blackmatter | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Target

RS.7z
Size

20.5MB
Sample

250325-sd5jpsxyct
MD5

2e40472330409ed96f91e8e0bb796eb4
SHA1

8fd90404184de1a627068a93482313449dbbec91
SHA256

c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9
SHA512

b11720cb8519fc6838161ba8bf696681b242b0789ffd5c442efbb50161d511fd65229ca88a347c856e8ff91501c077f5de7714b09e29d4400f595bfe7829189d
SSDEEP

393216:NkDF1XseDcJIrXeSG0b5mKZ1F0gvpdO8GPnqzHLP3iN5M0CptgNpAcklC0CN:GDjXseDcSra45mKt0gvT0PnMbzkNpAc/

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials

Username:
[email protected]
Password:
120Heisler

Username:
[email protected]
Password:
Tesla2019

Username:
[email protected]
Password:
iteam8**

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes

attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true

rsa_pubkey.base64

aes.base64

Extracted

Family

mespinoza

Attributes

ransomnote
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://wqmfzni2nvbbpk25.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted

Family

sodinokibi

Botnet

$2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm

Campaign

7258

Decoy

gasbarre.com

all-turtles.com

rksbusiness.com

christ-michael.net

mardenherefordshire-pc.gov.uk

erstatningsadvokaterne.dk

marchand-sloboda.com

unim.su

bauertree.com

faronics.com

moveonnews.com

autopfand24.de

mountsoul.de

beaconhealthsystem.org

cerebralforce.net

aprepol.com

kaotikkustomz.com

dubnew.com

simulatebrain.com

alvinschwartz.wordpress.com

Attributes

net
true
pid
$2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm
prc
outlook

agntsvc

infopath

sqbcoreservice

steam

firefox

ocomm

ocssd

mydesktopqos

oracle

powerpnt

wordpad

synctime

sql

thebat

onenote

excel

visio

encsvc

winword

mydesktopservice

dbsnmp

isqlplussvc

tbirdconfig

mspub

msaccess

thunderbird

ocautoupds

xfssvccon

dbeng50
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Data leak [+] First of all we have uploaded more then 70 GB archived data from your file server and SQL server Example of data: - Accounting - Finance - Personal Data - Banking data - Confidential files And more other... Our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/ Read what happens to those who do not pay. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
7258
svc
svc$

vss

sophos

mepocs

backup

sql

memtas

veeam

Extracted

Family

sodinokibi

Botnet

$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq

Campaign

7178

Decoy

kamahouse.net

bridgeloanslenders.com

abitur-undwieweiter.de

live-your-life.jp

xn--rumung-bua.online

anteniti.com

marcuswhitten.site

ostheimer.at

joseconstela.com

deepsouthclothingcompany.com

dr-seleznev.com

ecpmedia.vn

aunexis.ch

anthonystreetrimming.com

pocket-opera.de

mooreslawngarden.com

osterberg.fi

extraordinaryoutdoors.com

kamienny-dywan24.pl

fitovitaforum.com

Attributes

net
false
pid
$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq
prc
avgadmsv

BackupUpdater

ocautoupds

synctime

thebat

excel

isqlplussvc

ccSetMgr

SPBBCSvc

Sage.NA.AT_AU.SysTray

lmibackupvssservice

CarboniteUI

powerpnt

BackupMaint

onenote

klnagent

sql

Rtvscan

xfssvccon

Smc

mspub

encsvc

LogmeInBackupService

kavfsscs

ccSvcHst

BackupExtender

NSCTOP

outlook

dbsnmp

mydesktopservice

tbirdconfig

ShadowProtectSvc

msaccess

wordpad

mydesktopqos

BackupAgent

visio

kavfswp

ocssd

thunderbird

infopath

agntsvc

sqbcoreservice

steam

AmitiAvSrv

dlomaintsvcu

Microsoft.exchange.store.worker.exe

winword

dbeng50

firefox

TSSchBkpService

DLOAdminSvcu

kavfs

ocomm

oracle
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
7178
svc
ssistelemetry

adsync

svc$

msseces

mbamservice

ssastelemetry

altaro

sbamsvc

ds_notifier

ntrtscan

ofcservice

code42service

macmnsvc

memtas

auservice

telemetryserver

tmccsf

psqlwge

sppsvc

viprepplsvc

azurea

ds_monitor

swi_filter

protectedstorage

mfemms

mfevtp

kaseyaagentendpoint

ltservice

dssvc

altiback

masvc

huntressagent

mcafee

kaendchips

kavfs

reportserver

savservice

altiftpuploader

sophos

svcgenerichost

altiphoneserv

klnagent

mepocs

ds_agent

threadlocker

sql

vss

tmlisten

backup

tmbmserver

savadminservice

vipreaapsvc

mfewc

altictproxy

ltsvcmon

altivrm

huntressupdater

kaseyaagent

teamviewer

msdtsserver

amsp

storagecraft

veeam

bedbg

Extracted

Path

C:\Users\Admin\readme.txt

Ransom Note

---=== Ranzy Locker 1.1 ===--- Attention! Your network has been locked. Your computers and server are locked now. All encrypted files have extension: .ranzy ---- How to restore my files? ---- All files on each host in your network encrypted with strongest encryption algorithms Backups are deleted or formatted, do not worry, we can help you restore your files Files can be decrypted only with private key - this key stored on our servers You have only one way for return your files back - contact us and receive universal decryption program Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee ---- Contact us ---- You have two way to contact us: 1. Open our recovery-website (can be open in any browser): https://ranzylock.hk/N6CFBPYX 2. In case of link doesnt work open our mirror recovery-website via TOR Browser: Download TOR Browser here: https://www.torproject.org/download/ Open TOR mirror website: http://a6a5b4ppnkrio3nikyutfexbc6y5dc6kfhj3jr32kdwbryr2lempkuyd.onion/N6CFBPYX ---- Data Leak Attention ---- !!! All your sensitive data was downloaded to our servers !!! We are ready to publish this data in our blog with your Company Name, if you will not contact with us by email !!! Only we can delete your files from our servers !!! Only we can restore all your files without any LOSS ---- Recovery information ---- key: eyJleHQiOiIucmFuenkiLCJuZXR3b3JrIjoidHJ1ZSIsInN1YmlkIjoiMTQzNzUiLCJsYW5nIjoiZW4tVVMAIn0= personal id: 10EKVPIH

URLs

https://ranzylock.hk/N6CFBPYX

http://a6a5b4ppnkrio3nikyutfexbc6y5dc6kfhj3jr32kdwbryr2lempkuyd.onion/N6CFBPYX

Extracted

Family

sodinokibi

Botnet

Campaign

367

Decoy

craftingalegacy.com

g2mediainc.com

brinkdoepke.eu

vipcarrental.ae

autoteamlast.de

hostastay.com

gavelmasters.com

ronaldhendriks.nl

successcolony.com.ng

medicalsupportco.com

kompresory-opravy.com

sveneulberg.de

oththukaruva.com

voetbalhoogeveen.nl

selected-minds.de

log-barn.co.uk

fsbforsale.com

jobkiwi.com.ng

ivancacu.com

11.in.ua

Attributes

net
true
pid
5
prc
wordpad.exe

outlook.exe

tbirdconfig.exe

agntsvc.exe

thebat.exe

mydesktopservice.exe

sqbcoreservice.exe

thunderbird.exe

ocomm.exe

excel.exe

thebat64.exe

steam.exe

xfssvccon.exe

firefoxconfig.exe

sqlagent.exe

ocssd.exe

mydesktopqos.exe

msaccess.exe

isqlplussvc.exe

mspub.exe

winword.exe

sqlbrowser.exe

dbeng50.exe

sqlservr.exe

oracle.exe

encsvc.exe

powerpnt.exe

dbsnmp.exe

infopath.exe

ocautoupds.exe

mysqld_opt.exe

visio.exe

msftesql.exe

mysqld_nt.exe

synctime.exe

sqlwriter.exe

mysqld.exe

onenote.exe
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
367

Extracted

Path

C:\Program Files (x86)\sr08lbl-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion sr08lbl. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C9BC31D195EDEEED 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/C9BC31D195EDEEED Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: JyJaRlY+PCFZO5BcBkivn12YUJVShYVBb0xFYWkRiBr9uf1GJG0QTJ7RrxrlgPqM hr8kp/0yyPxKq8srZw/aUSFkfwdrQzbk+r4UnLgW6t8sd9oW6lt9TFI824NoFDRq hW+hy/h25LkLrcxnqeU0srk6vMQlbsxnm5zOG+p7k37AGGSECn91nmyvvSEzkkNp NyR+Ufc5QRc9xxb806nvdTWMHTcoJg9aSb5oVnZvnf7+/WP76xKN1GN25XzY9iL5 D8eSr5CPJ3Uf4VaJuqhbOlLQNoxWfS2wtp9mfKs/0PIYMXP1VBACLhiQynJRkR3G mSe69nL6q20LP2enMKvMFzzJJSd2VG4t5H4yk1O+ckWby0XV2r/fJWnStNYpEqIe rpOVm/dYDKi3EQVaZabUBsqD5gs6FijXBhpWQxxFhfTfl2TWQOGWEBnNQVIv6iE2 TvNd1vBqX0D5A/UINQ5B3s9YBxYpMQL52o55tj13YJKg5Vh5osTmrZX0WYnSPWth Yvjv3wKrntSrTwrtjMOZiOqULWV4DuFpqneXx6CVrp/rXICLdwtNal/yM/De6SqL RnNP4PsI457JkS+4AWN1WqYSCnDP3n7Hb5wkYV+rb7bFbk8XB5LC1eXXpPdrqyor /vtnwV222d8iv2jvjiBSQHszvEhat5C8hDHBPcDfzza7vEnMeSYKcodfN/blXovI 3LSmMnpiKt8saYTuFa5H0aHSOQIrPedD5o6r0tHnk4BTpSDPm8BRYlelrj3Z6tV2 VG2qe/5tBBTmg7winWVC4eWRmpvfC5D9KsicNG3VaodICqr6IzLz8H9qA2PL5agW yQuZEqHFXxsuRnywWl4TC+4rthdKwMnC40MoGSIwGxnii41x8/snWenQnZQDHOsM Ai8EAPmqhrbB0hFOgrm3DibQ3OToCFKDAQdgt1Qw5NIAQcGxPEnchhbQQS9XBbEV vCQI5KLbC7ExbuI7WIsTdG3lHshjjylZSBVYpSZ1zo54EjUH1eZS8yF7Dmlla+d/ mk+kGc72gejFRlmewtgL0DUpUWbg65KhRwXsk5qvb4mXOu+sOqI2hL5AYNHbtED4 CHIa32wfbyV6CfuzmK2lwPItd3AuaM0Bet6BVpRvF1KJEz7AtqVetlkEL+10QdlN bAKIPgPxLV5ezupS77wIcoZoMnotSMr3B46BBjlaAVLrv9dDm3ZGKbdf0mxpapoc Rv5+UX1mGq2R9F3AZSgylw== Extension name: sr08lbl ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C9BC31D195EDEEED

http://decryptor.top/C9BC31D195EDEEED

Extracted

Path

C:\Users\k30zg2xv-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion k30zg2xv. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1253381EA533C8F3 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/1253381EA533C8F3 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: RTM6vCJhfwvNUpBHHLiMCA5BsKYnKwcZgNg349zGbGHWB8oet6ZcolATm9HStIgQ 7IoyZ+VMuQEMEsQG4Dy2s7puI9WB9QNVs0z1Kd9Y9vNvqEJX6nUMJ8ZM+w+p6fzz DqeA3HQ9tWK0vEOrIMlS+cQKtmkcCAdGreEPpVTisdIB7fj9/wKNTfx54ZzDaaT+ rGvLK0H/z4SCP4D4CcXHiqVwydGNEZzkT5DjgwLgXMmKjPX/eFE1rv/XoIMm7exV VJxLNQpGweFDKDGM/RJP+lY580I+3Fbt9abiIKFcGN5ubsnGfIYfvmdyKRrBgBlQ wyEoIBzAUOScIihbOc4dF2qcIOALUiH938C6a4tQg2lg/jizC9Xprub2aepXJOFc 7P41hOUy5rKaQQJh8ItaEg5THIr57joDdH2d1vG0R8AZetoXjNhpXsMJAoOGjPcp X6tFcqh89RoEeSbYnOjUGjiSE3GTYrR8O5v3ViwNFWWSabudtyMeADckHjDoQk8A DI/cDDSLkeQOpi6YcKwXoLTc9akX3b5Y3QKsZ5qbcDgc+nmla4xUCQ+yqV9U4ak3 lKHcEc3SYxx3XtTocmLAhT4LqI5SRpmXhBerRW6B3SfyVbanoBz9L0dRFmUvv0vO /oBLTlHa6fEz7YjBPXhTNchiiNBUglyQQArTRAz0CLraZmfVD540nWW97wPMGu1r /oAIMgTRd3SRo3KZ0mDEtvPQY0Lvn1jWxcu2nxo3rz5GFezPkgUlsdGoKcGtFQwA /hEvxDDHEF/D8c4axBOYEr6F9fbOPtzFgaWDQ6t0qDrW62x7B/I7mUd/B9jXPp85 XXA/F98D+6TkfPvE5KPrnubDRq9laSHDuD/LP52uFFkqvRpoo0zsf4YwN8je2f1G FgsPK77P4kJke8Fy2OW/V6WGT8IJ48xAapxkdXONN7QrhKhdJdajBe9lhG8+mBaE P6czjbrNvs4SW4iUdNzDyP7srLbQ1D+wgVNRNOqIVAxNI4S+wR+2ldT+yyVRbw7r btxY8XDRpagCJ4aBycst9xns0x+2AmtkA6qwtNZQX9aG2J9giwgOR3rs4aJHSHHq a3VhPW8BekcnZ+tOzq1fSQb81nVe95JIc6a9iA1vxmEE6yNWC7cm7dqEF6Cypb+n JJJL81FwXmFP3iKENKD4ORijil4t6C3mkP/Grtl7xhuoLtsqiatuHErjM9Uygs7O /yFBrvdLTL2u5e+T Extension name: k30zg2xv ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1253381EA533C8F3

http://decryptor.top/1253381EA533C8F3

Extracted

Path

C:\Program Files (x86)\62x9w-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 62x9w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4CC399F2542F9CA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B4CC399F2542F9CA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: DKeU51ZNdU8telmNVgIYQ1rX0w1AYEk6ytwCVwE+1zf2+bi3gF2tUdPDuuMiyQhz H7q9UVdFnHd0dM/GAWBe3ndhCOniHBb6Fa+ygc3W2OLTaDsmG/BVi0sY+RtVOaqu 02vxk7DKlXyszosJ+lc9ggUkPS2Kgw6kGTvh36m4ynk7hUp+5uv6EAL0P9vap0u8 wGaG5RZUUJP4QDOQdHku8rvzo5SFamfmb/pTzZXOSFfuPGFyPHNisLOs2oGOM24f YNsFGxgDv7VlBzMeXktlZLky+CJASojSxVtHY1I6ZQ7j1qhU2nDfAHVd8cMB+ux0 XFp1FFZADLNbeU4QqOHh/O7Q0ll29xHdYQw+2inris6XiQNcFT1up112iBoTPiLO q7cCmJWc0X/BBptq7rUKaYgGB3H0WIifVzRwdZI1EyT1t+jRVKnzjR8r+IxrosvK v8ooqoUGihURObpPJbMkh6JWukZNP1Hth3GRTS1BE0hRQvX3iCBxqlUfOfsm9OiY uVfaVKtwlAb935qEs09582NavMpkblsssDPQdiA+HrJ8FvVwEDfbmGSkuPb0RY7n Sk3EwKIccW+puGooTN9FnhkvTc43e8yRRCd0dnSK54JxoaTMAO9wn8X4gMbwMyXo qfNivmxW4XnSPNw+vyFgGEojRaFtnT45XJ+T17+l59rPof6ngUb0ZbtgI83IF+ra cglwGV+aXBIpdBtN4NlFU58ww7VaiS9K1u3/s8CiweV+hgW6lW4LrU2+yICZQ8sM 9dM40gweMl3OZcO5X5CxnokPK8WQj68yAFDfBocBIkxvwq4Yk/QWUmOnEfx9mIYU nIXXKtL+bCEQgdljnWI0rYJc+gWdBKorncCHYx4CtYZ0S6ygFlsJ4WYpd2VZiBNM S/fp8+fxVfyVg7z3CMh0Fp1ArUOMUHfrGfBC+e7umiG2t6MFYFHc6RFvViDrpp01 KCWx1d2bzkTdf/v03DqHO2DmTYWtbgF0iOtVd24UVxOXHJ0XdsG1ur/G7lKfPz02 D5i9znQ78gn6g2eqcKorvSHPeYkuDbPgVc/pfkR1ySAhTj89/6tXj6XF3MJxVHHd PStJZJeC/eDSEcN0Y5tQHv0tHXIEpbSTUFjWHKbkgtemxJDvjvVsYUHNCz5vyQrH 36T3t5BX9EmzLSygHdkOQPoZVp9w8fA/iEegdVkazgHT0NWGw5F3Lw4pjUWaXzmB T7PIAIsfcm1lx3hO Extension name: 62x9w ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4CC399F2542F9CA

http://decryptor.top/B4CC399F2542F9CA

Targets

- Target
  
  RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
- Size
  
  156KB
- MD5
  
  fcd21c6fca3b9378961aa1865bee7ecb
- SHA1
  
  0abaa05da2a05977e0baf68838cff1712f1789e0
- SHA256
  
  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
- SHA512
  
  e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a
- SSDEEP
  
  1536:7ZLTzASUIG0TOOYTufIaSWvRYkekdvizSBXxNe9VPw6s6aUCT7Q7qn:OBI9HYyfNBdviGBBQsrhPk4
Score

10^/10

ransomexx_win defense_evasion discovery evasion ransomware
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- RansomEXX Ransomware
  Targeted ransomware with variants which affect Windows and Linux systems.
  ransomware ransomexx_win
- Ransomexx_win family
  ransomexx_win
- Clears Windows event logs
  defense_evasion ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (161) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables use of System Restore points
  defense_evasion
- Overwrites deleted data with Cipher tool
  Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5
- Target
  
  RansomwareSamples/Ranzy_20_11_2020_138KB.exe
- Size
  
  138KB
- MD5
  
  954479f95ce67fcb855c5b882d68e74b
- SHA1
  
  43ccf398999f70b613e1353cfb6845ee09b393ca
- SHA256
  
  c4f72b292750e9332b1f1b9761d5aefc07301bc15edf31adeaf2e608000ec1c9
- SHA512
  
  515e675401ec67d2d06f06264cb33808ad7d214a0609492ddf73f40a3b829358d75f79fff04b29c6953fc3f450c0d55207d5a6fd3b571f60ae05e25327c41a5f
- SSDEEP
  
  3072:WNnBEPCZ788hExMfHg/50iIETyyCDRk8gE9QIluYEh0VZvcWrMFh:WPEa586nHg/50/ET3CoE7uYEau
Score

10^/10

discovery ransomware defense_evasion execution impact
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (188) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral10 behavioral6 behavioral7 behavioral8 behavioral9
- Target
  
  RansomwareSamples/Ryuk_21_03_2021_274KB.exe
- Size
  
  273KB
- MD5
  
  0eed6a270c65ab473f149b8b13c46c68
- SHA1
  
  bffb380ef3952770464823d55d0f4dfa6ab0b8df
- SHA256
  
  7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed
- SHA512
  
  1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff
- SSDEEP
  
  3072:n/YRw64GUbH9dpWYEFq5hY9e1Z36NS31gs03ApyCb6DnE/PdrfS6sOK5hI+z7XI:Qa6owYEFq5hY9aqNS1y4/PdzS+s64I
Score

10^/10

ryuk credential_access discovery ransomware stealer spyware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (7346) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral11 behavioral12 behavioral13 behavioral14 behavioral15
- Target
  
  RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
- Size
  
  364KB
- MD5
  
  15fc8a15e86c367586e3661b03bcab44
- SHA1
  
  a6a6f2dc244d75cac1509e46c7de88ff479b9ee6
- SHA256
  
  b2945f293ee3f68a97cc493774ff1e8818f104fb92ef9dbeead05a32fc7006ff
- SHA512
  
  cad4c868065a4715126a6e644c1fc1c5d9832e027f62f2f9370172e523fe7db63119871ba64977fc2f25959197a20f0e0e98bd66b2539eae7d46ded9d571436b
- SSDEEP
  
  6144:nj+vyxz9WYWqpkGbOAqMK/oVZUlz/F8GO53OuzZOJM7CQ5g//s4Y:j+wpWYkGA/WGUGO53OIZkh/Y
Score

1^/10
behavioral16 behavioral17 behavioral18 behavioral19 behavioral20
- Target
  
  RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
- Size
  
  252KB
- MD5
  
  1ce1ca85bff4517a1ef7e8f9a7c22b16
- SHA1
  
  f35f0cd23692e5f5d0a3be7aefc8b01dfdd4e614
- SHA256
  
  06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851
- SHA512
  
  6e67fa01a8792453b148074fe027def90e1d3f6042037216986ee9e3d0c436c177764bc5e5900dbbab91e10d8a3c86a2ea04ef547149bfc92a33ec0236759949
- SSDEEP
  
  6144:Rb8oNGxoFlv2ynsDJv++C3uGsKTYZH7nJHVyjG7q9J4:RTvnOdtC+GENnvyjGN
Score

10^/10

sodinokibi 5 367 discovery ransomware spyware stealer upx defense_evasion execution impact
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral21 behavioral22 behavioral23 behavioral24 behavioral25
- Target
  
  RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
- Size
  
  1.4MB
- MD5
  
  d87fcd8d2bf450b0056a151e9a116f72
- SHA1
  
  48cb6bdbe092e5a90c778114b2dda43ce3221c9f
- SHA256
  
  3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
- SHA512
  
  61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b
- SSDEEP
  
  12288:1deyF8N4Ateo7FURIFdnHt+gifa/kf5jOcXsikHOQLWOj9:1deyF8N4Ateo7WROdnHQgmSccikHh9
Score

1^/10
behavioral26 behavioral27 behavioral28 behavioral29 behavioral30

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Defacement

T1491

Inhibit System Recovery

T1490

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Deletes NTFS Change Journal

RansomEXX Ransomware

Ransomexx_win family

Clears Windows event logs

Modifies boot configuration data using bcdedit

Renames multiple (161) files with added filename extension

Deletes backup catalog

Disables use of System Restore points

Overwrites deleted data with Cipher tool

Checks computer location settings

Enumerates connected drives

Deletes shadow copies

Renames multiple (188) files with added filename extension

Enumerates connected drives

Ryuk

Ryuk family

Renames multiple (7346) files with added filename extension

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Modifies file permissions

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Sodin,Sodinokibi,REvil

Sodinokibi family

Deletes shadow copies

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30