hydracrypt

Resubmissions

22-11-2024 22:54

241122-2vh7gaxmfl 10

22-11-2024 03:27

241122-dzqkcatmht 10

22-11-2024 03:16

241122-dsgc4atlgs 10

Sharing

Copy URL

Twitter E-mail

General

Target

Batch_5.zip
Size

10.7MB
Sample

241122-dsgc4atlgs
MD5

840ef805274a90a6354a0f5d1c6f05f1
SHA1

856f756302fb8559edac0804324c6fec97382d84
SHA256

51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598
SHA512

a1dbedebf1dc9007ea6781116d3b92e052d5110b34bcc83e87d7ba8736d1b9353bfaeb88de6b53f11ea661ef60231ae2280a4a7e54c4c3bd06cbe7f1aa864904
SSDEEP

196608:1iAo5dAtwAQT+rrxa/kHpuI7c/hDU9EPh3VkXI599o9kDD8xCO:1jCAtwAy+rrakDcpDU9uFNgaDQCO

Score

10^/10

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\!!! READ THIS - IMPORTANT !!!.txt

Ransom Note

===============================# aes-ni ransomware #=============================== █████╗ ███████╗███████╗ ███╗ ██╗██╗ ██╔══██╗██╔════╝██╔════╝ ████╗ ██║██║ ███████║█████╗ ███████╗█████╗██╔██╗ ██║██║ ██╔══██║██╔══╝ ╚════██║╚════╝██║╚██╗██║██║ ██║ ██║███████╗███████║ ██║ ╚████║██║ ╚═╝ ╚═╝╚══════╝╚══════╝ ╚═╝ ╚═══╝╚═╝ SPECIAL VERSION: NSA EXPLOIT EDITION INTRO: If you are reading it, your server was attacked with NSA exploits. Make World Safe Again. SORRY! Your files are encrypted. File contents are encrypted with random key (AES-256 bit; ECB mode). Random key is encrypted with RSA public key (2048 bit). We STRONGLY RECOMMEND you NOT to use any "decryption tools". These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price. If you want to decrypt your files, you have to get RSA private key. In order to get private key, write here: [email protected] [email protected] [email protected] IMPORTANT: In some cases malware researchers can block our e-mails. If you did not receive any answer on e-mail in 48 hours, please do not panic and write to BitMsg (https://bitmsg.me) address: BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN or create topic on https://www.bleepingcomputer.com/ and we will find you there. If someone else offers you files restoring, ask him for test decryption. Only we can successfully decrypt your files; knowing this can protect you from fraud. You will receive instructions of what to do next. You MUST refer this ID in your message: UPNECVIU#9280BEBEDB0B889C212330DA0B6F9E4F Also you MUST send all ".key.aes_ni_0day" files from C:\ProgramData if there are any. ===============================# aes-ni ransomware #===============================

Emails

[email protected]

URLs

https://bitmsg.me

https://www.bleepingcomputer.com/

Targets

- Target
  
  AES-NI.exe
- Size
  
  999KB
- MD5
  
  83e824c998f321a9179efc5c2cd0a118
- SHA1
  
  16b84004778505afbcc1032d1325c9bed8679b79
- SHA256
  
  4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76
- SHA512
  
  d1c9fdb653d6b028c16a9d82895b7f03b6f96aecc802ab5104d6a762091e71502e407feea3d3d64f19b9f7c2888b1fb2b1dd5f2909b6e29414d4e4a78b56917b
- SSDEEP
  
  24576:xMhc8sFdkS6BEeL8xYSCy3vIyzlueaBLxGLJe3:Ghc8sFB6WeIYSPAyUHxGLJe3
Score

10^/10

credential_access discovery ransomware stealer upx
- Renames multiple (8186) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  Abrechnung.exe
- Size
  
  103KB
- MD5
  
  81ff324d2023d8ecb98a127b87d51450
- SHA1
  
  acd24c80f6a02f7fe7a388a6779ea49be64674bc
- SHA256
  
  7d9fc496bc0ade736bf75e05564e9c93167362ef18450d75222deef0664f9ed5
- SHA512
  
  38b17683e835e7259a6972d0f920f9ac7f5823591962c624aa795c39c3213d0735bacd76c72b7255be1cefeb9c298ffc31266513f088684969e5e18ad4e0a139
- SSDEEP
  
  1536:o7ZrIoIlP/A765noAXMoiCQ/5NSDy+Ud1IE9vpFARgHsjoCje6fLCy:odIp/A0noAcoiCQ/5NS6ERnECnfLCy
Score

8^/10

discovery evasion persistence upx
- Disables RegEdit via registry modification
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2
- Target
  
  Box (2).exe
- Size
  
  438KB
- MD5
  
  1bb4dd43a8aebc8f3b53acd05e31d5b5
- SHA1
  
  54cd1a4a505b301df636903b2293d995d560887e
- SHA256
  
  a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02
- SHA512
  
  94c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce
- SSDEEP
  
  3072:rE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWWmZ:ImVa8/tmswUB36G9ZvGZQ49jRF
Score

3^/10

discovery
behavioral3
- Target
  
  Box.exe
- Size
  
  440KB
- MD5
  
  698746928e12831d6982b4e260a9da3a
- SHA1
  
  c87945b0f3f19d3fa07f64b5454f588f568a94e7
- SHA256
  
  63a6c3864b0a51c790d8d0312137995eb16710178aaaebfe34fa5e57caff9b36
- SHA512
  
  8680e690337afa911471680aeb0ea6242e7cf68d83043e83b91bd6ffbe0af1af8aac140ecec8958ac6831a4b9f8401ac086e8322d6638144e5501df949594ea0
- SSDEEP
  
  3072:LE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWOc:omVa8/tmswUB36G9ZvGZQ49jR
Score

3^/10

discovery
behavioral4
- Target
  
  a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
- Size
  
  212KB
- MD5
  
  c697914b3e3c115391e5a32e6d8d3a98
- SHA1
  
  b61335cc60ff37680e82c7245ec268d206fc21e2
- SHA256
  
  a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43
- SHA512
  
  dbdd230a9829eeae3cbb7ba7cead7b378661275ca3a97bef7c4d60a7c8a5a475120bda551c2e2d81e69f9cc4f0dc798f9160d2e94d11f1ed3cc9cdf4752ae35b
- SSDEEP
  
  3072:HTS1pU/dvuuCtCxzxXXQu+pbSCu9P+5qd/o1x3wPWnK:HTeu/Zat6gH9un0ePW
Score

9^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral5
- Target
  
  a7768f4973ad7cf8217212a4d12dbae0.exe
- Size
  
  380KB
- MD5
  
  a7768f4973ad7cf8217212a4d12dbae0
- SHA1
  
  143c52e5bf3978c7b1a544ccc9405afd17d77f55
- SHA256
  
  c8ea293b1ad5343dde79c6e095c134e4100fdaf47c84eac5e3012eae0b0125a2
- SHA512
  
  058cc6690f9910ead6441f7128f85cb6669f04a7a949bf0b464b42d7813695cf77f7fff539b742a829464cb1ad41ca0682df120e008095b9739e561f488201d5
- SSDEEP
  
  6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIbN8CCg4mnw8:UzcRD02J4Sq2vHGB67KWKKmDzrCg44w8
Score

10^/10

discovery evasion persistence trojan upx
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Drops startup file
- Checks whether UAC is enabled
  evasion trojan
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral6
- Target
  
  aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe
- Size
  
  550KB
- MD5
  
  e1e589c2c91ca7563f8fb06cf356bbfc
- SHA1
  
  54ac30e96d237ebed232648d8b484579fd7a33d8
- SHA256
  
  aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e
- SHA512
  
  8c440d514c0e0b4587834e40ebe0603f1214a771f680c1a49d69a3dcf2cb799ff4f056faf06402a4f7243b927a296374fe024ecfbb754aa550ef25ceebfc0261
- SSDEEP
  
  6144:Nb/thbA20Budh1Bbm20BloOVAIqDAYQ+:ltGcAYp
Score

7^/10

discovery persistence
- Drops startup file
- Adds Run key to start application
  persistence
behavioral7
- Target
  
  aace43af8d0932a7b01c5b8fb71c8199.exe
- Size
  
  2.7MB
- MD5
  
  aace43af8d0932a7b01c5b8fb71c8199
- SHA1
  
  56422e5cc2abe198198003d2c5bf009c8652a983
- SHA256
  
  3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
- SHA512
  
  c4fdee4e0041a98eba661b41f521ea393e2cf8a2683d7722ba198bbc5d7620600855a773c849b1a24fb0542a6fdaf478b4e66d2ca709663d5665fac1613de2b3
- SSDEEP
  
  49152:HyhKEGeEWYQAsQ36mE4OZYYIqCGA02Ul0UFi28CdNT0BtT:HygEGTRQAsQ36mE4O6rqCb2i28CdNoBN
Score

8^/10

defense_evasion discovery
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
behavioral8
- Target
  
  ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.exe
- Size
  
  216KB
- MD5
  
  70a377690917a98e6ee682f7941eb565
- SHA1
  
  246b1e0d01772a47a5f2032c8642d33d47a11c57
- SHA256
  
  ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de
- SHA512
  
  c384afb2230222115bffeeb951e6e204e99c44ff8d27af58b5660aa084405b1da3ad25ee75179b9f5db0f1ca7ceab070457d314b001c53cc0faa71dd7dfe9709
- SSDEEP
  
  3072:eowSng9e1zcHHgttb9a1XchykGt8N3mff:1IehkAttb9aFchy3um
Score

10^/10

pony credential_access discovery rat spyware stealer
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral9
- Target
  
  aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe
- Size
  
  218KB
- MD5
  
  35f68acc0c3d5761a61975ec77b49cbc
- SHA1
  
  f6d03e713bc9b47265141d9f9b83ae634d43d204
- SHA256
  
  aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1
- SHA512
  
  6a9d131e7c4f310ec77cf3c9c07c75dca279b7ffd6c46b252c559947900f1d754400fc51ce12b8afde86a0fd758e1b68d00a2e5f9144ad019d51bff5c67a4656
- SSDEEP
  
  3072:HfVD9B1hzRAjEdJNCQ4woDZD57Wr3FKajQNR9MiYbuWjqgdcnfKvdHmN5b3SM:/jlVEEbNtoPajxu85cfAG3
Score

6^/10

discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10
- Target
  
  afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
- Size
  
  164KB
- MD5
  
  08b304d01220f9de63244b4666621bba
- SHA1
  
  b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
- SHA256
  
  afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
- SHA512
  
  162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
- SSDEEP
  
  3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn
Score

10^/10

hydracrypt defense_evasion discovery execution impact persistence ransomware spyware stealer
- HydraCrypt
  Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
  ransomware hydracrypt
- Hydracrypt family
  hydracrypt
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (444) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral11
- Target
  
  b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe
- Size
  
  53KB
- MD5
  
  93de5300dabf0711c57cbe31b4c9ef04
- SHA1
  
  4cad182a0cf72c2aff7c1a5b23eb26b352366f63
- SHA256
  
  b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54
- SHA512
  
  52c3e7a2721dac4b65d1b0ca78bd594f96f7adc36dcb9a69515665a039d644b4ce130f73f5eddd452911cac7f60c0af19688cdba57339fdec88c0ddfc574cc00
- SSDEEP
  
  768:4chho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPdxPaq77tio/rM:PjoDMYwEINR8j/Yu2pqOd77hPQoQ
Score

3^/10

discovery
behavioral12
- Target
  
  b7989d9eacb5a8b224fd183f6ba65e4e6bd30a4f0e4e1a299f0d2b63dcb56730_Archive_useless.exe
- Size
  
  110KB
- MD5
  
  efb012885a39dd28c11d1c90376162f0
- SHA1
  
  0b2d18503c969a388dcc58293303c86426018e2c
- SHA256
  
  b7989d9eacb5a8b224fd183f6ba65e4e6bd30a4f0e4e1a299f0d2b63dcb56730
- SHA512
  
  4cf3e37f7a8363f5e64a4e8d3377242857126d9979d1a03dd056bd64af6dfc0e15524fa5d16171a955ac4501c420887021db5046aa0ddec0b965c895f4bfb0bd
- SSDEEP
  
  3072:0XVgiPOH3Uq6NpYwm0XVgiPOH3Uq6NpYwmW:A5OXUqQH5OXUqQp
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral13
- Target
  
  b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe
- Size
  
  518KB
- MD5
  
  4523ccfd191dcceeae8e884f82f5c7ad
- SHA1
  
  00107a6bdc9886e69425b7b0b761dcc8324946d3
- SHA256
  
  b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0
- SHA512
  
  79df12b1abb0d2ddab35e898aa01baaf7ea737fa37331c926b07d0ca478aa9c1c3d14795241e11d7dcff06ec3c5de93b2819cfbc0fd6db5bf6e752c52cfad5a5
- SSDEEP
  
  12288:uPenEoSpi011oQSnRxhmVacKcMxS8JWwEHD1T6hX5IGC2C:SJomi0GnbPcKcNcWwEj1T6hqm
Score

6^/10

discovery upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral14
- Target
  
  b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
- Size
  
  33KB
- MD5
  
  d9789bfbc54d5cb6d52c385fd8f5d288
- SHA1
  
  b8f60c64c70f03c263bf9e9261aa157a73864aaf
- SHA256
  
  c0fcf3ac6b125e985c6574ed7ef1a7929f3be8f6487b68e4d58a48a3b1517b5d
- SHA512
  
  21e81d64136897e86362304666cb0a8510ae2280c432c8b768875d5459b527e2cdafe9a61107433d3ff7ccf8092f3bbc226f9366623c1d39f76445fc490dc4c8
- SSDEEP
  
  768:IPXirrjYZp0Tf6yFz5Om5jPwxgjAqJTKV/Z:I/iTYHQCm5DpjhJTKVR
Score

10^/10

xorist discovery persistence ransomware spyware stealer upx
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Xorist family
  xorist
- Renames multiple (2212) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral15
- Target
  
  bb0e8d9ba927076fbe076960ee7c3b31afa9086583b7358c748d78a55b044a38.exe
- Size
  
  284KB
- MD5
  
  0066c7dc5bb2e34e0ff6782b7a2ac821
- SHA1
  
  9a24a0c7079c569b5740152205f87ad2213a67ed
- SHA256
  
  bb0e8d9ba927076fbe076960ee7c3b31afa9086583b7358c748d78a55b044a38
- SHA512
  
  804cb06a56cc48ae92f3b41a381e6ad06e5d38e93e8921903e32a7f4b06ae4d2705517f0536b86402b203db10a9134c7097cfbc42c0306c24d716b0a11dad5f6
- SSDEEP
  
  6144:icQu7L20QOPNMNYKEdf7Q0chT7WbK1xb5b:d20Q1YKMfE06jb
Score

9^/10

collection defense_evasion discovery evasion execution impact persistence ransomware trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral16
- Target
  
  bb89efd602f3ddae8dc8c804053c5800c6628dbc7073c46bb3d268261130ba59.exe
- Size
  
  282KB
- MD5
  
  16a0eda7553c6011fbee64cc017e35a7
- SHA1
  
  de3c25f2b3577cc192cb33454616d22718d501dc
- SHA256
  
  bb89efd602f3ddae8dc8c804053c5800c6628dbc7073c46bb3d268261130ba59
- SHA512
  
  122e28741ab6e1092053a27f192ac6e47e7236e78eb56693fbfd9359ffd6097e5bd21a56528ae76a624dec76f10780397e698e1bbf3c3f74ab46d1ea1308894c
- SSDEEP
  
  6144:/Y4mV5gq4DBKkxa2RNJYw8coEdNqAniTw1sbLp7ByJ7NFPjsnH5+qPZOMbM+juh:/mVmb9Kkxa21Yw8QiJdAJTqNbM+u
Score

9^/10

collection defense_evasion discovery evasion execution impact persistence ransomware trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral17
- Target
  
  bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
- Size
  
  791KB
- MD5
  
  d1e75b274211a78d9c5d38c8ff2e1778
- SHA1
  
  d14954a7b9e0c778909fe8dcad99ad4120365b2e
- SHA256
  
  bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f
- SHA512
  
  1ec3fbb0bf17d4ad6397ba2e58daa210745f10f88f6722971464a6eeb7573f49be6d65e70a497002d6d00745317f11442bdeaf999b91127b123c11dfe9b088c2
- SSDEEP
  
  24576:l2RNuxIAdOx6mNoGSyGMjc6XaMAy9xg5tMZ/Z3RPpEYrTQAU:rIG+lbGuntxktM15RPpEYrTQAU
Score

7^/10

discovery persistence spyware stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral18
- Target
  
  bd2d4d43009623941f49554f5932188154fc9d16d820e00db1281d057468b017.exe
- Size
  
  54KB
- MD5
  
  f0be874585b7ed666de5edb88ccb1107
- SHA1
  
  9121c2e1e96cf87e5f9bab3a2dbd4b578bc5b438
- SHA256
  
  bd2d4d43009623941f49554f5932188154fc9d16d820e00db1281d057468b017
- SHA512
  
  f8941d32af25ba6f9f6907efd64265bff8e4884003c65410acd8f6dbb4e5c46f308e9bf0be5e7738f16bbb6dffe8adb2c61b4576ec754a7e5026741eb998d7fd
- SSDEEP
  
  768:UYQW5/spNck0lUzPrU23Wsq91si1QGb6LNyF2kbWsiPfNa133CiMRKeFyZc:UYQW57kCUzbFqvyyFhl2gpyVcrc
Score

1^/10
behavioral19
- Target
  
  be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_Dumped_TDS=4F8C315F.exe
- Size
  
  116KB
- MD5
  
  50e3871f540b228941b8ef76ef0d543e
- SHA1
  
  ba51fc4ecff55d7c504db666d970490118153afc
- SHA256
  
  160e7c9806857f1dfae4191a338c4e9341f1f589b6ed72f4cf6e10db483e3af6
- SHA512
  
  16acd834a04b43eed8954d74a884032ae73439ffaefaf51f043fa19a7af7a71cdcf19a752d67194f6b15df1272947bd5522895a266e971a3e241d34aea79bf7f
- SSDEEP
  
  1536:df/SovFSSZtDgN+DpDkDEFtCw0YF8965L+vpCYC:J/zv0SZtDgN+Dp+Er0YF896WpTC
Score

7^/10

persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral20
- Target
  
  be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_TDS=4F90A68A.exe
- Size
  
  59KB
- MD5
  
  db4161aec038c9c18a03636304083a0e
- SHA1
  
  096f0dfd110366a56cc5cb4b940311b13687663a
- SHA256
  
  be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d
- SHA512
  
  4330d31c2c014cba3981f881a5209c17e9321e634436dc83ee8765c2461376f54c971d85d3bdd4c70fa33f5c015d5d41e788cf087a9c3c8f737a172dec918147
- SSDEEP
  
  1536:tK25W2YiTR9vZWsU2c0yChDadK3352M849X:thaiF9vZQ2XNpau52MhR
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral21
- Target
  
  be514549a2e654706aeeaa15c8cffce504f0e271c904fe07d865f3999ebaa61f.exe
- Size
  
  9KB
- MD5
  
  0c526b77abfe8d54363e3d14aa28acfe
- SHA1
  
  3239434398da123454635d8fdb0bedc9f40d831a
- SHA256
  
  be514549a2e654706aeeaa15c8cffce504f0e271c904fe07d865f3999ebaa61f
- SHA512
  
  6c201b45e2041d3f96b05e0275c7e1164ea481b704b49767d2decba19e1587fc93ae54078c89fcb6d937de345697fe7196e49cf8245a53b8f519fa63970b40e4
- SSDEEP
  
  192:DKsF20IA6HAypQRr202tR+6raWP4xqLtSQlH:5Uj1gxV202Xyy4xqpSQZ
Score

9^/10

credential_access discovery persistence ransomware spyware stealer
- Renames multiple (7876) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral22
- Target
  
  bfb8f7f6cbe24330a310e5c7cbe99ed4_api-ms-win-system-wer-l1-1-0.dll
- Size
  
  440KB
- MD5
  
  bfb8f7f6cbe24330a310e5c7cbe99ed4
- SHA1
  
  cfb97a66c90bff92b5d72eb9e81b2e9d8013b66d
- SHA256
  
  a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05
- SHA512
  
  f8a4c341b50a37b15c8a11979d8b0ce82c33fb4fd6a9749b4c561db84627e850f8fc23778f78d085b218ea40cdecf05864e68b73f5cc606d7ef30a0454c09550
- SSDEEP
  
  6144:muStbEUJp4qjMO3QZW+PeT9JiPZCL/qrS9spyM:dStbJaE+NCLEnp
Score

8^/10

discovery spyware stealer
- Blocklisted process makes network request
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral23
- Target
  
  bldjad.ex1.exe
- Size
  
  132KB
- MD5
  
  b1c88e7ed0edb803ead0c0eeeef53935
- SHA1
  
  ddc529d37589d68e9013327e57d3cb15ddd6b406
- SHA256
  
  3fb245ab1427cb59a359fb2e910a3a8e7e4535114cf61469001d740305e97200
- SHA512
  
  129ade5293e0c5f0d5a1ad0dfde0e6e0f5eac5f3031f9d57d855a368e034dda932fca4f6d7020d111e463a37fd3da3ffc3405ec750e3a0dea5113a26ce316cd0
- SSDEEP
  
  1536:/udS9WayNWqE9pDV6PSPP7dl5vUOENrlSN+jvNYvecy1q2sJ6Ysktv8FkXAk3RCG:/R9jyMqMVmcdlONoNklYvhvGklRWAx
Score

1^/10
behavioral24
- Target
  
  bldjad.exe
- Size
  
  132KB
- MD5
  
  b1c88e7ed0edb803ead0c0eeeef53935
- SHA1
  
  ddc529d37589d68e9013327e57d3cb15ddd6b406
- SHA256
  
  3fb245ab1427cb59a359fb2e910a3a8e7e4535114cf61469001d740305e97200
- SHA512
  
  129ade5293e0c5f0d5a1ad0dfde0e6e0f5eac5f3031f9d57d855a368e034dda932fca4f6d7020d111e463a37fd3da3ffc3405ec750e3a0dea5113a26ce316cd0
- SSDEEP
  
  1536:/udS9WayNWqE9pDV6PSPP7dl5vUOENrlSN+jvNYvecy1q2sJ6Ysktv8FkXAk3RCG:/R9jyMqMVmcdlONoNklYvhvGklRWAx
Score

1^/10
behavioral25
- Target
  
  bldjad2.exe
- Size
  
  179KB
- MD5
  
  305811f060ff21aad8d8cd872c1e89e2
- SHA1
  
  32cba371f3021aabb76791992b7109e52fee2325
- SHA256
  
  97e1dd8169a82282ab889ab8b21b78eb64af975d66b136a19252b9b44352cb58
- SHA512
  
  ace79c93e2137410e02c29280df566d52a9b74d0759f6b5e25930834377c1cb7401fe963df896b60a55c9c67955c5e3ec232aedd87f91f9b5b7d7c76d4575644
- SSDEEP
  
  3072:7oaXHWASj9Fxb9ziS9z7ACPUiwFVb3fSpVD2s+706aeUTQjNSwUbJMwQuUEXszln:0aHejjldiSJtU9Zqf2s+7jaeUoNSwUJI
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral26
- Target
  
  c145a26dd6d200080c16300456e7c0bc95f2b71f56d94136619e239e466a04a0.exe
- Size
  
  26KB
- MD5
  
  01a18db18af5cd780eab9bbadd881e8c
- SHA1
  
  36728334c4d1bb927310e0f1268b3890f2bd2457
- SHA256
  
  c145a26dd6d200080c16300456e7c0bc95f2b71f56d94136619e239e466a04a0
- SHA512
  
  ea81c1340b8ddbd9a6e796ddb5b18e55c575ac974dcf66ad40ff188f85ae630fe68fa58c2bddd0aef859b5e3ea31b01ed2ee025c49d06e7a6053bb469de0dffe
- SSDEEP
  
  384:fyHccS+efqM7e5at0CdiSw+L0mNBrJKJ0wmQVrIUzf0tWqPWNnokwkwAetW:KHJkqM7eERYSw6ZTwHFIUAsqm
Score

3^/10

discovery
behavioral27
- Target
  
  c325092750dd55898c47be7ec8a7622c3bf8d1a79c40b160ef7901c2ef18f5db.exe
- Size
  
  1.6MB
- MD5
  
  82990aad8c1a1894d7b7fd56e78c3a6b
- SHA1
  
  8874204f4247232a98cca34e2387a3bd2a47d4ae
- SHA256
  
  c325092750dd55898c47be7ec8a7622c3bf8d1a79c40b160ef7901c2ef18f5db
- SHA512
  
  afe8d2d40e09863e17a725e42ccca1368cc2737c1234f3b6219399a5c4cab765486efe34a92561cc126aad7e0cf51f5cb77fe64d0105b84342f2f345b80ecfa9
- SSDEEP
  
  49152:j2L+FHeMX+8S31Ife70qkBxRXAmnTa+Gq:hXKIfVqWXAcabq
Score

3^/10

discovery
behavioral28
- Target
  
  c36c46f4de045ef332decc006694db6e.exe
- Size
  
  137KB
- MD5
  
  c36c46f4de045ef332decc006694db6e
- SHA1
  
  35e869facb8d72500cbf4f92bd89a64d2964899c
- SHA256
  
  4869d9a1cc95998879b95c141f1ea30518d3ea0a0dab9fe5172f80332e1b2df8
- SHA512
  
  54ab54348f193dfb8ca39af215f5fea39c85bd9c4869a5f29cefbf76440056eefaeb016b4f49fb4a1b2ef6c6ad839d07101ef48b59ac7fb44737cece66dad1d7
- SSDEEP
  
  1536:0krzRCHw9oa1KNvn4sBHoD/puuNNsFyVRYdvdE4zxNXGH8t/+rDCF:VrzwQ6akR4YIxNrRYdv6qxNXXEqF
Score

3^/10

discovery
behavioral29
- Target
  
  c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704.exe
- Size
  
  56KB
- MD5
  
  c386730bdddbb25dc6eeda9702c1effe
- SHA1
  
  2caa8dbd49b3bc07b4e2d6a4f30ae8c1ab3e07f7
- SHA256
  
  c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704
- SHA512
  
  e3fd8e8ed88b4eb8453e46407fa467d022c866f399a472f29951793008363f47fae7c9fb0a34bc79582fac3eb4a3e7c10a4509a4bbcc69f42f7c992f9d205957
- SSDEEP
  
  768:G/RZ9izj7h7723SVtXlD0NZewuqE7oOGX5/XtMpCrXZZW4wFxsqdxRp+rwFv:E9UV723SVQNZeP7oOGFtMpjsqDRlN
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral30
- Target
  
  c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3_.exe
- Size
  
  2.4MB
- MD5
  
  3a37931a0c7f2c8ec5c38b04380c69e1
- SHA1
  
  61ac0d9783a744dfc02f4b6dd880c82e24a274b0
- SHA256
  
  c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3
- SHA512
  
  9be09704ae50a657793ddee577e69967483858aa42c92eb3403c79a195c2d11a6f84f274cb6c5e8e357b9e8627ae347d9a11a39d1549a15690765dcf1f3579da
- SSDEEP
  
  49152:Ga8FL30rOQwir2OUXnfgwHrTi4UtqaAR1hbpTye21OR+jFlpuEKD:GaSL3KvSRnfX6qa61FdaOR6lpm
Score

7^/10

discovery persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral31
- Target
  
  c8462829871b7bdb005f4dd881d253aa255a1b2f6f3d89edb1d609b51f5d04fd.exe
- Size
  
  1.5MB
- MD5
  
  00e3b69b18bfad7980c1621256ee10fa
- SHA1
  
  b6cf6789c3b19ca82d12655274df7f9c302da794
- SHA256
  
  c8462829871b7bdb005f4dd881d253aa255a1b2f6f3d89edb1d609b51f5d04fd
- SHA512
  
  30cab0ba2a1e7a8d8c2da100c1eb7e06cb36012a7f67cceee1c3388d718c29d7a3f5543a3c41e7d07aaadde14bee873f4c9b29301460d7f473e2549830576ff9
- SSDEEP
  
  24576:8B8LCHrjTWTHTkRDene4Xgez7d7A8AA6os3xyloB183SlrwCLk:y8OHz8zkRDeeigcfBDo0ocCLk
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral32