General

  • Target

    HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.7z

  • Size

    1.5MB

  • Sample

    250402-wa1ywstmv4

  • MD5

    3290585e13e51afac3b0e2e17fc18212

  • SHA1

    146f76cbdbf088fba0ca2bbe1efece22cebfa254

  • SHA256

    712b77a8e132fdef3974b4ce3cf5da81ed98fc4ef3754c407c696922d662df02

  • SHA512

    5612dc1ef3be15387a3217aeaa4291eb361b659e47d96c51259bae2c63efffd17523c3235ac859b31fdc452012679878105b14883c14542d74543ac44a13da10

  • SSDEEP

    24576:hfGKRIF3Cr01NK5+2i5L5kr+NcgpMSlG6ZKzoQMgvxk2RG8+u:lNQ9t5L5y+mclG6ZixBr+u

Malware Config

Extracted

  • Family

    zebrocy

  • C2

    Windows XP Professional x64 Edition

Extracted

  • Path

    C:\ProgramData\Adobe\# M0rphine Help #.hta

  • Ransom Note
    <html>
    <head>
    <title>M0rphine</title>
    <HTA:APPLICATION ID="" APPLICATIONNAME="" BORDER="DIALOG" MAXIMIZEBUTTON="NO" SCROLLFLAT="YES" CAPTION="YES" SELECTION="NO" INNERBORDER="NO" ICON="" SCROLL="NO" SHOWINTASKBAR="YES" SINGLEINSTANCE="YES" SYSMENU="YES" WINDOWSTATE="NORMAL" />
    </head>
    <script language=javascript>
    var winWidth = 800;
    var winHeight = 600;
    window.resizeTo(winWidth, winHeight);
    window.moveTo(screen.width/2-winWidth/2, screen.height/2-winHeight/2);
    </script>
    <body bgcolor=buttonface text=buttontext style="font: 10pt 'Tahoma'">
    <div style="font-weight:bold; font:16pt; text-align: center" id="Tittle">Attention!</div>
    <br>
    <div style="padding:15px" id="SubTittle">
    Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the cipher key recovery is impossible!
    <br> <br>
    To decrypt your files you need to buy the special software - <strong>M0rphine Decryptor</strong> and your <strong>Private Decryption Key</strong>.
    <br> <br>
    Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.
    <br> <br>
    If you want to restore files, write us to the our e-mail: <strong>[email protected]</strong>
    <br> <br>
    Please write your <strong>Personal Identification Code</strong> in body of your message.
    <br> <br>
    Also attach to email 3 encrypted files for free decryption test. (each file have to be less than 1 MB size and not have valuable content)
    <br> <br>
    It is in your interest to respond as soon as possible to ensure the restoration of your files!
    <br> <br>
    Your <strong>Personal Identification Code</strong>:
    </div>
    <center>
    <textarea style="overflow:auto; font:10pt 'Tahoma'" name="TextArea" rows=10 cols=120 readonly>[Personal Identification Code omitted: multi-kilobyte hex blob]</textarea>
    </center>
    </body>
  • Emails

    <strong>[email protected]</strong>

Targets

    • SatanCryptor

      Golang ransomware first seen in early 2020.

    • Satancryptor family

    • Zebrocy

      Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

    • Zebrocy Go Variant

    • Zebrocy family

    • Renames multiple (2226) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks