General

  • Target

    12cf510444fbe31d26b0d07046827713acff59310a677041d10a38baa5475bb9.exe

  • Size

    9.1MB

  • Sample

    250317-cl1byswzhy

  • MD5

    ffdfb4889a8af7fee5c0d60731b3ff1b

  • SHA1

    5e968b7cf87b36bf705882fb13e4774ef38f2386

  • SHA256

    12cf510444fbe31d26b0d07046827713acff59310a677041d10a38baa5475bb9

  • SHA512

    d9f8431cfe9e9999d1ac9957c99b18b45d38af2af612fe32b4c4573468e829b67619083e5b5f777ac2284131b38c0df973501138bb56b5e553303eb78ccc1073

  • SSDEEP

    6144:ar9SUF0Gbetbpf5+hoIFZ/vNmjLPVwYpE/LpbueRsdxIh7m5hfLPeov23vWENOSe:U7yw2

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ ME.txt

Ransom Note
---= GANDCRAB V5.0.3 REMAKE BY FLOWERSUSER7213 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

**** This malware is given for trusted users only and this is malware and ruins your day! >:) ********

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS AND YOU CANT USE IT AT ALL PLEASE MAKE A SNAPSHOT AND RUN THIS PROGRAM!*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .TUSOSOIN

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/34afc7c684c32ae3
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---
---BEGIN PC DATA---
ENJOY YOUR FUCKING PC!
URLs

http://gandcrabmfe6mnef.onion/34afc7c684c32ae3

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence to avoid infecting systems in certain regions.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15