Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://roblox.com

windows10-2004-x64

10

Resubmissions

31/01/2025, 14:27

250131-rsfnfsznhk 10

31/01/2025, 14:21

250131-rn459axqft 10

31/01/2025, 14:14

250131-rjzd7sxpgt 10

31/01/2025, 14:10

250131-rg2rjsxpcs 3

31/01/2025, 11:31

250131-nm7cfawnhr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://roblox.com

  • Sample

    250131-rsfnfsznhk

Score
10/10
crimsonratfantomgandcrabinfinitylocktroldeshbackdoorcredential_accessdefense_evasiondiscoverypersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Extracted

Path

C:\$Recycle.Bin\HAHTGDAQH-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .HAHTGDAQH The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/a5d78aa5fd16c088 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAMjNhBkttS6pClc0QUHotvczFrCQPQFxE5Svz4YIAGahlh3TQigITyeRPTgLofiIDtEKnvVzGTufcMs/80/TVZ9E+yqajw+BklfkxA5bEqy5vkEqA57nUm2slMjhAgnvSMtiKPeNKgyiBca4qsJl9baAnZn3GrRKTxvGHrJO0LWmyKO77Onq04zoaU7fBOQJ9PCfpzKRxi09LHEtyb2oGp5LGle4Rsyp5vyCwHfVxjIU1kgJ8jdZ20PVG9v/Gp0h513wix0ciD3V0IgiSYJbQqHoEHPyF9ntwL5+wZ2o3bWcQiOQkjVsTADnP6vCrWTIOlp2EqhL+5/m02qCIkhNt1cCC9DyDZK3fS1GLlWwDOH+xdtAWPJIjjvtOnfFtKaILoFUYU1ceOO9BMC7ko9sHSUEEE2prUIh2O2dcr9M0hN9xs+nD8ksd0rXbh9PipctJJ7QQJ9YoZOA+O1voapkmsaa+5d+O6gjCpqLiwBmcWy30O6vRKurqtU7YuPXnqaUtyXNNbr5mtSXMnfbncFWPxRPVWMeLk76b5llBmSkJzNQ3yYE6poYJBVH71RoQptRsLMHdJ6fbXMeV/mE8FvgH/7LRa8jGWM9APM57r5LHpfl22bUsIH8Aj8eDax/YFEB3L546ipUimJiDCERKwLqTBNquWQEH8Xk3i45M/UFPXg+aTwz2klPYEneFlunAjHp/aqaX7ZvwVJiOfXJ73SiBZtymvb7BlzcNsB35ko2xAfvFPnZ4DrTFwN7afsKLCdVXdjMm0nLssKKETGCIjpyv0R+RE4vO0CdeQuH0Gk2HmUsvT4ZrtGr0IW6CHUWie4aZ5il5cgfu65UxGnAPaWq/yeVlrC34rKz5CjmbXkhK+rL0tlS+Bi4MUVhlHw/r2SsRB0ncnJvRGCmd7NLzN+mKvFAtokOv1ZSchEhCmBeaws50z3ltLhrhFmJfGwhogtIoZ6rHTCkaTEf+GhykI96QR6643B+sl3hEYUdQ1YcgApq/vq7bAWq0U8maUBzrvjM10H7dJnbDoa3BkSlH/rz6DD2yCIlpYM9xblowUiObNDVVDDyCNLzbbUEAK69vdtSWQU3u13Ftk0kzkiaLFRI19xr0f+Kxs+yS2agGfKPilco14SkFUt8IDHyNlk3vpODdL7pO3s8/W9+O4CV47YWvM0G2VGnNKmHxwAjL7NPBBhHXWVtnBE4kMasbDb8N0WO1zqv2E8/uS/KJi5NT5s4t4O85B/o2WGn/NHhHKjsbM1QsdClrm0/i+5tUzHGHv0SGdGUyzP74Wt2OuKOXokAg/V4GH0AKWOqSsDZmivqYiE2CLJO/OoruZyizGVgH2DFfjNZH7XRXxDIs1qFpJ60yO7u0qyfbMUYY7PHnFC92F8IbrnT3gjv5CN7e7tboma+wEfNldRE4D2x60SKrKQQNKQtXJWnXPKmooZug4VF6LitqcWNyDnJlKx1d3qEh7W+hMiRG3HcIALujIVZbsWoszcrSQFec50fCTuSmA0jtcM4ahezyQhrkNTDUX9m/4MN2k2G7ITndwrvrIwkvJq6zB9P4Kmah5xjfjxCOIWlJ21EQ4Dgc8dUCZF7TyPxHLMRIxAykzOGh/Oa4Kr0i6I8O8MphLNfgiVemoIfM/oKmTMlg7cUH21OfYdB0qJWhT1YsCokKwgfcNPQqAWfbOoImD+hSaYcCFMmMwqyp/YVeOj7RT6+6GLCYdZbziWk6GCUjj7lwl/X7pAbn4Z1R/xvAQww43SH/q8UYaw6vNbpUNqNhv/TjdnFOHdTF/UjqXYF/yPuSZWNCF0etdiWwFvIjwruohBN+tAINvtoQZtA6Kn2t5ljbhiPGn/KtDiU77Q/oRiasPWDAQk2Whgf3hNvvbZsVeu5XGohKtwEUiVorUgbs8zyO65XcogLn3GA/aLkM9lyba7H3EsbO5V1gKx/KT7qBwcnThEtSqNwRhPL58g9Th5gz4w1Ptn4456F6r2fLoQAmx5wVog97k2waL1J3zHPC+JCtYX4DABUc7e1oNGJlTr/8Y73udun3IeJyDk0cGhgKDDYUxGsuPTsMs/3A3HnhYAorBBZmqIB7epRECKPyLmbufUrcjC/h7CvchTTN1blEYAfd6bnK+XzlNGC7ggh6HCM5VJn/lHeG5poURPtmMsv0eP1JwuoAk77DxmbOkQHW3UDoCnyguGNY+TAaSLOtzYzrkah7na4dxcSqX23VJD7q435aGn9SgojD0QRLdzjFCg= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDs9NbJMJDRAuKVvODDRXvIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJLNAIBnBqqcY2R7G3YLHJmYKR2EeBP9/yr/NlLLzjUaP0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtoypC8F1fulXzmY7q54Buw/gTuwK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/a5d78aa5fd16c088

Extracted

Path

C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>idMfK/LDV7uLs89uKGcSNyvlnfU55qaBwNu2Q7wcPYGJnxICEMhuk1SD6ZIRIxSc1BQ7a/WOfQyb9h8WqY+LcbXjMH0u2+6fLU5TPs3lNh5R+EKmZaKY0x9zzvn2Y0fvKbTLFcHi1mmof6dSpEwL4EldxcKZEtmcYz5tYqx9MQXq8+N4jvw7eLz3Ics7fxqLlcnzthC+A3G8Tqnben/0w9wS/Yxk4XTkmVKfU5jHFIo/z9QVJ18vJybTBnbEPvAUR6aFefsXCYTDo5tGgJhPGvXMdIyx2gcwSQXHD5QJtGqHZxLFRsuIKFbJBsK1zwn2jZGavaU6uAIhqc461mQgkQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Targets

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Impair Defenses

1
T1562

Safe Mode Boot

1
T1562.009

Modify Registry

7
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Tasks