dharma

General

Target

03318fc8ac8ebfc2f093c64f02c4eaef2cb9c886270d04fac120d21005020d16
Size

92KB
Sample

250115-xywvhstmdr
MD5

55e784c5be50ae7c1049bc0fe346fa42
SHA1

6d45524919344c8ddde7851373c55474f4361c6a
SHA256

03318fc8ac8ebfc2f093c64f02c4eaef2cb9c886270d04fac120d21005020d16
SHA512

93fdc88eb4dbbe13636c44423169a7d6f420106285ea75b03f8b322af259e6ae8f69601c467ba212795ee99c67358822fff73fec4ee255222fc832ee2b447b89
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4AC7ZoqfmlZG1ZlKqPVERK+W9WS1DE:Qw+asqN5aW/hL4lo81TTeALfDE

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

We downloaded to our servers and encrypted all your databases and personal information! If you do not write to us within 24 hours, we will start publishing and selling your data on the darknet on hacker sites and offer the information to your competitors email us: [email protected] YOUR ID If you haven't heard back within 24 hours, write to this email: [email protected] IMPORTANT INFORMATION! Keep in mind that once your data appears on our leak site,it could be bought by your competitors at any second, so don't hesitate for a long time.The sooner you pay the ransom, the sooner your company will be safe.. Guarantee:If we don't provide you with a decryptor or delete your data after you pay,no one will pay us in the future. We value our reputation. Guarantee key:To prove that the decryption key exists, we can test the file (not the database and backup) for free. Do not try to decrypt your data using third party software, it may cause permanent data loss. Don't go to recovery companies - they are essentially just middlemen.Decryption of your files with the help of third parties may cause increased price (they add their fee to our) we're the only ones who have the decryption keys.

Emails

[email protected]

Targets

- Target
  
  03318fc8ac8ebfc2f093c64f02c4eaef2cb9c886270d04fac120d21005020d16
- Size
  
  92KB
- MD5
  
  55e784c5be50ae7c1049bc0fe346fa42
- SHA1
  
  6d45524919344c8ddde7851373c55474f4361c6a
- SHA256
  
  03318fc8ac8ebfc2f093c64f02c4eaef2cb9c886270d04fac120d21005020d16
- SHA512
  
  93fdc88eb4dbbe13636c44423169a7d6f420106285ea75b03f8b322af259e6ae8f69601c467ba212795ee99c67358822fff73fec4ee255222fc832ee2b447b89
- SSDEEP
  
  1536:mBwl+KXpsqN5vlwWYyhY9S4AC7ZoqfmlZG1ZlKqPVERK+W9WS1DE:Qw+asqN5aW/hL4lo81TTeALfDE
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (309) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2