General

  • Target

    2024-12-12_87ed0fc8118723ea66be965e8cea3764_poet-rat_snatch

  • Size

    4.6MB

  • Sample

    241212-sw1ngaykcv

  • MD5

    87ed0fc8118723ea66be965e8cea3764

  • SHA1

    bcc642835880fbf922cc2b029d362b3d82fac938

  • SHA256

    3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97

  • SHA512

    70974198ed89c9a325c03b3c78c1576d90b8a83b7adf3735fdfe2f30ea83309ba76bc34a3c78e9eb52defb161e5d5fb0e8813690a3960ce74975a2655b3f359a

  • SSDEEP

    98304:lpzHHcNCDnfENtGVKSqnJe9pANQvlsisx:ldHHcN2nfENGOYvlsjx

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only we can decrypt them. Contact us: [email protected] or [email protected] Write us if you want to return your files - we can do it very quickly! The header of letter must contain extension of encrypted files. We always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups). HURRY UP! If you do not email us in the next 48 hours then your data may be lost permanently.

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (7843) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending a new extension to each.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

MITRE ATT&CK Enterprise v15