agenda | 2600-0-0x0000000010000000-0x00000000104B5000-memory[.]dmp

General

Target

2600-0-0x0000000010000000-0x00000000104B5000-memory.dmp
Size

4.7MB
MD5

0d8adf6b72dacaf256865e8a8e954837
SHA1

209b4932b9970a78bf6a63a4e16e2004b609c05e
SHA256

c5f6714134e6cc3ebb5ae70e5ce291d7bc61ee7d4093445c4deba8790fc69899
SHA512

a752ecbeefa5bc963491e014d1cdd8c378c2411333d0bb7e0f27f5a76988623923a42bbba7add5e9e0ed3dfecc2ccc9f90a5b4df48e365e38fd7be51247144ac
SSDEEP

98304:hr/rt1Pwknx3fDcL0HiPN4DleqDczCkyooSFwPD+8th5Xr:hr/rjwkx3fDcAcN+leqDQCkyoiR

Score

10^/10

agenda

Malware Config

Extracted

Family

agenda

Credentials

Username:
AD\jmenard
Password:
M3n4rd@37!

Attributes

company_id
56HjMifonf
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from your system/network. Our group cooperates with the mass media. If you refuse to communicate with us and we do not come to an agreement, your data will be reviewed and published on our blog and on the media page (https://31.41.244.100) Blog links: http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials Please note that communication with us is only possible via the website in the Tor browser, which is specified in this note. All other means of communication are not real and may be created by third parties, if such were not provided in this note or on the website specified in this note. -- Credentials Extension: 56HjMifonf Domain: hjcxf6wov3lwaskhkefxedtlatelzo7picfic6dihlw524vhpcuwfdyd.onion login: NThTEat-7vPblJBqA6a1ApJmTN_n0v-I password:

rsa_pubkey.plain

Signatures

Agenda family
agenda

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2600-0-0x0000000010000000-0x00000000104B5000-memory.dmp

Files

2600-0-0x0000000010000000-0x00000000104B5000-memory.dmp
.dll windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Sections

.text
Size: 2.8MB - Virtual size: 256.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 258.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1.6MB - Virtual size: 258.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 243KB - Virtual size: 260.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 260.6MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 260.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 7KB - Virtual size: 260.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 260.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 260.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 106KB - Virtual size: 260.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 2.8MB - Virtual size: 256.0MB

.data Size: 3KB - Virtual size: 258.8MB

.rdata Size: 1.6MB - Virtual size: 258.8MB

.eh_fram Size: 243KB - Virtual size: 260.3MB

.bss Size: - Virtual size: 260.6MB

.edata Size: 512B - Virtual size: 260.6MB

.idata Size: 7KB - Virtual size: 260.6MB

.CRT Size: 512B - Virtual size: 260.6MB

.tls Size: 512B - Virtual size: 260.6MB

.reloc Size: 106KB - Virtual size: 260.6MB

.text
Size: 2.8MB - Virtual size: 256.0MB

.data
Size: 3KB - Virtual size: 258.8MB

.rdata
Size: 1.6MB - Virtual size: 258.8MB

.eh_fram
Size: 243KB - Virtual size: 260.3MB

.bss
Size: - Virtual size: 260.6MB

.edata
Size: 512B - Virtual size: 260.6MB

.idata
Size: 7KB - Virtual size: 260.6MB

.CRT
Size: 512B - Virtual size: 260.6MB

.tls
Size: 512B - Virtual size: 260.6MB

.reloc
Size: 106KB - Virtual size: 260.6MB