General

  • Target

    Conti Builder.rar

  • Size

    2.4MB

  • Sample

    241206-s7lcxszrgq

  • MD5

    476b3969ddbb75be5174b64bdc2cdb07

  • SHA1

    87ac2b436f1ea207b5f35aa84d4fc348df8c77e3

  • SHA256

    44eaa6185d082fd3273b6b8c267935e2253bbe9acd345a7ef492d98112042743

  • SHA512

    cf4eeeeaee09d2fcedc998fbcf96dc316eef5eef55f2e122af3f17caf6cf90ead465b08051ec7460a39761da5fb6a042b1bc4ef717c0c555aedcf10f06df0b7f

  • SSDEEP

    49152:Jo+Oa8B53MBcRX9WOQ9csYYEyHsdzEB7qGzkMj8zgoKSGWzgbanPNkIAm:QB5UeAr9cIEyHsdAkGX3S0w1kRm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\7zO082F98E7\HOW_TO_USE.txt

Ransom Note
-------- OVERVIEW --------
Known for its speed of delivery, remote operation, Conti ransomware is an encryption tool designed to block access to a computer system or data until a ransom is paid. It typically works by encrypting the victim's files or locking the operating system, rendering the data or system unusable. The attackers then demand a ransom, usually in cryptocurrency like Bitcoin, to provide a decryption key or unlock the system. Once the data is encrypted, the ransomware displays a message informing the victim of the attack and instructing them on how to pay the ransom to regain access to their files.
------------ INSTRUCTIONS ------------
Open "readme.txt" and input your tor details, providing instructions for victims on how to contact you to recover their encrypted files. Finally run "builder builder_output" then navigate to the "builder_output" folder and you will see "_locker.ex_" rename it, crypt file then send to victim

Extracted

Path

C:\Users\Admin\Desktop\Conti Builder\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back - we offer you to decrypt #__FILE_COUNT__# random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://#__TOR_URL__#
HTTPS VERSION :
https://#__HTTPS_URL__#
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
#__BASE64_ENCODED_STRING__#
---END ID---

URLs

http://#__TOR_URL__#

https://#__HTTPS_URL__#

Targets

    • Target

      Conti Builder.rar


    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Conti family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks