Resubmissions (submission time, analysis ID, score)

  • 08/02/2025, 14:58    250208-sb844ssnhj    score 10

  • 05/01/2025, 12:40    250105-pwcpvswphr    score 10

  • 05/01/2025, 12:38    250105-pvbq6swpfr    score 10

  • 05/01/2025, 12:24    250105-plfzjatpdx    score 10

General

  • Target

    1a54a44791801f12bf597282ee4f296834f6c1c128464f4ba0ad470be343fbbc.exe

  • Size

    270KB

  • Sample

    250105-pwcpvswphr

  • MD5

    2eccc71416422af47b5969cc0ac64642

  • SHA1

    c0aaa01ed6d08c19df613913de1cce8c54c66461

  • SHA256

    a9f4afd73b873c926a383915a44b84fa903897427ed8393dd9243b68265de6c0

  • SHA512

    22aaba3a9b65b306116c15b4d54bfd4ec238da439023599f3f2be637d6d99fb833121de14c55daad4fc1006b22b054523ab1bb011ec45ae618bd46ce71556e48

  • SSDEEP

    6144:XEohG/el4VQg/U+Dgx3bMAVVzddi6jWGPxF:XEoPlK53DgZMSVFjW0x

Malware Config

Extracted

Path

C:\Users\Admin\Data breach warning.txt

Ransom Note

# RA World
----
## Notification
Your data are stolen and encrypted when you read this letter. We have copied all data to our server. Don't worry, your data will not be made public if you do what I want. But if you don't pay, we will release the data, contact your customers and regulators and destroy your system again. We can decrypt some files to prove that the decrypt tool works correctly.
## What we want?
Contact us, pay for ransom. If you pay, we will provide you the programs for decryption and we will delete your data where on our servers. If not, we will leak your datas and your company will appear in the shame list below. If not, we will email to your customers and report to supervisory authority.
## How contact us?
We use qTox to contact, you can download qTox from office website: https://qtox.github.io
Our qTox ID is: 358AC0F6C813DD4FD243524F040E2F77969278274BD8A8945B5041A249786E32CC784580F2EC
We have no other contacts. If there is no contact within 3 days, you will appear on our website and we will make sample files public. If there is no contact within 7 days, we will stop communicating and release data in batches. The longer time, the higher ransom.
## RA World Office Site:
[Permanent address] http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion
[Temporary address] http://161.35.200.18
## Sample files release link:
Sample files: https://gofile.io/d/ufuFye
## Unpay Victim Lists
*** You'll be here too if you don't pay! ***
*** More and more people will get your files! ***
[NIDEC GPM GmbH] [Die Unfallkasse Thüringen] [HALLIDAYS GROUP LIMITED] [Rockford Gastroenterology Associates] [Di Martino Group] [Alablaboratoria] [Comer] [Informist Media] [SUMMIT VETERINARY PHARMACEUTICALS LIMITED] [Chung Hwa Chemical Industrial Works] [Aceromex] [247ExpressLogistics] [Yuxin Automobile Co.Ltd] [Piex Group] [Zurvita] [BiscoIndustries] [Decimal Point Analytics Pvt] [DeepNoid] [Eastern Media International Corporation] [EyeGene] [Insurance Providers Group] [Thaire] [Wealth Enhancement Group]
You can use Tor Browser to open .onion url. Ger more information from Tor office website: https://www.torproject.org
URLs

https://qtox.github.io

http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion

http://161.35.200.18

https://gofile.io/d/ufuFye

Targets

    • RA World

      RA World ransomware, also known as RA Group, is a crypto-ransomware family built on the leaked Babuk source code. It emerged in April 2023 and pairs file encryption with data theft and a public leak site, as the ransom note above shows.

    • Raworld family

    • Deletes shadow copies

      Volume Shadow Copy snapshots are deleted so the victim cannot roll files back to a pre-encryption state (ATT&CK T1490, Inhibit System Recovery). The sandbox flags this behaviour; the exact command line used by this sample is not shown on this page, but the technique is commonly carried out with vssadmin delete shadows or wmic shadowcopy delete.

    • Renames multiple (187) files with added filename extension

      During the run, 187 files were renamed by appending an extension. A burst of same-extension renames from one process is the pattern expected when a ransomware payload encrypts user files in place and marks each one; it is also a usable detection signal because ordinary software rarely renames that many files that quickly.

    • Enumerates connected drives

      The sample reads the root path of drives other than the default C: volume. This is a common precursor to encryption of every accessible volume rather than only the system drive.
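The two behavioural signatures above (shadow-copy deletion and the burst of 187 same-extension renames) can be turned into host-log detections. The following is an added example, not detection code from the sandbox or from the report: it runs two detectors over constructed process-creation and file-rename events in the shape of Sysmon Event ID 1 and Event ID 11 records. The extension the real sample appends is not stated on this page, so the constructed rename events use a placeholder ".locked"; the PIDs, timestamps and paths are likewise made up for the demonstration.

```python
"""Detectors for the two RA World behaviours reported by the sandbox:
T1490 shadow-copy deletion and mass renaming with an appended extension.
Added example; every event below is constructed, not taken from the report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that destroy or disable Windows recovery points (ATT&CK T1490).
# "vssadmin list shadows" deliberately does not match: listing is benign.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"win32_shadowcopy\b.*\b(delete|remove)\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]

# Constructed process-creation events (Sysmon Event ID 1 shape). The first four
# are benign noise; the last two are the behaviour the signature describes.
PROCESS_EVENTS = [
    {"ts": "2025-01-05T12:40:01", "pid": 1180, "cmdline": "explorer.exe"},
    {"ts": "2025-01-05T12:40:03", "pid": 2204, "cmdline": "vssadmin list shadows"},
    {"ts": "2025-01-05T12:40:04", "pid": 3310, "cmdline": 'cmd.exe /c "dir C:\\Users"'},
    {"ts": "2025-01-05T12:40:09", "pid": 4120, "cmdline": "sample.exe"},
    {"ts": "2025-01-05T12:40:10", "pid": 4130, "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2025-01-05T12:40:11", "pid": 4131, "cmdline": "wmic shadowcopy delete"},
]


def detect_shadow_copy_deletion(events):
    """Return (pid, cmdline) for every event whose command line matches a T1490 pattern."""
    return [(ev["pid"], ev["cmdline"]) for ev in events
            if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS)]


def appended_extension(old_path, new_path):
    """Extension added by a rename that keeps the whole original name
    (a.docx -> a.docx.locked gives ".locked"); None for any other rename."""
    if new_path.startswith(old_path) and len(new_path) > len(old_path):
        suffix = new_path[len(old_path):]
        if suffix.startswith(".") and len(suffix) > 1 and "." not in suffix[1:]:
            return suffix
    return None


def detect_mass_extension_rename(events, threshold=20, window=timedelta(seconds=60)):
    """Flag any (pid, extension) pair that appends the same extension to at least
    `threshold` files inside one sliding time window. Returns [(pid, ext, count)]."""
    buckets = defaultdict(list)
    for ev in events:
        ext = appended_extension(ev["old"], ev["new"])
        if ext:
            buckets[(ev["pid"], ext.lower())].append(datetime.fromisoformat(ev["ts"]))
    alerts = []
    for (pid, ext), times in buckets.items():
        times.sort()
        best, left = 0, 0
        for right, t in enumerate(times):          # two-pointer sliding window
            while t - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            alerts.append((pid, ext, best))
    return sorted(alerts)


def build_rename_events():
    """Constructed rename events (Sysmon Event ID 11 / 4663 shape). Two benign
    user renames, then 25 renames by the hypothetical payload PID 4120 appending
    the placeholder ".locked" (the real sample's extension is not on this page)."""
    base = datetime(2025, 1, 5, 12, 40, 12)
    events = [
        {"ts": "2025-01-05T12:39:50", "pid": 1180,
         "old": r"C:\Users\Admin\report.docx", "new": r"C:\Users\Admin\report_v2.docx"},
        {"ts": "2025-01-05T12:39:55", "pid": 1180,
         "old": r"C:\Users\Admin\notes.txt", "new": r"C:\Users\Admin\notes.txt.bak"},
    ]
    for i in range(25):
        old = rf"C:\Users\Admin\Documents\file{i:03d}.xlsx"
        events.append({"ts": (base + timedelta(seconds=i)).isoformat(),
                       "pid": 4120, "old": old, "new": old + ".locked"})
    return events


if __name__ == "__main__":
    for pid, cmd in detect_shadow_copy_deletion(PROCESS_EVENTS):
        print(f"T1490 shadow-copy deletion: pid={pid} cmdline={cmd!r}")
    for pid, ext, count in detect_mass_extension_rename(build_rename_events()):
        print(f"mass rename: pid={pid} appended {ext} to {count} files")
```

The rename detector keys on the appended extension rather than on a fixed string, so it does not depend on knowing this family's extension in advance, and the one-off ".bak" rename stays below the threshold. In production the threshold and window should be tuned against the host's baseline, and the regex list should be matched against the full command line, as above, because ransomware routinely launches vssadmin through cmd.exe or PowerShell.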

MITRE ATT&CK Enterprise v15

Tasks