dharma

Sharing

General

Target

TOTALLYNOTRANSOMWARE.py
Size

1KB
Sample

250224-vdm1rstky3
MD5

147bb993b1108746186107ac426805d3
SHA1

87e5f3235f300bfe00e18bb476457797d7880140
SHA256

c2cbfe93a17545b58a1fa9347c018a732414e8e36c99a4b03e643e1ae9bc2310
SHA512

51e134e0cde7fa28697a80ac1ee63dcaa59a6078e42e7c25a491af6bb521d72259a5e37992553260bfffa11b91188bfb2fcf5b5b2eae08c21eb92f190c47a18d

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>JS52T6bnrg44m0Xx/9HzuZ/1gJHesO4pYXMhOQol5G7EVhLz0tVtQHO2FE2zlfbLrk6bLG/YVcqaKWIf7XwLV5BNy447+u+a6KHQrKA0V4+S//btIt1gU1T16u3OLtSfyYvA3XuuCSAG1paQxIQkJ6LrpyVkIC4Xt/jDHDosH6wFqfsKqQy76HW/FqIgV+CuHfWkpxEsya1HVycbFmAzcoDAZIqw+nbbYGpxL3vGHbT9qEhis79f7J4lF/MPAv0RqPbb6Q3ssJ5ji5imB53/eYBA75jfTqwRXqu2D7vPhb/JnnsQR2AhlDML607sP8RsNoxdInUi7/1cEL7x3H0MMg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>M69mgMuq37Gd2L8WYJV7BFkqIqAmDVsTGg9MKvF+mIRRwX1YIpfl3aqwfJnvdIkVGt/JZpUHLazulwPnUe5Utut+M5PTi/vND7y7/RiG7B6b6gPZ763Rds6z34KFWPZxkx3TYkbtXH5ui2dU4pJIsU0xiGihfSQ+bGz4/LmytEfgLJSikeV8DCjuJgjb7PX48VAklAsOfzn7Gc4DaA9NHdFjkMLvmOqXbmmhj17Ag2582T1yikvt3sMkfSQseyxOV1U/2FMMOeGdeDikfhMTAzryJx3avSrBjxJX2oK2IIoskcY1IT8aY8Vx9nuBzN1JM2zdYrAQWpsnyPwJi5eFYQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>YIAKR3FzAK8dnrua9XH5Icbsbl0RgrXqmC+MQVlplNONPVlJdI/HvnbMeIingeaP8mLpY8EocCUmfUiRJJkWbGiEqzW5HDTpdNxjaU/iuLR4OadTfH/3fZuOZv1x3iZxhaOBr2gFBK9DEATsYJ9uFtIMW7RKunBtyH+2z/mO0kjcVErUt5+PHTeJjgJcyJkZYJEgR7UfqL5wndZhkqKYPCyqS2nBEReCq4RGUuVYC3P0ytXd77+AgypCXL7aj3cA3nfQLDV1SRAv6H+MukwoJ2Loaq2AJ0mmpB18JIpek6TOD47VL7Bm6t41XMSPO3fRmOxdFft0nda1vr9liDkbIw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>OdStzrZpuWx120zzOAPD8bKlZSjQNduXu6zfrzWXapDHUXTuTnTDIZHqNPpXHkVofaOdkttVlyfrskicT7SMtTq3U7RluTiY5G5ZxH2vaXFYoppkGRV6PdCPtftUHBQ3XyySS10LJI2b3gAjdNpWkpEp3RafkO2YNvoDyGJwccv+bbQnta2Dd4ZqQCADVuUfsFGBoGszvna4cSVRR3o/vzGz/Z/On6z/6/HMu+fT85vhPTBkXMUtC0ZdezPtBs9zdb7np4xEP7wSsdZi/hNrP7TapMQ0z7ZG6pLEY4KeZuqmeHsytMxW4ndHZ+YuSS54+bdqHklaE3x/k1+CBDkLaQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>I+NG7Gl9J7j98grK7KHkgR76duGmbLInv6cvtFl9X5BnKu8wsIc7eQdKhsms2Q3FX9sNDNZCAEcAbJ6xvouv26zNU0UPbCjAAZUCxXCkcQ8ZJRfDjlDfDwQGWAojevleI+EThwA/qD6Afpp7koXC8zjK+VYZj/FkjaK0MkHQL0zQIFLloA9zUhGgXGtvicQUFRjlMYIciXVBIh7htrYgoQoesckkqm5kGUh3L75Ui1qRSrKSsqsfsaWvK2FWBD9pIGCYtI0D8dsUVYyOssOYOAlqrmdOMtRZ2AdvNwVHa8sKWiGCQIRewtZmJxXz23D1OFs26w7bs0FztpCpRIL5fQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>PG739Oa3/AYOz0ZH3Lt+rCQpGPhMA9ftkcgITxSyJRj178+hy4hlxGrUTWr5mKkuBoZIehl7KQv2Jw3Jl3rtwzjVeGKNSdwvsl5qnE8j/LA6DRi/PBrtjqlcO+4KmaUdphUpThTc15kVdOnMSsvLc7ouWB0w9gHhWBpsZi7dQwXwfmbwMZnE5korFn4CsfeWRi+vSo0VFjIrRHN6vXYMcxggH/3j70WkN8G2CKeEq1t1vlVqE2wQadtr0AVY0Q4hl2sh+qs/tyisGOSO/h1tZv/c/Y2dcJGefApi/zzC1yqGRZpOw/m7zq4IKxgvaJOfa4yav17q5xVplLQnGnEKxA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>ITOVfrb/VClkN5UNiFiM3f0BRXrnwYmmxWREI9J8oQk+EHHFeM95C0uwAjbS+iywBG+cdozWvL3JbaPrfYTDNmg032bfLtUJpXvAmCyBB0r/mGDAqHcT4plZgwFfpbd+pQE6Wq+Pf9Ymq5S+zbNQCQ4E+MA5OEFFelLGglUPl5kwNe61bVIxmefHDupTt/f1Ipyj4MPtlRSKS+Igpi4NVLLhcLjOJM6HPRjaKxNF+UEC7kgBeR5opRCeszfN5qXGqw2/R52ZkPnhN8KKR90wAdLMtb/rvenlv4oz+QHOvjjUbFc/ZjGmaDne1vKIK+3zn9jzTojsryA0rQWjtZhjxQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Targets

- Target
  
  TOTALLYNOTRANSOMWARE.py
- Size
  
  1KB
- MD5
  
  147bb993b1108746186107ac426805d3
- SHA1
  
  87e5f3235f300bfe00e18bb476457797d7880140
- SHA256
  
  c2cbfe93a17545b58a1fa9347c018a732414e8e36c99a4b03e643e1ae9bc2310
- SHA512
  
  51e134e0cde7fa28697a80ac1ee63dcaa59a6078e42e7c25a491af6bb521d72259a5e37992553260bfffa11b91188bfb2fcf5b5b2eae08c21eb92f190c47a18d
Score

10^/10

dharma fantom credential_access defense_evasion discovery execution impact persistence privilege_escalation ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Fantom family
  fantom
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1