icedid | 831a54f66b7645119d642dab565d86f4316752f6f2f759f9cc10737a34032ebf

General

Target

JaffaCakes118_831a54f66b7645119d642dab565d86f4316752f6f2f759f9cc10737a34032ebf
Size

621KB
Sample

241222-eaqz9asmgm
MD5

96be737bf47ac991c0dc9be996e0f10b
SHA1

2739c52ce389aad8214224617a04e5b494c410b3
SHA256

831a54f66b7645119d642dab565d86f4316752f6f2f759f9cc10737a34032ebf
SHA512

20675f2b1a9cd1fd091a48b535d8f37e42001fce393d1d180f21017ce4b1f999f3488d8da1985d641ff838716124f51cfb1adadb727c4740199babe7d9481711
SSDEEP

12288:IEL5jUeK/mKz5U584IsTcmMcuWeshJuNrLtVEAcNYqky:I9/z5UOl0cNR8JuNftXRy

Score

10^/10

Malware Config

Extracted

Family

icedid

Campaign

2642071409

C2

netmoscito2.uno

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj Ryuk No system is safe

Emails

[email protected]

Wallets

15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

Targets

- Target
  
  dll64.dll
- Size
  
  43KB
- MD5
  
  cfad79ca83be1a597222a14d4afb8dbd
- SHA1
  
  4c2f0f0fad519bcbe7616fd0452dcfb9b0fb2081
- SHA256
  
  e53d34c5a00e62c90781e918fd5a198475d259a9017cd2b1b5d9b91350c1e876
- SHA512
  
  8abf010ebd670d90f06e0d2a8e92d84ff8dd3ab3cac03bb11cc5e344a26fb19afae033d86e8f77ecbe2ed0c5b960b42fe7b59a2cbd160f88fd091cd5904f1af4
- SSDEEP
  
  768:d39DqSdbgOgeRFb8w0E0o9z77Q+bDjBWSNMghNTbDKTvNo4ROIaSJd:L3dFRZ8wUG/DNBVbDKTi4RySJd
Score

10^/10

icedid 2642071409 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Icedid family
  icedid
- IcedID First Stage Loader
  loader
behavioral1 behavioral2
- Target
  
  svchost.exe
- Size
  
  726KB
- MD5
  
  8a317e1b7c9671698a8467c6a7786782
- SHA1
  
  d166a8738595e3dd83c32ec30a221cda7daeac8f
- SHA256
  
  59ec0fa1c554bc9d1253ab499e20eb28d19ed9aa324f642051ce3f322adfaf5f
- SHA512
  
  74bbfbfe3aa43d3d3f0e58f739efdf0d9409fd09616035bd3c42fe236864437814363ffc311b0e2987afe733023b073ada7ab2cb8487d4ca2804264d487fb730
- SSDEEP
  
  12288:NH/679bIIANL45W4GSTceMWaugshfutrLtVmEcZHU+iC:ZUNITL40p2c1z8futftd2HU+iC
Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Suspicious use of SetThreadContext
behavioral3 behavioral4