ammyyadmin | d7676e38029789eb42452b343315be2187696c7432c3923281e961010c1c3913

Resubmissions

02/03/2025, 00:31

250302-avjdpaxyb1 10

01/03/2025, 18:26

250301-w3c3jaykt8 10

Sharing

Copy URL

Twitter E-mail

General

Target

250224-w9jtnaxqw7_pw_infected.zip
Size

16.9MB
Sample

250301-w3c3jaykt8
MD5

560392912801a789739dcfb266226f31
SHA1

503933de4c7205a07144f49560f636ea7afb5567
SHA256

d7676e38029789eb42452b343315be2187696c7432c3923281e961010c1c3913
SHA512

ca0cc8fa00c8d58dd5cd5330b33ea499dada4334c3595111d3a960ce850cf89837c0b8923418ad05d60e6a4be549a494390f553484ee229b136bb4511bf92b17
SSDEEP

393216:WVXqfO5xKJtoBZoqKeIwVtfxvfYst1rhdn2tCS6cFl+DJLc7xOuMO:UXqfjWoqKiVJJLrhd2cS12d2OuMO

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_34CB127E.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Extracted

Family

xworm

Version

5.0

outside-sand.gl.at.ply.gg:31300

185.7.214.108:4411

185.7.214.54:4411

Mutex

uGoUQjcjqoZsiRJZ

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
Google Chrome.exe
pastebin_url
https://pastebin.com/raw/hhG5zGXd

Extracted

Family

lumma

https://p3ar11fter.sbs/api

https://3xp3cts1aim.sbs/api

https://owner-vacat10n.sbs/api

https://peepburry828.sbs/api

https://p10tgrace.sbs/api

https://befall-sm0ker.sbs/api

https://librari-night.sbs/api

https://processhol.sbs/api

https://qualifiresui.cyou/api

Extracted

Family

quasar

Version

1.4.1

Botnet

microsoft

193.161.193.99:25170

Mutex

06cb3c8b-d800-42d6-af01-12c4e1f138b0

Attributes

encryption_key
95C77D90C8A49F5740548C8A0A430C41732B639C
install_name
runtime.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

llordiWasHere-55715.portmap.host:55715

14.243.221.170:2654

Mutex

124c5996-13c0-46a2-804a-191042a109db

Attributes

encryption_key
5F48258CBD7D9014A9443146E8A3D837D1715CAE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

test

otrodia8912.gleeze.com:3333

Mutex

123

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

stealc

Botnet

QQtalk

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

asyncrat

Version

A 13

Botnet

Default

163.172.125.253:333

Mutex

AsyncMutex_555223

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

marsstealer

Botnet

Default

kenesrakishev.net/wp-admin/admin-ajax.php

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Targets

- Target
  
  250224-w9jtnaxqw7_pw_infected.zip
- Size
  
  16.9MB
- MD5
  
  560392912801a789739dcfb266226f31
- SHA1
  
  503933de4c7205a07144f49560f636ea7afb5567
- SHA256
  
  d7676e38029789eb42452b343315be2187696c7432c3923281e961010c1c3913
- SHA512
  
  ca0cc8fa00c8d58dd5cd5330b33ea499dada4334c3595111d3a960ce850cf89837c0b8923418ad05d60e6a4be549a494390f553484ee229b136bb4511bf92b17
- SSDEEP
  
  393216:WVXqfO5xKJtoBZoqKeIwVtfxvfYst1rhdn2tCS6cFl+DJLc7xOuMO:UXqfjWoqKiVJJLrhd2cS12d2OuMO
Score

10^/10

ammyyadmin asyncrat flawedammyy lumma marsstealer njrat quasar ragnarlocker squirrelwaffle stealc xworm default microsoft office04 qqtalk sgvp test bootkit credential_access defense_evasion discovery downloader execution impact persistence privilege_escalation pyinstaller ransomware rat spyware stealer trojan upx
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Ammyyadmin family
  ammyyadmin
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Flawedammyy family
  flawedammyy
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
  stealer marsstealer
- Marsstealer family
  marsstealer
- Modifies WinLogon for persistence
  persistence
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RagnarLocker
  Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
  ransomware ragnarlocker
- Ragnarlocker family
  ragnarlocker
- SquirrelWaffle is a simple downloader written in C++.
  SquirrelWaffle.
  downloader squirrelwaffle
- Squirrelwaffle family
  squirrelwaffle
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (7949) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Squirrelwaffle payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  defense_evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1