Resubmissions

14/03/2025, 12:46

250314-pz49aatrv9 10

14/03/2025, 12:43

250314-pydpya1vbs 10

14/03/2025, 12:42

250314-pxnths1tf1 10

14/03/2025, 07:46

250314-jmdmxawvhv 10

General

  • Target

    2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil

  • Size

    92KB

  • Sample

    250314-pz49aatrv9

  • MD5

    b66ef055f69d2d1a1d8a6f7128cc34a4

  • SHA1

    b0bdbebb93abe1c437d9b8f243368ca0de74603a

  • SHA256

    c7d0fa4e911df7241f9385a109ad4814d10fb640bb8151e7d1abeec1065bcacd

  • SHA512

    c052dd76b90cad8b5d40409d00ef41d3e75439edab7e6cb79d60ec98bd17af172e4e56fa031bf1cd5256d7baa0f6ea13648044da641df90e992f36432fe0d64a

  • SSDEEP

    1536:Y73nkB0DyMgQSm9NwcKzwpR+7JICS4ABwZ/gsZujGC:c/hKzstg5gs2

Malware Config

Extracted

Path

C:\Users\r6cx9989a6-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats Happen? [-] All your data were stolen. Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension r6cx9989a6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [-] What guarantees? [-] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9CC7C529A4ECA4B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 2xNpHhGq14JosXFi09dkLt483qYvfOQFgCRszKIdsihrq5Jz108HOaxagvWluT4O /S4SOeXoTcrwHLwG5MIF4c3pWay0jN9gVvfm1MDgg2u2mIqjG+/XXiVdz8FOzTYZ gaTLRxPeJlC8XxyJQT77qqvKoeOBrLv1u9gavk983lffbYgoWaHmZpLwJnfXO6gX oM/8jKjUc4ZOsB3TFW0TJix3NjxL+Wkl5nFkhyyooUssJ/qfn5F05viuhGyKBOe2 bYbKFo8Egj5NrkJt54SWDE8FT2HHZ2gQOL4nSEtqZ6trVzEB9aBKe8IMOgITG9Zu Fb0FNl47VduLzcwVmr/ykrANW/jDlaGaJmx8OOcQWhUqy/fPwGuFNjJZinow07I3 iO/xP3E9EsfCXmghgpa4kHWR8PieVd/4qs27f735iE43vfdI68TM/fO58GIZFLvc 5j+Q01ni/qaQxs/EJjelP4JEoDlkAtDqqbNeaXLEThKekEeKuJnuFdPTc29HxrI3 lt0N4j3GhTUqS1n4h11q2sEdZpNKQpDroXD3411YI8eaTDvmcY8cHeihrgCJmVJz FR0RpSVPQGG7cBP4rchOGHJe/SltxKh9i2CvJJsEdO2Qe/SGY7JyS/TXbmWq98SW EPagrn16t0M3UHbVf7EEwM9tHvI12ZIU4xPKzyU3W4ebzSTFuHrWvp0otnX4DReC niQ3P/OolaLasrmA3F1WnBWwsCQdwaCOgCLNb7LORu1GzfQsk7fxcuZnQTD70dJe c8/emPTGQ4RvjKYTZFiUhGu4GmnG+GZwQ6SZ4gqgyzNlX/AcjZ2opryN8jvOS6fo pPre8VMjx4GsXq0U8dJF85sU6wC0rEtVrfjfCMQF0Q6HRl8Lq8GlXGih4w5EoDFz ZF0ED+fm3EN4aXBhbv7w8Epdy/HW2maAf3zKE8deJsaUGS/d5pl1hgJXHVlHr+R6 8u3hnJhAJwH4uFd8Ius5YH8Upe6C0kx7oZxkdKUcUq0Dohjg+hLRV2W5Hl6VpFUx el20vhr4DEQpMZhFPxKw4a1lZKcW4JPlRDPkld4GlGrX3PWclEVwJWaOMFXy66t0 jDdgs5LjPmdabzTio15cnRV6ovY1GQaCG09PXUUhKKeGxrUZX2VRlMKqXfjEIGDY 1gncIokG8qs06Lfa7XTfeczFKkW1iU4WNnITf9yZ2gZifnHO4Irn9w0NdB1LJ83V 1LmStiKH7Ht3bYGksruSPz97u0rzIFk53rCva/6MQ50GICMN/2ip7G9ihNMV/eLH AT4ytxqbU6eECO8ibShIzWtBDh1TPSjp3l2afOF6PD7WaFn68STsZOWhGIFC+E7b tEWXQhFU+FpHXl8wQbhcbvKAxB29FuEjs2IW6SSb77V9MTZA ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9CC7C529A4ECA4B

Targets

    • Target

      2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks