General

  • Target

    Botox-0xb.zip

  • Size

    54KB

  • Sample

    250404-b15pjszns8

  • MD5

    1f4fb785b1dc67ce5eccd4a4ecabf6b9

  • SHA1

    b0fffcaea262df466f55e0c83bfc6acde6284699

  • SHA256

    bc0588d8d360f6e7fa386200d72b1857f913b36b2124d615acbfbc2851db630b

  • SHA512

    7165c5620b67c6a2af7be7b18c5f257fd2d40595acabcd0264e738edd89ec8e4974e85a08cd93f2d38a63a44749a8db56164ae31e3b717d83f6385f9efc6c845

  • SSDEEP

    1536:OTw7WEG4DV2oXHkrkFy+KWKv4GESt1iKr16fdu2:OTHE7BNHskQ+KJ4GPDrsfdu2

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\case_id.txt

Ransom Note
Case ID: ZL0RD2

## ⚠️ YOUR FILES HAVE BEEN ENCRYPTED ⚠️

Your important files have been **encrypted** by **Moroccan Dragons** using military-grade encryption. This includes all documents, photos, videos, databases, and other critical data. You cannot access them without our decryption key.

### What Happened?

We have locked your files with a unique encryption algorithm. Decryption is **impossible** without the corresponding private key.

### How to Recover Your Files?

To restore access, you must pay **1.103301 Monero (XMR) [230 US Dollar]** to our secure wallet:

💰 **Payment Amount:** 1.103301
📥 **Monero Wallet Address:** [Monero Address]

### After Payment:

1. Send proof of payment along with your **Case ID** to our email: **[Contact Email]**
2. Our system will verify the transaction.
3. We will provide the **decryption software** and **unique key** to unlock your files.

### IMPORTANT WARNINGS:

⏳ **You have 48H to pay** before the price **doubles**.
🚨 If you fail to pay within **48H**, your files will be **permanently lost**.
❌ Attempting manual recovery or using third-party tools **will corrupt your data**.
🚫 Do not contact authorities—they cannot help you, and failure to comply will result in total data loss.

### How to Pay?

1. Buy **Monero (XMR)** from a cryptocurrency exchange (Binance, Kraken, etc.).
2. Transfer the required amount to our wallet address.
3. Email proof of payment and your **Case ID**, and we will handle the rest.

🔒 **Your files are locked. The choice is yours. Act now before it's too late.**

Targets

    • Target

      Botox-0xb.exe

    • Size

      170KB

    • MD5

      8f0da65b1714819a26b959b6530cc576

    • SHA1

      01145678908c0d379467e37f6679d248f1b7a3a4

    • SHA256

      f2f15ed5568b4ea4c9ccf7f772347651c2aa13b266ddbbf3893795794214bb2f

    • SHA512

      c4aa9db30de6cb03c2d24a8931e2ee2701aa634fdddd4d666e0b08e165ac9c190d28fb7fefbbbfa84ecda9bf2843fc15ca0a8387d15a4e18f85aa5cf45ad9dd3

    • SSDEEP

      1536:4lX4Sg8k5hRaWsgB7VIzYn2YxBTpchbpMApZNoJj2010v0s0fqStAkGpV/ITZDdx:49tg5v5P7Vo010v0s0QRe3olYkbLdA

    • Renames multiple (2459) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks
