icedid | e88f86634b1a30b45429d6f721fef75902fb55a78629f1c0193e1629e955a55d

General

Target

JaffaCakes118_e88f86634b1a30b45429d6f721fef75902fb55a78629f1c0193e1629e955a55d
Size

113KB
Sample

241226-wehywatkgr
MD5

e007d203eb070e1f35fb2c791343a9e2
SHA1

fc1f90411c94a59edf6cc42af77ecb654bce973a
SHA256

e88f86634b1a30b45429d6f721fef75902fb55a78629f1c0193e1629e955a55d
SHA512

260d804b6a9a086b01c68f70f246fcab011eff30cd6bc48006d08c1479554b9bf6bcacd0b1e0f749e315837ebdaf46f99bba9ff5c9a105ab42a28cf40de8d56b
SSDEEP

3072:XaTWIP48EqyxjXzxAeADCEbAwHGl1OPTXGESdzP9:Xar4TzVDuDCEbA8GOWEW

Score

10^/10

Malware Config

Extracted

Family

icedid

Campaign

2642071409

C2

netmoscito2.uno

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj Ryuk No system is safe

Emails

[email protected]

Wallets

15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

Targets

- Target
  
  dll64.dll
- Size
  
  43KB
- MD5
  
  cfad79ca83be1a597222a14d4afb8dbd
- SHA1
  
  4c2f0f0fad519bcbe7616fd0452dcfb9b0fb2081
- SHA256
  
  e53d34c5a00e62c90781e918fd5a198475d259a9017cd2b1b5d9b91350c1e876
- SHA512
  
  8abf010ebd670d90f06e0d2a8e92d84ff8dd3ab3cac03bb11cc5e344a26fb19afae033d86e8f77ecbe2ed0c5b960b42fe7b59a2cbd160f88fd091cd5904f1af4
- SSDEEP
  
  768:d39DqSdbgOgeRFb8w0E0o9z77Q+bDjBWSNMghNTbDKTvNo4ROIaSJd:L3dFRZ8wUG/DNBVbDKTi4RySJd
Score

10^/10

icedid 2642071409 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Icedid family
  icedid
- IcedID First Stage Loader
  loader
behavioral1 behavioral2
- Target
  
  eiavW.exe
- Size
  
  172KB
- MD5
  
  c0202cf6aeab8437c638533d14563d35
- SHA1
  
  5767653494d05b3f3f38f1662a63335d09ae6489
- SHA256
  
  8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b
- SHA512
  
  02516128d43914d6ff1b7e702d25771aafd2edccee1729f88ad621cea15a648bb2737b87f564e0711e6f8f99c43eb406b3b6137c68086774f1417642d51c07c0
- SSDEEP
  
  3072:tEyekjv8/eFJ59W2+yV3XgDJ/nptkIV77pJd7RQy+P/:qMo/eF7EDyVgFfn7QyK
Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
behavioral3 behavioral4