General

  • Target

    Botox-0xb.zip

  • Size

    54KB

  • Sample

    250404-bwhzzsxwf1

  • MD5

    1f4fb785b1dc67ce5eccd4a4ecabf6b9

  • SHA1

    b0fffcaea262df466f55e0c83bfc6acde6284699

  • SHA256

    bc0588d8d360f6e7fa386200d72b1857f913b36b2124d615acbfbc2851db630b

  • SHA512

    7165c5620b67c6a2af7be7b18c5f257fd2d40595acabcd0264e738edd89ec8e4974e85a08cd93f2d38a63a44749a8db56164ae31e3b717d83f6385f9efc6c845

  • SSDEEP

    1536:OTw7WEG4DV2oXHkrkFy+KWKv4GESt1iKr16fdu2:OTHE7BNHskQ+KJ4GPDrsfdu2

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\case_id.txt

Ransom Note
Case ID: OXFO4L

## ⚠️ YOUR FILES HAVE BEEN ENCRYPTED ⚠️

Your important files have been **encrypted** by **Moroccan Dragons** using military-grade encryption. This includes all documents, photos, videos, databases, and other critical data. You cannot access them without our decryption key.

### What Happened?

We have locked your files with a unique encryption algorithm. Decryption is **impossible** without the corresponding private key.

### How to Recover Your Files?

To restore access, you must pay **1.103301 Monero (XMR) [230 US Dollar]** to our secure wallet:

💰 **Payment Amount:** 1.103301
📥 **Monero Wallet Address:** [Monero Address]

### After Payment:

1. Send proof of payment along with your **Case ID** to our email: **[Contact Email]**
2. Our system will verify the transaction.
3. We will provide the **decryption software** and **unique key** to unlock your files.

### IMPORTANT WARNINGS:

⏳ **You have 48H to pay** before the price **doubles**.
🚨 If you fail to pay within **48H**, your files will be **permanently lost**.
❌ Attempting manual recovery or using third-party tools **will corrupt your data**.
🚫 Do not contact authorities—they cannot help you, and failure to comply will result in total data loss.

### How to Pay?

1. Buy **Monero (XMR)** from a cryptocurrency exchange (Binance, Kraken, etc.).
2. Transfer the required amount to our wallet address.
3. Email proof of payment and your **Case ID**, and we will handle the rest.

🔒 **Your files are locked. The choice is yours. Act now before it's too late.**

Targets

    • Target

      Botox-0xb.exe

    • Size

      170KB

    • MD5

      8f0da65b1714819a26b959b6530cc576

    • SHA1

      01145678908c0d379467e37f6679d248f1b7a3a4

    • SHA256

      f2f15ed5568b4ea4c9ccf7f772347651c2aa13b266ddbbf3893795794214bb2f

    • SHA512

      c4aa9db30de6cb03c2d24a8931e2ee2701aa634fdddd4d666e0b08e165ac9c190d28fb7fefbbbfa84ecda9bf2843fc15ca0a8387d15a4e18f85aa5cf45ad9dd3

    • SSDEEP

      1536:4lX4Sg8k5hRaWsgB7VIzYn2YxBTpchbpMApZNoJj2010v0s0fqStAkGpV/ITZDdx:49tg5v5P7Vo010v0s0QRe3olYkbLdA

    • Renames multiple (2330) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks