General

  • Target

    RNSM00275.7z

  • Size

    7.0MB

  • Sample

    241122-vxyxdazrgr

  • MD5

    8656d8583cbacf028910947a2d80b3fa

  • SHA1

    d83fffb694eb27f434eae8f29e7f495a3c3a5c59

  • SHA256

    e1c89f5b482e75e1fc766986357e478c670ab87a415fe25a80bf8b1852f2c367

  • SHA512

    8fb1b81484bb5c20fec83073761b12165c4ade7d716f522f1d0a73d0ece3e7b458e85ce54ae7c33f1861a5126554aa0988e4523a5163378cad140f3f72d60bb2

  • SSDEEP

    196608:57RdJrgtIAwwmEz46Hyp0248n43vmnVJl4s2v:VRdFSLYp3Cvmn7+sU

Malware Config

Extracted

Family

gozi

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+hvkav.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
* http://t54ndnku456ngkwsudqer.wallymac.com/38762F6F846837E1
* http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/38762F6F846837E1
* http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/38762F6F846837E1

If for some reasons the addresses are not available, follow these steps
1 Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 After a successful installation, run the browser
3 Type in the address bar: xlowfznrg4wf7dli.onion/38762F6F846837E1
4 Follow the instructions on the site

IMPORTANT INFORMATION
Your personal pages
http://t54ndnku456ngkwsudqer.wallymac.com/38762F6F846837E1
http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/38762F6F846837E1
http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/38762F6F846837E1
Your personal pages TOR Browser
xlowfznrg4wf7dli. onion/38762F6F846837E1

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/38762F6F846837E1

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/38762F6F846837E1

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/38762F6F846837E1

http://xlowfznrg4wf7dli.onion/38762F6F846837E1

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+hvkav.txt

Ransom Note

-----
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://ytrest84y5i456hghadefdsd.pontogrot.com/19231476997B99E
2. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/19231476997B99E
3. http://5rport45vcdef345adfkksawe.bematvocal.at/19231476997B99E

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/19231476997B99E
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://ytrest84y5i456hghadefdsd.pontogrot.com/19231476997B99E
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/19231476997B99E
http://5rport45vcdef345adfkksawe.bematvocal.at/19231476997B99E
*-*-* Your personal page Tor-Browser:
xlowfznrg4wf7dli.ONION/19231476997B99E

URLs

http://ytrest84y5i456hghadefdsd.pontogrot.com/19231476997B99E

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/19231476997B99E

http://5rport45vcdef345adfkksawe.bematvocal.at/19231476997B99E

http://xlowfznrg4wf7dli.onion/19231476997B99E

http://xlowfznrg4wf7dli.ONION/19231476997B99E

Targets

    • Target

      RNSM00275.7z

    • Size

      7.0MB

    • MD5

      8656d8583cbacf028910947a2d80b3fa

    • SHA1

      d83fffb694eb27f434eae8f29e7f495a3c3a5c59

    • SHA256

      e1c89f5b482e75e1fc766986357e478c670ab87a415fe25a80bf8b1852f2c367

    • SHA512

      8fb1b81484bb5c20fec83073761b12165c4ade7d716f522f1d0a73d0ece3e7b458e85ce54ae7c33f1861a5126554aa0988e4523a5163378cad140f3f72d60bb2

    • SSDEEP

      196608:57RdJrgtIAwwmEz46Hyp0248n43vmnVJl4s2v:VRdFSLYp3Cvmn7+sU

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Gozi family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Contacts a large (669) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks