Resubmissions

28/03/2025, 15:18

250328-sp5nvaxyaw 1

27/03/2025, 10:37

250327-mn29faz1b1 10

General

  • Target

    FileCoder.zip

  • Size

    157KB

  • Sample

    250327-mn29faz1b1

  • MD5

    fd66d3226dcd2ef199def516b3b0b4b6

  • SHA1

    22e8ec0468fa34e0781b13c205b4bca5cfb92917

  • SHA256

    9c3f4ee8eba7b34bb92c3a7a8f2cf50382363eb645e86b5b9eda5e576ea5d951

  • SHA512

    739eb8297f21bd6249596f4f6c5fdbc515da79ea5dc7865d549e0e7a7165d3d92a70046439d756c66459fc25b0ca0b5971b131102fce6254fea820a0b1c776e6

  • SSDEEP

    3072:fVMER/uBDXzwozHMS0a+2ncQX5R2yAekiz/DsG/wZ:fVJRGBwobR0xATR2yAekUKZ

Malware Config

Extracted

Path

/Users/run/Downloads/README!.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption method.

What do I do ?
So , there are two ways you can choose: wait for a miracle or start obtaining BITCOIN NOW! , and restore YOUR DATA the easy way
If You have really valuable DATA, you better NOT WASTE YOUR TIME, because there is NO other way to get your files, except make a PAYMENT

FOLLOW THESE STEPS:
1) learn how to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)
2) send 0.25 BTC to 1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb
3) send your btc address and your ip (you can get your ip here https://www.whatismyip.com) via mail to [email protected]
4) leave your computer on and connected to the internet for the next 24 hours after payment, your files will be unlocked. (If you can not wait 24 hours make a payment of 0.45 BTC your files will be unlocked in max 10 minutes)

KEEP IN MIND THAT YOUR DECRYPTION KEY WILL NOT BE STORED ON MY SERVER FOR MORE THAN 1 WEEK SINCE YOUR FILE GET CRYPTED,THEN THERE WON'T BE ANY METHOD TO RECOVER YOUR FILES, DON'T WASTE YOUR TIME!

Wallets

1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb

URLs

https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version

https://www.whatismyip.com

Targets

    • Target

      FileCoder/FileCoder

    • Size

      355KB

    • MD5

      a4de8f25c75060b1a8cee817ec8e4e4a

    • SHA1

      52b7efa7deeb2010665a7fc433a5ac33c4815875

    • SHA256

      c9c7c7f1afa1d0760f63d895b8c9d5ab49821b2e4fe596b0c5ae94c308009e89

    • SHA512

      5e29dbe0bb73400e45857c074429ca3a875065ad4938e222ff56052ed0cdec142aff15aba639a3713a393ce7baac26a6e648c21c87b9407ea6a8b9719316b501

    • SSDEEP

      3072:tOttBofYRoEl5pXxMx5GaMmvdBJYbTqSsQdMky1vvizjMSmu8y2y+Eg74YYQ/uyH:efpBMxsaAT3Ak+azvgEqYQ5XPbFAXsr

    • MacOSFilecoder

      MacOSFilecoder family.

    • Macfilecoder family

    • Login Hook

      Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon.

    • Queries the hardware information (I/O Kit registry).

      An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

MITRE ATT&CK Enterprise v15

Tasks