Resubmissions

  • 28-01-2025 02:23  250128-ct6hyatpdz  10
  • 28-01-2025 02:22  250128-ctvrfatpc1  10
  • 26-01-2025 11:49  250126-nzgbsa1rgn  10
  • 26-01-2025 11:48  250126-nygwxszrdz  10

General

  • Target: LoaderFuscate.exe
  • Size: 13.9MB
  • Sample: 250128-ctvrfatpc1
  • MD5: c07637410f1d07d4fd69030fac313a7f
  • SHA1: 72a944ca04c28d7d651468b082ba1630900272e0
  • SHA256: 7880389d89e8e28cbf6ac18bfb40dc8661dec9d9723e97b14bea6f8dff91804b
  • SHA512: 747ebeceacf1342bee878ca9aa141b3939c309eee4c14dad3c9ab3f5a7affef45adff9ffc88c7e73368eb7fb3239a242845d4acbd3a3cf5ae94f403209d6393c
  • SSDEEP: 393216:pV2YFanmL01+l+uq+VvyUR9LrvF1+TtIiLCS9DNsIRfamd:XE601+l+uqgvyO9fd1QtIQ9iIdd

Malware Config

Extracted

Path

C:\utZMwPnzM.README.txt

Ransom Note
[ASCII-art banner]

What Happened?
All your important files have been stolen and encrypted and only WE can decrypt your files but if you do not pay we will remove your unique decryption software and publish your data to the public.

How do i pay?
Send 300$ worth of BTC to the following wallet, then contact us on discord using the username: ballets4 we will give you the decryption software after the payment has been confirmed and delete the data we stole.
Bitcoin wallet: bc1qgngtzxgt3vcgx7andfl2temn3vt4unf5lmcqkj

How can i trust you?
Because nobody will trust us if we cheat users and whats the point of not giving you the decryption software.

DO NOT try to decrypt your files yourself as this may cause a permanent file corruption.
DO NOT rename any file as this may also cause a file corruption.
You only have 3 days to pay, if you did not contact us or pay us in these 3 days we will release your data to the public and remove your unique decryption software.

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (484) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Download via BitsAdmin

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks