71hd6rRmXedG9QB9s8Aqpyl6TiweaDvfcDyy0po0EE6s9pz6jdZgtEwdfgavGwRuIc6/YtwykQaRBD0ZQCq6Ltxkryta0wT664mDvAggXRAr/DXyw5vQjAmQT/xN/S0AeRBFEd1w6IMkaFBTYoja4hbYNngO3FWqggAgDUZAmCNM/rFBBKi0JbeJ/dsEF0QBqIKotgi/HdUZqN1ruy9YjWOKnKsFXM1eg6k+XcxMkvbr/L/v9JXvndHC+snf+RJ8keBvrwpauB8suG7yN9UEC7latB0PLZ/olU6u9hAy86K0YBwd92pbgDaD31653mazgZ0UnaxurQtsGb0EJ3rbBPYDcymOyYNuL3igCCd5yBHd3altFrx9eqx68NYoNK0jqtgRvDMvqwd1ZoPVf0+04eCuhD2Oyelts2PaiN4agHtzDyud2HLyVsJbXEqwSvX+6cDuTtX6ILZrJEu0ObdvgDaFVD+5lpLQRgtsP7ujCoVQp+71qjoKV2XjPfhlRG/Mfda7lqXkdTVizZXG9TW6E4JPA/QDzCxpl4zy18h2E5h4AMw/KgIaaXi/wdKgnmJ99k5Fwmukzna/YZUrO/Hqb3cDXR72/lkL5fYBjJyJ88KFL/OyV59l9wx3E4ykUpffj+a5nOHaJhfQblAvHmdDKTM75T2lISfPvTleOATbreO3Aug2mBPHZ3x17xdDEAYBIyOW9B8poEY2ybeB527Z4LdAUj7jVYGEOXnk9itu6fqcWm8/+1x/mvwqcAQrA2bW0uyEW/vWD8QP7x83vq4poPxRk6JJo2EXZVtFrguMISlUV1+1QUqx7Z//kO7k/q9juIv7Y4GlgcS3tbljMPnpn/JEHbjX+j6UpN2y0rW10kC67v/ifL+b/cqHkFoELQAM4zhrV9IYHE7+x0Jh85aL9g2RYMcKGEjFUhoQQ18Eg5cHD9ahmyu7rL16oP/2Zfyh8s9KUDWAG/x1Ck/ijF9eEXhlKBdgD3A2Y4zE1rCjbAfFa0LA9J1dd9qBVCV8tN4EpYF2xZ69JsIB9wDjr+Fr1NnDxB4iX8VVyCZhlHZIboF9SJoAwoPfxGNczHPyHVwf4PYFtbGMbWw//H4sSVoS1YoLgAAAAAElFTkSuQmCC'> <div class='header'> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

<title>[email protected]</title>

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Targets

    • Target

      757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4.exe

    • Size

      18KB

    • MD5

      d8e99fcae9a469c2081e7ff01675c361

    • SHA1

      ef7c4358717ec9d04b9adc8e40b1eb928885ebf0

    • SHA256

      757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4

    • SHA512

      cd75242646dde33b7c792e9bf9fe976ce7f2dd1b02c5c97a4cf2f9f80cfae1bd44463fc2b0f9e002d17087358fafa298ca0d4dc4aff17405df95f13099c79b02

    • SSDEEP

      384:rd7gYWDhghSmeSQjkCg3St1bVz1LTwbZxssimS8dHDT:6lg/eLjkCwQQFx8SHX

    • Renames multiple (780) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2_not_packed_maybe_useless.exe

    • Size

      89KB

    • MD5

      0af473977e2b58a3630dc2bd59245127

    • SHA1

      6b1086070e0918c428b4f6688fe2760c9ab9dfea

    • SHA256

      76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2

    • SHA512

      d2f001ed413538368597585483c6745ab1bec058e227ada41937b75435f9456135b876e0ce40249389448b9769a37c3c06233c0d648cfaf9f613e42ad0b92450

    • SSDEEP

      1536:ef/SovFSSZtDgN+DpDkDEFtC+YF8965L+v:I/zv0SZtDgN+Dp+ErYF896W

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_Dumped_TDS=4F9911B3.exe

    • Size

      116KB

    • MD5

      5a580ab3f5b3806da853459e9ef7b368

    • SHA1

      df93c0f0dd694ab49646b539418b67d83eafccb5

    • SHA256

      5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc

    • SHA512

      91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b

    • SSDEEP

      1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_TDS=4FA04B59.exe

    • Size

      72KB

    • MD5

      f0b567179d42d5d4f27d6d9a7fcf183f

    • SHA1

      fb91a4f85ad3576110cdb476b0eb94c2e14a4e1b

    • SHA256

      78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b

    • SHA512

      ca5afd8671f79d1ee55d51aa75330daac87e4cb116b5b8f60d5be2ed1f21a1e0cbd9e4c613a3c20850bfd0bba78358e4289258f010b6d3c8c169b7a80998c64c

    • SSDEEP

      768:Xf+vj1VHjoFW+gh2vHa0uTbPKYlNnYVbUnWfTMuRqj2O4sO2ieFZ0F:G71NoFhDHaT/CukbUWdfO4LFeP0F

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe

    • Size

      865KB

    • MD5

      dbf3707a9cd090853a11dda9cfa78ff0

    • SHA1

      5af5403d8e003812a34c7b085d878680d7130ad5

    • SHA256

      78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669

    • SHA512

      68b1627ed20e6980c32c44df3560fc3eeed37db2c47caaf8db86461c594a5d040a7404be777374af512fe05fcdc2f15a6014a914b1445c2e23adb741db68c7e0

    • SSDEEP

      12288:SCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga+Q9bN9jQl:SCdxte/80jYLT3U1jfsWa+QpN9jQl

    • Renames multiple (161) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f_not_packed_maybe_useless.exe

    • Size

      54KB

    • MD5

      e0c70373ea59baa4422771dde804a21c

    • SHA1

      d9708f709a0e7ad070ee34b4065437e400e5bdd9

    • SHA256

      7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f

    • SHA512

      c9a6b94d091a48d1a294953226fca00089dbf266f81fa60481f9ca468f7c3e9a2460bdd384b070dd6ae8bb778fb0737e196a1870e6f550645b9192f78e9763fa

    • SSDEEP

      768:zchho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPIxPaq77ti:wjoDMYwEINR8j/Yu2pqOd77hPl

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      7B75B33BCF4ECF013B93F84ED98B3FB5.exe

    • Size

      214KB

    • MD5

      7b75b33bcf4ecf013b93f84ed98b3fb5

    • SHA1

      7be5f5dcf6b9519c0f8c8071503b7f5dd66b6386

    • SHA256

      74aa7b73b46d7bd7bc53cb44add9ec8172f2de7831d045e33db06e2d6b916edf

    • SHA512

      96e1253358db1f724b381f9e1e416cc35bf44d94505e8b86508676f997b44be65d3c33c22df9c004652a34170e48805f9b7ba6f2703dd287e8c770cb426c5114

    • SSDEEP

      3072:5W1M+lmsolAIrRuw+mqv9j1MWLQFPBCM+lmsolAIrRuw+mqv9j1MWLQlL:5J+lDAAIv+lDAAmL

    Score
    1/10
    • Target

      7E3903944EAB7B61B495572BAA60FB72.EXE

    • Size

      228KB

    • MD5

      7e3903944eab7b61b495572baa60fb72

    • SHA1

      116930517baab6bdb0829990a43af54d155f5332

    • SHA256

      06e921abf28c4b260c59d61d84a74c3a5dc12ac99a34110ca5480ce61689385c

    • SHA512

      0e29eaea245dd0068d44ff016c5da65396e5ad94aa79fcbe3cb187666b7b21890b22e2a13ac57e4bcfcf39436a7c5fa53a5470a8fae6de7215f297b82ea62ad5

    • SSDEEP

      3072:RKR+u1vFeb+pknH46ZjbVxltW8wylYJiocMor+ROYJPR+9RbA8D79qiNFwEQ7:R4Z19dknH4yFhtocMO+kYlI9tdJmr

    Score
    7/10
    • Deletes itself

    • Drops file in System32 directory

    • Target

      7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca.exe

    • Size

      602KB

    • MD5

      ae38213715e758e3c296715f1ec25aea

    • SHA1

      bf0d7b7d8ab11536e25235f7c18901c9be65fae1

    • SHA256

      7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca

    • SHA512

      fd0bbeaff08301f6e26c878ef59d7be964533075f1b1c6f93f3a03bee048f4587f44fef96cffe709f5f0511b81edeb4d64878be7b6852f5a14aa3318c9ed15e7

    • SSDEEP

      12288:6oHEHblpWz0jPLhEfgP6WMDoEuY7jVWv:6vZPLWffWMDo+7Jc

    Score
    3/10
    • Target

      7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe

    • Size

      161KB

    • MD5

      517d709b1b99fa87ddfe61950a93cf5c

    • SHA1

      2b6da3641ad3c13be272c7e66c938afd5879d65f

    • SHA256

      7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f

    • SHA512

      e23c60821e71704ab77ed8031b025b6ec9065479b766ca9fce2d4e93f1e4e66f7ed821d161890dfd87306408917c82514aaf96506cfc335e2c0bd1166fd1809f

    • SSDEEP

      3072:+dhOdhhyAbz6XdKWf4xEE1ODDl9oz4ilUEPllLBDlWz:+dhw1CZJEQXl9o05EDLBlWz

    • Target

      80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_Dumped_TDS=4F9911B3.exe

    • Size

      116KB

    • MD5

      5a580ab3f5b3806da853459e9ef7b368

    • SHA1

      df93c0f0dd694ab49646b539418b67d83eafccb5

    • SHA256

      5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc

    • SHA512

      91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b

    • SSDEEP

      1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_TDS=4FAAF59A.exe

    • Size

      68KB

    • MD5

      b1024afccaf9847146e611beab995356

    • SHA1

      310a31da48325cea02182158efe0daa2ac6b451d

    • SHA256

      80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2

    • SHA512

      164d5b81008251a454e0cc18ebbaaa3c1ce9f3dd24d45650359db5e4b30f00bd889f88333b2290e86667aa00296dea57f7b016d85f79ba12ea38eb6bd1342244

    • SSDEEP

      1536:h3C4HGFE94jwEG/eO5VEx70AwAWkH+/z13+QDmsrxwSX:hNoESj8p5OeFAWp7p+Qbxr

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe

    • Size

      246KB

    • MD5

      7f61ab7160ccea4f69fed025fbbfdb30

    • SHA1

      88d06d4124bca680bf28dde09cc1c3995002eef3

    • SHA256

      845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8

    • SHA512

      8ff46db7d1bfddef6bab676c1439207a7b755280720bf83406d95a700eac364ef667978a7e538cc3d6e2836487b38ddc34df288100b510e32d16f013ffd07d98

    • SSDEEP

      6144:clmE5hV/XRG4FmeAs32AcNhunE+AWTWk6+wv:2/XRG4FdAs32AeOWk

    • Renames multiple (140) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe

    • Size

      56KB

    • MD5

      a865cae4f9a553fa100932e8786b80be

    • SHA1

      1c691b07fa9c59c1eb6a993723887a9ac08b301c

    • SHA256

      85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f

    • SHA512

      df149155fc97c72f9401826f614dfb16edbf982b64c6fb3d7302526cd9c4ee8368dcfdc666c1c1fe2a522115176042f135723e9390ed4755fb35b4ebddc263e2

    • SSDEEP

      768:9Wf9/O9lXRyz4M9XyTm/O94NOYXkGQ40d4Wg/i+Pet+F/O9LiAU3UF3333efYZCz:9EmRyz4gOmxNOYXF+yzTPSwjH33wk

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439.exe

    • Size

      37KB

    • MD5

      406588f62853601a4f0381ad537b51ca

    • SHA1

      a4a5602c1446a61c653a7bf8ad89558b4761ce71

    • SHA256

      86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439

    • SHA512

      28e019a091c309bb732fa0f3782c763a333ae95e7cfed86424950dac658297e862d707de1328fe50dc8ac2372832c93e6e131db79bf9c9fa91ae58da1fba0bfc

    • SSDEEP

      768:hLNLdNY8E+pRqAyQ3ipHbEMsm/IqJRDftP5IM05kHZnJ6zZQufB9wZOKh2h1:Ij+pRqAyQ3ipHbEMsm/IqJR3IP54JhA9

    • Target

      8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_Dumped_TDS=4F83FCDA.exe

    • Size

      116KB

    • MD5

      3444e41067c52192e3ee1e5f57ddd393

    • SHA1

      cccd89e09c2391f7e6bb8cb972c364bc27cad61d

    • SHA256

      d03d3d4eab25c38eef57493c7494d3a1ffd0147e1fcb2730a97d9b826e15e799

    • SHA512

      81a6729a11b5626fc49bbcdc2988a2a1de0fe9b1805d5ac9271666a12b81a40f4ce932b51014a21f262fd677773a010894deae3b7bc13ab85d142647662b281e

    • SSDEEP

      1536:MnUfv0+ZXqm3S+DQNn1Bp/GpL7F6iCINF8nqZULCYk:Mn6v0+ZX5S+DQ11Bx67FZNF8nqWLTk

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_TDS=4F84A969.exe

    • Size

      72KB

    • MD5

      311f6db6e5a4476b03cf973671e8afed

    • SHA1

      5831825c55e55e9c4127d0ed72d38df060a00eee

    • SHA256

      8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f

    • SHA512

      5d9824902cea653ac84667889b22017b444a1d878ee990fd6f3a5dabb1c288afa1268a6bb795f8b6ef4f856c4a114bca10d1db11643329e5805d8d659792a431

    • SSDEEP

      1536:xiOtoD7Ja3UAZfd5ycu6vGRbelxbJ3uJ4GjAaH:gJa3UAlPyclv4belP3k9AM

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      87a4f3f9f6dc263378f2f01db5f2c988.exe

    • Size

      630KB

    • MD5

      87a4f3f9f6dc263378f2f01db5f2c988

    • SHA1

      dab86879e6e423582fedab0cc00c95882d3c3417

    • SHA256

      5d196e6481f38fa6657d74288fc51b91e273b62ec00100737d0d0cc8f1e8379b

    • SHA512

      b2d98312e827c14702befe05c4262718a2e321a7200f1c08ddaa2517157b4fef960ba9508cec43654c77bec060c998d71f7be8e0b84633531e1cb5cd10b903e6

    • SSDEEP

      12288:AzBsMGrB6kzTKOeW9dY82G+JTlJR8E4TeOb57BIAwP/wyBmrdTOVf8I6jTBwF2dO:ifGIkzGOeW9dYG0pFf0wP/wyBmrdTOVN

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      89fb6d7ff29b0c349c19df2e81028a62a2758c33f2c72b87dc11af4f22d3c6f6.exe

    • Size

      276KB

    • MD5

      0c997c93bf7aac43e8bc22a9ea2fd9f8

    • SHA1

      1c1e46e49c769c48104ee40506c67f738c6978f9

    • SHA256

      89fb6d7ff29b0c349c19df2e81028a62a2758c33f2c72b87dc11af4f22d3c6f6

    • SHA512

      da27770d969800978e3a21a4ff9d887f1cfca8ee33c81cbbd9c61aa5640e1f6535a6189b45f9c498d8e75628714226ff91658ff53855332036124459b34ebffa

    • SSDEEP

      6144:1nsJCTa8fC8OrAk2o90sBDuSeJ5zOSP+N4s7:1nWCTa8fC8W/0sBWJ5zvp

    • Target

      8c591485357e45a09dad3116496e6f686fa11f445a6bea5ef3cd5ed1ac078821.exe

    • Size

      246KB

    • MD5

      04742f7774cda5b58d7e5c1ba5a4e941

    • SHA1

      a8e35ff71e0561268f8c3082bcaa2f314a272005

    • SHA256

      8c591485357e45a09dad3116496e6f686fa11f445a6bea5ef3cd5ed1ac078821

    • SHA512

      726974f82334c474b363d2232f21db2e04730965147e01f9ac5b8f06a44c873e78e2ee7982147c85dffb1eec40fdb445b18b67d4e25303f1dfc672f63f0b9562

    • SSDEEP

      1536:xQqUQQ5fNlzCKxOxwoBg5KE+Y5NpWEibmbkWuEZ8DIPsfie8Sf1wKygNiJK:6NBbOKnoIKE+YpWFCoWk6a1wKyPK

    • Renames multiple (177) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe

    • Size

      4.9MB

    • MD5

      4313fd0a3d2cbedd4570230931833fe1

    • SHA1

      8280f59248747c6901079ac6e52814606ab8cdc4

    • SHA256

      8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0

    • SHA512

      1fd81fb997cbc2973b66a2f95b848dc5813b44513d21189b73a708e9d26b583bebe6bb429c89ecb7dd687262fa4a35abb791f56db3dc884e281b4d056b05887e

    • SSDEEP

      98304:/VKIRQd+TZAJPEoRgWkJgsgv4n/C2QHij4WeoM14s7Oc3b7e6l/R4ze9H:NKo4iAJcoSLi4/C2QHTRh6o/Gy9

    Score
    7/10
    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      900.exe

    • Size

      12KB

    • MD5

      5a43d2db5c8cc3b8ec273aa470ccc931

    • SHA1

      dfcc68945b9daf7e9f49be4837a6934560ec635f

    • SHA256

      2424a7ce5e885bf460aeb8968ceab48057813430973c5a2e27d846553e79402c

    • SHA512

      ffae7fe714667cb44d200f87c36a6f60735926d03ce86dd5756b7e91ab1bd04e7b98dccd1dc0b3f652ea50f5d4c74ffa1f66245052b61e00fd0e8273681a99d3

    • SSDEEP

      192:LvJ8ZxTFrv7bg1d4/QkODGAoyjwlkp7qQT6yNQ+pJYMq6fdw4RI2P:d8zt+UFxy9p7qk3DfC4RI

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (1113) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      911d5905cbe1dd462f171b7167cd15b9.exe

    • Size

      138KB

    • MD5

      911d5905cbe1dd462f171b7167cd15b9

    • SHA1

      bca38ab2f4b461e25e4686cfe523d3b0ed2d1cd0

    • SHA256

      8c42a084278ff8e25f7ee765c37da84da02780da725505108f9eb39cfb05c051

    • SHA512

      c60c274360040b2385fcfbc1f9cbc85cd48c9872d0cadcfbe0343efb16e5401af1b74159ecd29d5adeb519c2818bde022fd21b20c12e4dfb274351733d38b7d1

    • SSDEEP

      1536:IhcFu21x8xUoDq88z/1h5jOla6H7uTnkwwZI0qXAREZ+QOS4D0rtJ/lxABC:7DnoDjbin/w1O3D5J/lxABC

    Score
    7/10
    • Deletes itself

    • Target

      91d24e06572099ba0aa5c20be6b1021fa48e864913fe3676ed05323e6b68fceb.exe

    • Size

      282KB

    • MD5

      f79b517d733de07ee82e5ac8cd9ee192

    • SHA1

      050b21190591004cbee3a06019dcb34e766afe47

    • SHA256

      91d24e06572099ba0aa5c20be6b1021fa48e864913fe3676ed05323e6b68fceb

    • SHA512

      799e55b3a1e04c7c87c7fe6fcb807600975510a7f05fa57f83a9301731a378c1323486343ba880a575aef59faa6e1d1ccc9cea90173b7626228b24ff9d4e685c

    • SSDEEP

      6144:QY4mV5gq4DBKkxa2RNJYw8coEdNqAniTw1sbLp7ByJ7NFPjsnH5+qPZOMbM+juE:OmVmb9Kkxa21Yw8QiJdAJTqNbM+/

    • Target

      92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe

    • Size

      315KB

    • MD5

      8434eea972e516a35f4ac59a7f868453

    • SHA1

      39eff0a248b7f23ee728396968e9279b241d2378

    • SHA256

      92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b

    • SHA512

      308160a34f7074f9a8178ce8ba37f155ba096c7448bc5cd0e9861788e158d2eacdbb329f716bc1b6935db9b26c0bcb9aca23966c73e4114c8ea92e6f53d77348

    • SSDEEP

      6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXve:BswRSslz0P1OdFXJlJ8buXve

    • Target

      97512f4617019c907cd0f88193039e7c.exe

    • Size

      666KB

    • MD5

      97512f4617019c907cd0f88193039e7c

    • SHA1

      24cfa261ee30f697e7d1e2215eee1c21eebf4579

    • SHA256

      438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499

    • SHA512

      cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a

    • SSDEEP

      12288:bB/72HFAQBMiZB7fJJ2qDHKK/K5FJL+xQhrwjeI:bBKqFiT7fJJ2qbKK6F5+xQhrEJ

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (84) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe

    • Size

      151KB

    • MD5

      993135dacbff2607839ee5a76ca06c61

    • SHA1

      c1a9a8cdad293887214605ca0e47f3ddfa4e1a52

    • SHA256

      98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7

    • SHA512

      69472dc86d5d3c44742b209fb0a57ab3afd8f93d0c5adfdcd48c2e4828828309101fcb9500813044712b1bc3e85e6a2ad3e5dde5f3818fb8772f0ff5d0b873ea

    • SSDEEP

      3072:aMAr2Q8LH/r1GgDwheOj9Pm4uX2QZJiU8ypfoAWe:aMAaQ0D1VDwheuhJmJiU8y90

    • Renames multiple (1038) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      9943256.exe

    • Size

      134KB

    • MD5

      25e54dfbce20546da0e8cd8152ee2b8e

    • SHA1

      3f0b80ef090c0b14821309b6110839cbd2312afe

    • SHA256

      4725414537a3605ee6cdd226d189419cc5d3a7df1b092b526b61b8c5e2a59386

    • SHA512

      215f4d5d35153622f159970e0097cde6e00d387f5636a1c28d3de6c0f5f84b61dfcaf4d390464eb888738786a0028d7d6f6ce13a29e07116ad032027428215a2

    • SSDEEP

      3072:r+qf9FUiVdubWibOQNi3MWL4FksNYFfPK:r+iLUwAbpi3MDEK

    • Target

      9B9517FA1515F47A502FE56536236A20BE5BBADF.exe

    • Size

      119KB

    • MD5

      b80a2daca4b5000fae089e655f2fa4b0

    • SHA1

      9b9517fa1515f47a502fe56536236a20be5bbadf

    • SHA256

      e58e7b91af952f56d32d3cb11e82d366f256f40d2e4c846f3aa8cda886bfb49f

    • SHA512

      9e5a24fd11bf542608ca8762ad735de749cfcfdc2bd750ca3f7de20dbc19a2ccda0cc88544261314c8dfa77c5ad2fd6e97af51ceee344794fba1efa49d32964f

    • SSDEEP

      3072:VAsj8MBX8s0oXJE455Vdcws635oUIFNTNC1f3U:VAsBZW+VdK6iUcIfU

    Score
    7/10
    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      9b7eaffe4dffcbd06445d0b32785cdc8.exe

    • Size

      39KB

    • MD5

      9b7eaffe4dffcbd06445d0b32785cdc8

    • SHA1

      af992e2e6c045137b8220c60f534f80da968dd38

    • SHA256

      4137f8c196fdd99a5cd64c518ed27c466953e37b78887954ea192b5595a0a076

    • SHA512

      3639fc1b3ccd57b6a61acecfce8030a7c2c634deb44b75345b5c69eb5cad03a8aecae781b950c254e35f4db248b5e9113fd06412f14ca7a90596985a282e123f

    • SSDEEP

      768:BPXsWRbrIA8vxG/VZ0xcv+n9DfUEGC4ZC:B/s+HUxSZOcvI9DsE4ZC

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Xorist family

    • Renames multiple (2217) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

    • Size

      322KB

    • MD5

      4a6bcd14aee9be6ccd5fd4939f8350ef

    • SHA1

      10a7e4377fdbab12ee66151d3c5af9096bc47b59

    • SHA256

      a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244

    • SHA512

      336c05288cae08c966659b5ca528994ccdb0be55cc2197ee810067242995a3448321a9c1b2355a16c5f4cbdcc4131f2707839e055dec4df2bd8dbb6c5090b7f2

    • SSDEEP

      6144:lf0H8b57WZ87m4eEictcjk76F3OpRsmC:lf/b57WZ8K1ZcenF3OpRs

    • Blackmoon family

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234.exe

    • Size

      246KB

    • MD5

      7ec4fb3737e96c0aef2f98d20013dc5a

    • SHA1

      4e8a042292c4ef20556d4aedf5b3ea0a29d2fbe7

    • SHA256

      a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234

    • SHA512

      849ab6bfd9f61a10d29b727e0bfcc7804653764e2d4a9a01515a48b6ff52e37fd1954715d8decb7bde819bf490563924c3d8e51dcaf8218c40852ffdf9d65eb8

    • SSDEEP

      3072:6NBbOKnoIKE+Ypjf+MGtmhoWk6a1wKyPK:clmE5jfwWk6+wv

    • Renames multiple (154) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

upxblackmoon
Score
10/10

behavioral1

ransomwarespywarestealer
Score
9/10

behavioral2

persistence
Score
7/10

behavioral3

persistence
Score
7/10

behavioral4

discoverypersistence
Score
7/10

behavioral5

discoverypersistenceransomwarespywarestealer
Score
9/10

behavioral6

Score
7/10

behavioral7

Score
1/10

behavioral8

discovery
Score
7/10

behavioral9

discovery
Score
3/10

behavioral10

defense_evasiondiscoveryexecutionimpactpersistenceransomware
Score
9/10

behavioral11

persistence
Score
7/10

behavioral12

discoverypersistence
Score
7/10

behavioral13

discoverypersistenceransomware
Score
9/10

behavioral14

discoverypersistence
Score
6/10

behavioral15

discoverypersistence
Score
6/10

behavioral16

discoverypersistence
Score
7/10

behavioral17

discoverypersistence
Score
7/10

behavioral18

discoveryransomwarespywarestealer
Score
7/10

behavioral19

defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan
Score
9/10

behavioral20

discoverypersistenceransomware
Score
9/10

behavioral21

spywarestealer
Score
7/10

behavioral22

credential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
9/10

behavioral23

Score
7/10

behavioral24

collectiondefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan
Score
9/10

behavioral25

discoveryevasionpersistencetrojan
Score
10/10

behavioral26

defense_evasiondiscoveryexecutionimpactransomwareupx
Score
10/10

behavioral27

discoverypersistenceransomwarespywarestealerupx
Score
10/10

behavioral28

defense_evasiondiscoveryevasionpersistencetrojan
Score
10/10

behavioral29

discovery
Score
7/10

behavioral30

xoristdiscoverypersistenceransomwarespywarestealerupx
Score
10/10

behavioral31

blackmoonbankercredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealertrojan
Score
10/10

behavioral32

discoverypersistenceransomware
Score
9/10