wannacry

General

Target

2024-12-03_afbe6bba36be6ad384e6feccab258960_cova_luca-stealer_wannacry
Size

4.4MB
Sample

241203-mwehcasjcz
MD5

afbe6bba36be6ad384e6feccab258960
SHA1

45c076d83c648f195444799aa2eacaf7dde7392a
SHA256

23ad77a2be48a81e4460c894c41a35db18308a8f85eb841f5bf7ae99265f7310
SHA512

420449e730f3e9ccf2d2680ef3f51c7e6d8c78a1dd5de8ee23d2726b1aec011a861bae97644e404bf1fea4944a06fe4d14f39a870ce5a9aa7cd3f916d9f55f50
SSDEEP

98304:GJ4izQvct0rXAAlWmUX5vLxwvfYSU3YD6Si4ftjZWIVTpj1JEOux5uA3mm:GJ/zQvcYAAXUlxcfYRYDZi46IJ3JEO4B

Score

10^/10

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

- Target
  
  2024-12-03_afbe6bba36be6ad384e6feccab258960_cova_luca-stealer_wannacry
- Size
  
  4.4MB
- MD5
  
  afbe6bba36be6ad384e6feccab258960
- SHA1
  
  45c076d83c648f195444799aa2eacaf7dde7392a
- SHA256
  
  23ad77a2be48a81e4460c894c41a35db18308a8f85eb841f5bf7ae99265f7310
- SHA512
  
  420449e730f3e9ccf2d2680ef3f51c7e6d8c78a1dd5de8ee23d2726b1aec011a861bae97644e404bf1fea4944a06fe4d14f39a870ce5a9aa7cd3f916d9f55f50
- SSDEEP
  
  98304:GJ4izQvct0rXAAlWmUX5vLxwvfYSU3YD6Si4ftjZWIVTpj1JEOux5uA3mm:GJ/zQvcYAAXUlxcfYRYDZi46IJ3JEO4B
Score

10^/10

wannacry xred backdoor bootkit defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2