Overview

overview

10

Static

static

3

Ultra Mega...9).exe

windows10-2004-x64

10

Ultra Mega...9).exe

windows10-ltsc 2021-x64

10

Ultra Mega...9).exe

windows11-21h2-x64

10

Resubmissions

03/03/2025, 22:52 UTC

250303-2ttxksssfx 10

03/03/2025, 22:39 UTC

250303-2k977s1r17 10

03/03/2025, 22:13 UTC

250303-1496wa1mz6 10

03/03/2025, 22:08 UTC

250303-12lqha1lz8 10

02/03/2025, 00:28 UTC

250302-astfwaxxft 10

26/02/2025, 16:01 UTC

250226-tglrfavp16 10

26/02/2025, 16:01 UTC

250226-tf7mhsvvcz 3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Ultra Mega Null DDoS Panel (added API Function in v2.39).exe

  • Size

    22.4MB

  • Sample

    250226-tglrfavp16

  • MD5

    317c5fe16b5314d1921930e300d9ea39

  • SHA1

    65eb02c735bbbf1faf212662539fbf88a00a271f

  • SHA256

    d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40

  • SHA512

    31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031

  • SSDEEP

    49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

Score
10/10
asyncratmarsstealermetasploitquasarragnarlockersquirrelwafflexwormdefaultoffice04solarafakebackdoorbootkitdefense_evasiondiscoverydownloaderexecutionimpactpersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_6D6FC352.txt

Ransom Note
Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( cargowelcome@protonmail.com ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************
Emails

cargowelcome@protonmail.com

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

193.161.193.99:43242

havocc.ddns.net:4782
Mutex

45bfb701-bea2-411a-948d-9a6abe001f83

Attributes
  • encryption_key

    80594967BC0A4839C316A44D62DE36E9BF18177F

  • install_name

    SYSTEM26.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

Version

5.0

C2

outside-sand.gl.at.ply.gg:31300

Mutex

VQd9MfbX4V71RInT

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain
1
ZL3Yaeg/PJ0Y7FJtsCrVug==
aes.plain
1
RLT9zkHiRr/5AJtJw8Tw3A==
aes.plain
1
iwq27h/tG7NiXuGTi1TLFw==
aes.plain
1
Lj9B0TP2c9JGSsX7MQ7n9w==
aes.plain
1
7rRc/WewXDuuvExU1MTFVw==
aes.plain
1
XbYEdfPuBnixoFuSNn1nSA==
aes.plain
1
UyWucCFaZsa6ZWDJM7yw/g==
aes.plain
1
PLjAaQfjxSa0AqTb2Mztsg==
aes.plain
1
tnLiJ8v1cfsNd5eJoRhseg==
aes.plain
1
5M01DMI0Ca42x7nsBSma3w==
aes.plain
1
c9iLfbThOQerF9WWkucaag==
aes.plain
1
KluxaWEQRuofx8dnnm0lJA==
aes.plain
1
p75TdH41qqGxIKzGvwfpnw==
aes.plain
1
qWfNplSuVYyRhBCBd7gbWA==
aes.plain
1
3pz+DSOF7CNCeLXAZIjzcQ==
aes.plain
1
9bOnRp64Sa7O1yBGRLmhVg==
aes.plain
1
tQ43J6HkCx+AoIVYVR/5fw==
aes.plain
1
4IO7pBswk3ZfoqaXWKY+LA==
aes.plain
1
bcyDd7+Du+2axnrsByTfkg==
aes.plain
1
QuaykfErcINcTYMDsX/Tkg==
aes.plain
1
MR/ujHAlpZ+IJH2xVdLPKw==
aes.plain
1
qm4zfv7d0AEy6LRo/XimVg==
aes.plain
1
C7pxMbOAPndv5+MrPB/ygQ==
aes.plain
1
wMe1vCdv5J3WTlJ/DLJsWw==
aes.plain
1
nMyuZo9TU8kJkdMqWhvKRw==

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

147.185.221.19:58142

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

C2

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Windows.exe

  • install_folder

    %Temp%

aes.plain
1
OYUbd0bNb13HxWjxL8vDgVijf0brC8hH

Extracted

Family

marsstealer

Botnet

Default

Targets

    • Target

      Ultra Mega Null DDoS Panel (added API Function in v2.39).exe

    • Size

      22.4MB

    • MD5

      317c5fe16b5314d1921930e300d9ea39

    • SHA1

      65eb02c735bbbf1faf212662539fbf88a00a271f

    • SHA256

      d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40

    • SHA512

      31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031

    • SSDEEP

      49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

    Score
    10/10
    asyncratmetasploitquasarragnarlockersquirrelwafflexwormoffice04solarafakebackdoorbootkitdefense_evasiondiscoverydownloaderexecutionimpactpersistenceransomwareratspywaretrojanmarsstealerdefaultstealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Xworm Payload

    • Mars Stealer

      An infostealer written in C++ based on other infostealers.

      stealermarsstealer

    • Marsstealer family

      marsstealer

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Metasploit family

      metasploit

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • RagnarLocker

      Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.

      ransomwareragnarlocker

    • Ragnarlocker family

      ragnarlocker

    • SquirrelWaffle is a simple downloader written in C++.

      SquirrelWaffle.

      downloadersquirrelwaffle

    • Squirrelwaffle family

      squirrelwaffle

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (5723) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Squirrelwaffle payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.