crypvault

Sharing

General

Target

Batch_7.zip
Size

6.8MB
Sample

241122-dyw1qszkhp
MD5

77e8eab2073a789150dc3eefb0541f1c
SHA1

e2a21748a32116967087f421e91b1e4afbe38dc5
SHA256

17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd
SHA512

a9e462f5234ac18ef699243383ce3538ae0d1069cf900e5cfae132049a3b13bba783d61ac325348a1aaa2187095896864919916e8daf8c924bd22180974c0f1c
SSDEEP

196608:xu+epCgmrd0rEVf4ZxvoFApfzStfGGaPA:4+0mr+EOYApA

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\360390_readme.txt

Ransom Note

ATTENTION: All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.5 BTC (bitcoins). To do this: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.5 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.5 BTC to this Bitcoin address: oJHR97yvh97wrjvwlkrcnqrp79w9rvqnrvj 4. Send any e-mail to: [email protected] After that you will recieve e-mail with detailed instructions how to restore your files. Remember: nobody can help you except us. It is useless to reinstall Windows, rename files, etc. Your files will be decrypted as quick as you make payment.

Emails

[email protected]

Extracted

Path

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.html

Ransom Note

<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="content-type"> <title>jaff decryptor system</title> </head> <body style="background-color: rgb(102, 204, 204); color: rgb(0, 0, 0);" alink="#ee0000" link="#0000ee" vlink="#551a8b"> <div style="position: absolute; top:0; text-align:center; width:100%" > <h1 style="font-family: System; color: rgb(102, 102, 102);"><big>jaff decryptor system</big></h1> </div> <style> .center { width: 1000px; padding: 10px; margin: auto; background: #fc0; } </style> <div style="position: absolute; top:15%; left: 30%;" > <p style="border: 3px solid rgb(255, 255, 10); padding: 10px; background-color: rgb(223, 213, 209); text-align: left;"><big><big>Files are encrypted!</big></big><br> <br> <big><big>To decrypt flies you need to obtain the private key.<br> The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet<br> <br> </big></big>❶<big><big> You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en<br> <br> </big></big>❷<big><big> After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/<br> <br> Follow the instruction on the web-site.</big></big><br> </p> <br> <br> <center><h1><big>Your decrypt ID: 0582710216</big></h1></center> </div> </div> </body> </html>

URLs

http-equiv="content-type">

http://rktazuzi7hbln7sy.onion/<br>

Extracted

Path

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.txt

Ransom Note

jaff decryptor system Files are encrypted! To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en After instalation,run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/ Follow the instruction on the web-site. Your decrypt ID: 0582710216

URLs

http://rktazuzi7hbln7sy.onion/

Extracted

Family

pony

http://startwavenow.com/gate.php

http://hollandfintech.net/api/gate.php

Extracted

Family

warzonerat

195.140.213.91:5200

Extracted

Path

C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html

Ransom Note

<html> <head> <title>-</title> <style> html {font-family:Consolas;font-size:20px;background-color:lightgrey;} div{ margin:0 auto 15px auto; border:1px solid; background-color:grey;} p,h3{ text-align:center; color:white; } #R{background-color:darkred;} button{padding:10px 15px; margin:15px;} </style> </head> <body> <div> <h3>YOU PERSONAL FILES HAS BEEN ENCRYPTED</h3> <p>-</p> <p>Your data (photos, documents, databases etc.) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The privete key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.</p> </div> <div> <p>The payment has to be done in Bitcoin to a unique address that we generated for you. Bitcoins are the virtual currency to make online payments. If you don't know how to get Bitcoins, you can click the button "How to buy Bitcoins" below and follow the instructions. If you have problem with this task use internet.</p> <p><abbr style="color:red;background-color:black;">You have only 1 week to submit the payment.</abbr> When this time ends, the unique key will be destroyed and you won't be able to recover your files anymore.</p> </div> <div id="R"><h3>YOUR UNIQUE KEY WILL BE DESTROYED IN 1 WEEK FROM ENCRYPTION!</h3></div> <div> <p>To recover your files, you must send 0.1 Bitcoins ( ~$37 ) to the next Bitcoin address:</p> <p><abbr style="background-color:white;font-size:35px;color:black;">15F5FM7qMhLQ44RDxuozbKRwSbHKmq7N39</abbr></p> <a target="_blank" href="https://bitcoin.org/en/getting-started"><button>How to buy Bitcoins #1</button></a> <a target="_blank" href="https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)"><button>How to buy Bitcoins #2</button></a> </div> </body> </html>

Targets

- Target
  
  DUMP_00A10000-00A1D000.exe.ViR.exe
- Size
  
  52KB
- MD5
  
  6152709e741c4d5a5d793d35817b4c3d
- SHA1
  
  05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e
- SHA256
  
  2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2
- SHA512
  
  1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390
- SSDEEP
  
  768:UR/FcohAQFBY4JzKNkN3QZ0gGINlVOWcm:U1PhAQztJWNeCVOWc
Score

7^/10

discovery persistence upx
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
- Size
  
  176KB
- MD5
  
  b88fd69b53a6e4587d9e95a0c6061141
- SHA1
  
  728281eb2bde83701f379797f1b2e36765429543
- SHA256
  
  ebea4a46175b0e9c24e74b774f9ecfb036030f916ec5f2fced34fcb6c1f3ba57
- SHA512
  
  5105c000a7d0c2d68feb00e4f7de77b5afe58347b5d0c24f64346ec3bd8f684f1087ef8559c568f19ef47c301c7675cea0bf91d5551aeb38c89e23a114421aba
- SSDEEP
  
  3072:OCHM30xGHntNzuOIPEerSoKx1B2vUNc/H7BJ4gKraLKQ5oGqDQuRGBiY50pOwP:tMntdcKoWn2vzbvWm3ADQNwOo
Score

10^/10

discovery persistence upx
- Modifies WinLogon for persistence
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2
- Target
  
  Dumped_.exe
- Size
  
  72KB
- MD5
  
  afc0e1b3c683fcfb276f8e054d733945
- SHA1
  
  a1ef6e368f78bc147c2ee70449917f3929d669ed
- SHA256
  
  86a4ec02684bfd8a055929b0aa6f687bd54e80da0ed689be4e315adf76edbbcb
- SHA512
  
  68adc819478468c55e85d9cb476b94a363f7d90df1697cd1a1814180ca1dfb47cba4f584d6706330c7d7e2b1e26092c780345cb59bdf736daf4616f06fae7ce7
- SSDEEP
  
  768:0Nt2Lmmi8euodnS53h1O8jFQ3tuL7EAj+WTbibIKFQnjVPoxPaBF77tiU8r:nLZOQRM8Jg12+q7LnjVP0U
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3
- Target
  
  EntrateSetup.exe
- Size
  
  261KB
- MD5
  
  cd6258b33207e85f20fec5f39d9ba09f
- SHA1
  
  fc132ed8922a767061abfd372dfb6f23bd8c0b62
- SHA256
  
  103bc884dce60ec680dd00bcd2d45721319b526b2f6ae7ebe75c73a5c977dafe
- SHA512
  
  2d0f5c0ee81b050fa99dc40fd5ea1864ae68f4d08a7610ea08f8c99e589d90d917a009ff25286d4351b133cf466a408e442c99a8b8cca99d81a81af8e4c6ab49
- SSDEEP
  
  6144:oxagl7jMOfUsQgatPpi9SQG7q94Al6HnIpOLoG7SYQ5SFZ:oxagRjM+JQ1Pp2y1Al6HesZ7Sl8Z
Score

9^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  ErrorFileRemover.exe
- Size
  
  2.4MB
- MD5
  
  dbfbf254cfb84d991ac3860105d66fc6
- SHA1
  
  893110d8c8451565caa591ddfccf92869f96c242
- SHA256
  
  68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
- SHA512
  
  5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
- SSDEEP
  
  49152:6kAG2QGTC5xvMdgpdb1KRHGepUu2cGbqPs9+q2HRPTnFVSLE:6kAjQGTCnvMmpYQqPNRPTnF4Y
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5
- Target
  
  ExtraTools.exe
- Size
  
  280KB
- MD5
  
  0210d88f1a9c5a5a7eff5c44cf4f7fbc
- SHA1
  
  83bff855966cf72a2dd85acae7187caeab556abf
- SHA256
  
  06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f
- SHA512
  
  42445a8d1a3662e16ee1f5129b8792a47c8b17992940e1ba97a96c11d038d0d5088ca00719c6031e204adefbb18672c58113ac5de66b016a63e330b672fde132
- SSDEEP
  
  3072:il+Lkqpd5vh6+RDuUZbEl+Lkqpd5vlpcslRnXfFdRIVLdkVz1ZIGWSt8t81U3Uxu:Ppd5vhrDuUZxpd5vbXfNSLdkryGdY
Score

7^/10

discovery
- Executes dropped EXE
behavioral6
- Target
  
  F45F47EDCED7FAC5A99C45AB4B8C2D54.exe
- Size
  
  86KB
- MD5
  
  f45f47edced7fac5a99c45ab4b8c2d54
- SHA1
  
  9060189dd95635c5f75d7f91c9bd345200e83028
- SHA256
  
  0529cdbc893fee664d3ac540b1e41e184797e0770808254058fc21de0a10b6c8
- SHA512
  
  ecf1ae299d0525f86b8c398d06b429164a10d6552caf08710567680ba670bc0c918bfff1807214b33a177202cbe8eeeeffa1396b91e697aed4da91fe81f523d3
- SSDEEP
  
  768:4H5GP9db20gWEF5mx1pOtIWoZzP5N1jydBWGwRYuKlYsVSsVSSVSENVSjYR:Uo760g95mRhZFrWBWvrs1/LNIYR
Score

10^/10

discovery evasion persistence upx
- Modifies WinLogon for persistence
  persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7
- Target
  
  decrypt_0000000000000020-000A0000.exe
- Size
  
  611KB
- MD5
  
  c81f5b5e057b4a3c7eee9e4d1c4abd53
- SHA1
  
  949af2ac0176ae4bcc4c07a41e26094f8ed301aa
- SHA256
  
  94f36b586379137a58862ca46cd1cd6c01c20ea9f56755f7b193f0c97b7a57bd
- SHA512
  
  541892f2d23a1d3c3324e721764a62aed8191e4ff47ba681684aa251842337b8a8e78d72eee98c73d70bb917e19724ec9671259022b21faad324734fcf462a92
- SSDEEP
  
  12288:LSY9aHA9OWHFzHaqxSjxspvZhsKsh+M7:hiA9OWlz6qmx8hnsh+u
Score

6^/10

discovery persistence
- Adds Run key to start application
  persistence
behavioral8
- Target
  
  dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
- Size
  
  182KB
- MD5
  
  1105f1e5cd13fc30fde877432e27457d
- SHA1
  
  108f03f9c98c63506dd8b9f6581f37ae5c18de23
- SHA256
  
  dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d
- SHA512
  
  49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373
- SSDEEP
  
  3072:nO2W3zwMGWxLNjglP4cdkYsxSehTr76bJnhL:O2izwWlFuPP2xSehX6Fx
Score

10^/10

crypvault pony collection credential_access defense_evasion discovery execution impact persistence ransomware rat spyware stealer
- CrypVault
  Ransomware family which makes encrypted files look like they have been quarantined by AV.
  ransomware crypvault
- Crypvault family
  crypvault
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Deletes itself
- Drops startup file
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral9
- Target
  
  dircrypt.deobf.exe
- Size
  
  321KB
- MD5
  
  d224637a6b6e3001753d9922e749d00d
- SHA1
  
  bacb2313289e00a1933b7984dd1cbef01c8019ee
- SHA256
  
  9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263
- SHA512
  
  08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0
- SSDEEP
  
  6144:rHpp6ZEmJSr/49JSpIGOGsX5HWY7ydvxHlcaAy0iWYOcG4BDhnxD28ixv7uDphY+:zuYQJUaGsX7/Qwgylf
Score

10^/10

discovery evasion persistence trojan upx
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral10
- Target
  
  dma locker 4.0.exe
- Size
  
  315KB
- MD5
  
  18ef6bc988d99b2ec1e91daec2619f72
- SHA1
  
  ddb7bce5fd44d1b3a1d38dfccb8d5b23ae5ed73b
- SHA256
  
  53a0dc85e447c58cb8d7c7e00381c8548878390c7a1443326625faa2b461ebe8
- SHA512
  
  02d30a6ac6a9fddc9fe542d19284e0398e1b6b329eff0c0d1410a5568cf87fb7b3c2e7d548c111b7e0fb41e4a5aee2d14678b3be11e11bd33c39477840d1ee6a
- SSDEEP
  
  3072:uon0fbxl3q7UWEj8FBqLXtCovWZ9crTb2aa1ppUPZCvW2Zg5JpdNCympz/CpUERj:1wl3eB6XtCMWZerWDvUhCvWl5NF
Score

9^/10

defense_evasion discovery execution impact persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral11
- Target
  
  downloader.js
- Size
  
  8KB
- MD5
  
  2fabecc77b10b39ff03f221f39f50c6c
- SHA1
  
  e66ab4015c360a0f0866ea840dbeb2ef4953c86d
- SHA256
  
  f6e2c1b42ce68165fd2cd8580daf47d594c4960fc8fb5cdbf1ec210e3ffae87f
- SHA512
  
  9c8bcaee59eaa6d9738caf9a61214e098438e5ecc352e8faaa7972625c3bce3f00eece4bd7b43587b09a5ef66c93778b42d0b39a7ef46aeca5d3f7da2a43384a
- SSDEEP
  
  192:E4/wMMuUYDKe5enZr2CU0eC+To2fOO0spxetRut64pB6BS:bMufcnZr2CU0etTaO7GtRut6UMQ
Score

10^/10

execution ransomware spyware stealer
- Blocklisted process makes network request
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral12
- Target
  
  dump.mem.exe
- Size
  
  53KB
- MD5
  
  22c7f529c6da6da1d063daeeaea41d71
- SHA1
  
  e24872be78361eb23ab5797aff421a6c7561e235
- SHA256
  
  ea3745e02a69f4123e06115b3abeb8dc6930000ed97d8a55351641b76b4d5e1a
- SHA512
  
  d93e581d158bb7d23d42cca59704ae1c1a1ba3846833dc76bece113360b319381a97d8a50d3d9cf02ac0f710e763057699e95c1843c00a5971dc1feec42386ae
- SSDEEP
  
  384:v3Arp7pMcV+D7xMkycTUFkY7XnxO/hH+mbtv/f5E8mGfF2A/:vSpdkyF57XabtHf5EEdp
Score

6^/10

discovery persistence
- Adds Run key to start application
  persistence
behavioral13
- Target
  
  e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe
- Size
  
  89KB
- MD5
  
  276e5289101e0536abf03736217f9fbd
- SHA1
  
  2631f18ca5631d265c6e4ffc8eb1fcfbcf1c68bd
- SHA256
  
  e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32
- SHA512
  
  fa7f39599f9aa689f7944930704106a6c294715a9d0984cc0624aa666da87cdfc4315b865d07874674ba14cf91df43dd54f15fc4ed2f18c3acb9ed0a5119765a
- SSDEEP
  
  1536:Af/YvFSSZtDgN+DrDkDEFtClfF89lGL+v:m/Yv0SZtDgN+Dr+EcfF89ll
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral14
- Target
  
  e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.exe
- Size
  
  54KB
- MD5
  
  4b24f2c99d93b86bd0d8a1445d976092
- SHA1
  
  6ea9246fd85cf2663ca6fc7e97b7bcd11d25551b
- SHA256
  
  e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad
- SHA512
  
  43c9bc692edbc5151518626008eb33e14b7d6b80ff9b457a0d0702ef2d5b86b33cab0df8a22005182a56aa6a4275458b5a0edb18af4aa759e60be75b88ac792a
- SSDEEP
  
  768:1YQW5/spNck0lUzPrU23Wsq91si1QGb6LNyF2kbWsiPfNa133CiMRKeFyZR:1YQW57kCUzbFqvyyFhl2gpyVcrR
Score

1^/10
behavioral15
- Target
  
  e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
- Size
  
  33KB
- MD5
  
  0d2c400c967b3df9f1c5e193e9ffe482
- SHA1
  
  2b09bd6fb74d067e107727a7494ddd33eba47338
- SHA256
  
  e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a
- SHA512
  
  55366092f2c6d036ac23b7832a59eabb78e31c9dec1a390fadc2173e3cbccf064ec657f0df7303769ed6769437c193c2d589f2760d82dda45b6b274e805f35b4
- SSDEEP
  
  384:XKrBEMQmrwynWHmetF/2zmb/yzU0JBECvQgdxyllliReMGm4hEEZGIG5YBg49YZT:FMpBWH3HdbOygUhobYBraZs2SM6Q
Score

10^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (4027) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral16
- Target
  
  e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe
- Size
  
  54KB
- MD5
  
  bc6a67d5665ccfba24c093da2a606d9d
- SHA1
  
  5bca38d447165307087df43912f4b15b43c934a2
- SHA256
  
  e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc
- SHA512
  
  5b25e0b84414cfe3ea35948d82274b73f1d993c2403503572fc6fb4520bfeae64ee55d014887db1667419f6847720e4b12bfc6c227f68e22d2d42f193d2ad820
- SSDEEP
  
  768:emX2MKhRw7+am7nx3h1OPG0H+l65Fuj0AjmWTbsbIK9QnjVPO1xPao1X7tiHC:egKIqamtRMPJQoh2mqxTnjVPti
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral17
- Target
  
  e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe
- Size
  
  196KB
- MD5
  
  c82617e2ea031d93d5c2ea8165656753
- SHA1
  
  62e495b8e7bf597cb5fac48828f808d46f064930
- SHA256
  
  e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d
- SHA512
  
  36766d8d98348926ed49e40a88e3ac928de8f2bd415bbe955aa73edb0db943f20c0d2e92b955bbd1d93ca2db316c6a421066993c3ce675d4597bc397110fd563
- SSDEEP
  
  768:JQ092dvBhHL+Txzm9xrHefCQ+LKSYTPlSfDj017JaS8+LvH5:C092ZjHezmTrHUoYzNT8yh
Score

1^/10
behavioral18
- Target
  
  e8e07496df5370d2e49ecce5a47c1fd2.exe
- Size
  
  181KB
- MD5
  
  e8e07496df5370d2e49ecce5a47c1fd2
- SHA1
  
  caa07048b079f148d704a49a0d44cd299a3db380
- SHA256
  
  63b541a11d8389b13c634665ba72437270cd8bbbbc3df7dc43acfe201a5a67e5
- SHA512
  
  8734843f2c9b1ed9afb5304806ce5adfffba8f8a93d6a1e1f0e9a1e2ec6c87df7435b54b3231aa583e5f08435ff470e2650c953fdfe4cde0461e5c00fa1bac94
- SSDEEP
  
  3072:Sed1DM5u4n7pV1HiBDqSe/01R+8UQrbUQrYc1rIzDu:3fDM5u41HiBK/s+4rXrYc1
Score

10^/10

xorist discovery persistence ransomware spyware stealer upx
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Xorist family
  xorist
- Renames multiple (2558) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral19
- Target
  
  ea8292721a34ca2f1831447868bbe91e.exe
- Size
  
  52KB
- MD5
  
  ea8292721a34ca2f1831447868bbe91e
- SHA1
  
  2ea7bf7b43ca83102d74f57edb5e783c02c40c6f
- SHA256
  
  21c0601f225087fa6d36ed951e0328bcbd2138bcea6a413162d1a8e17b0cb179
- SHA512
  
  8d2357cd8c216f67765a3c1c9f222f9fb258c9bb83642cd89fc0feb46ee6ca31b46c1bc7c459f483858b6348a14ed74a930a97607e817ec5bba31505d55ffb8e
- SSDEEP
  
  1536:BfLvzQzLRYhvpipuhVzwkZz3gaPOi4YYCcPzQOq4O:BDvVzwkFvd4YYDzq
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral20
- Target
  
  eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d_Stealer.exe
- Size
  
  949KB
- MD5
  
  d65f155381d26f8ddfa304c83b1ad95a
- SHA1
  
  87d7a85b4ea7d4041ade140576b4d6fd2c5aa403
- SHA256
  
  eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d
- SHA512
  
  a37f7eab52a486c947313d67c1b06dfd923f6ed5804fd74fa9cd2b30b9dac931bcb0c5827b3dfbf6ad784879e9b77ef7d0e92032b02855c35d83fba3d27fe7f0
- SSDEEP
  
  24576:qqHcFnufDotGNFfZptfvB2heOGmyC4//Ptn+O:qsDotivvWGmyC4//F
Score

1^/10
behavioral21
- Target
  
  ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe
- Size
  
  1.2MB
- MD5
  
  0ced87772881b63caf95f1d828ba40c5
- SHA1
  
  6e5fca51a018272d1b1003b16dce6ee9e836908c
- SHA256
  
  ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791
- SHA512
  
  65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb
- SSDEEP
  
  24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F
Score

9^/10

defense_evasion discovery execution impact ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral22
- Target
  
  edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.exe
- Size
  
  559KB
- MD5
  
  535494aa6ce3ccef7346b548da5061a9
- SHA1
  
  2c0b5637701c83b7b2aeabdf3120a89db1dbaad7
- SHA256
  
  edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5
- SHA512
  
  f02464b3563b4552246b86e2c6ec377b8b0734576647bbc69ca8f4dd775d59f54ffbf3dd7f6433990ec187f1116891426f0e70a7524c9b793df9bc78e087f6dc
- SSDEEP
  
  12288:ZVJ/hB+eGkeURqNvA0msxNxgnr/V4ZhiKjUkE6PofKhs:R/r47iKjUBIs
Score

10^/10

pony collection credential_access discovery execution persistence rat spyware stealer
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral23
- Target
  
  encrypter.exe
- Size
  
  40KB
- MD5
  
  3ab401abcc5394e06c5e81fb08a5a451
- SHA1
  
  ad4fd5e28586ce50d1db6647e2490145a9dbe172
- SHA256
  
  3251403ff9848ed520230a0fb8979ea4b5c8a4aa4e4a392da4c4458390f040db
- SHA512
  
  fdfb6d16e007bac6b8aa5e376fada1f155a261ca63d272c4e5ea0a2e1b7f7970371275a43b7f48aac186c718ea90f1a9115a6eb97dcbbeca4c2ea4ac7d7c1104
- SSDEEP
  
  384:WAqJTdAAZpZd269D26KNLL15FFWjeiBTwohMMIPqUQXjSQ5Yhy:1c7d269D26at2TwomMrRXWGYhy
Score

10^/10

defense_evasion discovery evasion execution impact ransomware spyware stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral24
- Target
  
  encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
- Size
  
  111KB
- MD5
  
  2ce82b2c3e43a6090685bf7e3ec36d0f
- SHA1
  
  112a99938d60abd821e345538b0b1446cd9113a5
- SHA256
  
  d4410c277e4120169a546d613d06b6f1ca1c09ea94494baeb0af796bfaefeefa
- SHA512
  
  9f0fc8a81da4977d683e4051169b5ca0f3fcd592a6946da8a4da962c2519c1fd0044baa0c950332334d9bb6e56a43aceb174bd18166cd183921d5d4213c01ece
- SSDEEP
  
  1536:Nynce2jUA5AaPcHbh7g9WKBvwAYbwdlR3zkWOSgiC81rZ8R9YgAic2i:RrjxwHbhgNwAp/R7pgi7rWv
Score

9^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops file in Drivers directory
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral25
- Target
  
  f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.exe
- Size
  
  1.0MB
- MD5
  
  f65657f31da966e1a4f52488f91d9e90
- SHA1
  
  86c197ac4d89c2a3d5425eb3e8625970dbd317b0
- SHA256
  
  f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635
- SHA512
  
  49c95e774d82668cba1527d6d72783d973f1b2a28146cda9e2da4e4bcf65d0d4414b822dbeb408f185ee00200ea0e051ddf50ea3663896d26296bfef7c65be2e
- SSDEEP
  
  24576:WgtpsYed+8uF2RypfI1aNGKwCik8oNelkzTbkGf9ee/1lL:ptOYeM8vIw1swCik8oNelKbPVeen
Score

3^/10

discovery
behavioral26
- Target
  
  f213e54c8520e7458751020edf15a5ea.exe
- Size
  
  208KB
- MD5
  
  f213e54c8520e7458751020edf15a5ea
- SHA1
  
  9ff0b2f8c83d6efea0dad136179a83d33cc141eb
- SHA256
  
  2cd85dc5040ecbc052bb243575c8f9924afafdbf774a21afe03d2d4896e5d0e1
- SHA512
  
  70e3b96da403d6d5be5a00022e4b0cd30eeaecbcb3b3f3e462695c2b0400db1fcefaaecffc9ffc40528b255dd34a126613bcf99764abe7c007b5e22c39655622
- SSDEEP
  
  3072:RM+lmsolAIrRuw+mqv9j1MWLQkMTmmsolNIrRuw+mqv9j1MWLQa:K+lDAAqTmDAN
Score

1^/10
behavioral27
- Target
  
  f2c8eee2cd88b834e9d4c0eb4930f03f.exe
- Size
  
  809KB
- MD5
  
  f2c8eee2cd88b834e9d4c0eb4930f03f
- SHA1
  
  a47b40f642bb78757b2de40344f555dc48a5a12f
- SHA256
  
  0cc95d376267ae78c309fd5f60f3083670b1c2616b6e3e2eec8810fa273c24be
- SHA512
  
  3be3760ff7b308017d820307af224bff1c5d49ae3ea71062792816477b071af9cb106e5f2ec970da022b7a055010b91b47d57e571e18643f808787538386831d
- SSDEEP
  
  12288:hmnc1DmxioiLAJmR+1IfFHmqgCqwwNgJV1TGBEXgyJ:hmnc1KioiLAcRHgCiNS1TGB
Score

10^/10

warzonerat discovery infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral28
- Target
  
  f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe
- Size
  
  689KB
- MD5
  
  0aa0397edc45cc08dd005a73f707fec5
- SHA1
  
  7c1319364fe39580d9f0a928a6f6dc593f425528
- SHA256
  
  f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7
- SHA512
  
  5766cd40e76bb48233649ecdebf31449020b65146a6e90cc9fa97651f73a3bbd13be2791fcf47c9bba8e158f21d304fa087c8d6dc5c1d53be96c107fa84e6e32
- SSDEEP
  
  12288:yHesdPT6mID+Nscf3SDEmaBY2sWevYKrQaUeSSU8g+HnCPMmq8:o4DbcvqEmay2sIaUJig/T
Score

7^/10

discovery persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral29
- Target
  
  f6a8d7a4291c55020101d046371a8bda.exe
- Size
  
  799KB
- MD5
  
  f6a8d7a4291c55020101d046371a8bda
- SHA1
  
  09b08e04ee85b26ba5297cf3156653909671da90
- SHA256
  
  082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76
- SHA512
  
  547ad8ac404e494cce474209ebfbe33a40b69feb59f564215622f479e98dd93699794f4950b05d21225af271c55987da24c68d7c4c172f1d99ba7050b7063888
- SSDEEP
  
  24576:Fpfzmg0hsVxPJHnhxqj/jELyOpQR2dnCy:FpfCHKrPFnh4jEWOpQEdnCy
Score

10^/10

discovery ransomware
- Drops startup file
behavioral30
- Target
  
  f9151107655aaa6db995888a7cb69ada.exe
- Size
  
  360KB
- MD5
  
  f9151107655aaa6db995888a7cb69ada
- SHA1
  
  854755b232ef00fffdafe68ed624cf91fe0fe92b
- SHA256
  
  b70c528731e7fa31c6038f26a07f48a0436741162961922d9bba468f77b3ce0f
- SHA512
  
  0b600b60a6fae79d0a815b8c2f43e6843941205b0560858e4274cd105e2124e87c91b0b73baa8ef58a357b5e9b3b5af73597dd96a815f559d4cc3ac7d5b8d894
- SSDEEP
  
  6144:iBDWtg/7YsXUmTXgEXrMzp14WaumddWFlhdYBb+faDvLPoJgQ1GqXOFK:iEtu/3XgsdumdIlnYZPyv1LZ
Score

7^/10

discovery spyware stealer
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral31
- Target
  
  fb8823e9494016f59ab25ec6cc0961da_api-ms-win-system-softpub-l1-1-0.dll
- Size
  
  261KB
- MD5
  
  fb8823e9494016f59ab25ec6cc0961da
- SHA1
  
  e8468fafaea37696af5ed86396d3f40a20d35a99
- SHA256
  
  3b6cdb0d03f07af774ea34a964a6e2fb6ce321d7adc487af0486f13e5aed0304
- SHA512
  
  4cd273d95b561e2424a8a09aaa5032d8c879d044f434e39c8897315863cdb0c49c9f27be29a541c179f7595d0e3c4682cc0a0d4dd8da9e5bbc5d0d7d7001740b
- SSDEEP
  
  3::
Score

1^/10
behavioral32